The Bottom Line
- The FTC is showing that it intends to be more active regarding the misuse and exploitation of sensitive personal information.
- Companies that use health information should take precautions to protect consumer data and provide proper disclosures when sharing health information with technology firms that target advertising or otherwise.
In a first-of-its-kind enforcement, the FTC has brought an action against GoodRx for allegedly violating its Health Breach Notification Rule. The FTC alleges that GoodRx violated federal consumer protections law and a rule governing the unauthorized disclosure of personal health information by sharing consumers’ sensitive health information with third parties. Those parties, including Meta Platform Inc.’s Facebook and Alphabet Inc.’s Google, then allegedly targeted GoodRx consumers with related advertisements.
GoodRx is a digital health platform that offers prescription drug discounts, telehealth visits and other health services. More than 55 million consumers have used GoodRx since it launched in 2017.
Health Breach Notification Rule
Health websites and applications that collect personal information are becoming more and more mainstream — in part because of the COVID-19 pandemic. The Health Breach Notification Rule, issued over a decade ago, requires companies to report unauthorized disclosures of health information to consumers and, in some cases, the media. It applies to companies that are not otherwise covered by the Health Insurance Portability and Accountability Act (HIPAA). The FTC says that collecting personal health records without proper disclosures or consumer consent and sharing that information with third parties constitutes a breach under the Health Breach Notification Rule.
Absence of Federal Privacy Law
In the absence of a federal comprehensive consumer privacy law, individual states have stepped up to the plate. Therefore, the FTC has limited legal resources to call upon. That said, the FTC’s authority to enforce against “deceptive” and “unfair” practices in or effecting commerce under the FTC Act is very broad and regularly leveraged by the FTC in privacy cases. In the GoodRx matter, the FTC alleged that the platform’s privacy policy was deceptive in that it did not properly disclose its information processing or data sharing activities and that sharing the information with third parties without proper authorization was an unfair practice.
Proposed Order
Under the proposed order for GoodRx’s alleged violations of the Health Breach Notification Rule, GoodRx has agreed to pay a $1.5 million penalty. In addition to the monetary penalty, the proposed order also includes significant provisions to remedy GoodRx’s alleged past actions and govern future action. The potential remedies include:
- Prohibiting any disclosure of consumer health information to third parties for advertising purposes.
- Requiring consumer’s affirmative express consent prior to sharing any health information with third parties. The order clarifies further that GoodRx shall clearly and conspicuously detail what categories of health information will be shared and prohibits the use of dark patterns to obtain users’ consent.
- Requiring GoodRx to direct any third parties with whom consumer information was previously shared to delete that information and further inform such third parties’ consumers about the breaches and the FTC’s enforcement action against GoodRx.
- GoodRx will be required to limit how long it retains personal and health data according to a data retention schedule and publicly post a data retention schedule. This will include detailed information regarding its continued data collection with an explanation of why such data collection is needed.
- GoodRx must implement a comprehensive privacy program that includes strong safeguards to protect any user data.
While the proposed order and fine represents the first action brought by the FTC under the Health Breach Notification Rule, this action makes it clear that the FTC is open to imposing significant fines and requiring clear action to remedy alleged violations.