FTC Fines GoodRx $1.5 Million for Unauthorized Disclosure of Health Information
February 2, 2023
The FTC this week announced a major enforcement action against GoodRx over health privacy violations, fining the company $1.5 million and forcing it to halt transfers of health data to third parties for advertising purposes. GoodRx is a digital health platform that offers prescription discounts and telehealth services. According to the FTC complaint, GoodRx violated both Section 5 of the FTC Act and the Health Breach Notification Rule by sharing sensitive user data with third-party advertising platforms. After promising its users that it would “never share personal or health information with advertisers or other third parties,” GoodRx nevertheless shared sensitive personal information with third-party advertising companies and platforms without providing notice or seeking consent from its users. GoodRx further exploited the personal information it shared with Facebook, using Facebook’s ad targeting program to target advertisements to GoodRx users based on their health information.
In addition to the $1.5 million penalty, the proposed court order prohibits GoodRx from disclosing user health information to third parties for advertising purposes. The order also requires GoodRx to obtain affirmative express consent before any future disclosure of health information to third parties, and it specifies that “consent” obtained through manipulative design (otherwise known as dark patterns), which has “the substantial effect of subverting or impairing user autonomy, decision-making, or choice,” does not constitute “Affirmative Express Consent.”
EPIC has long fought to safeguard health privacy, both under HIPAA and other laws. EPIC has advocated for stronger reproductive privacy protections, including through the establishment of data minimization requirements. EPIC and coalition partners have also urged the FTC to investigate Google and Amazon’s use of manipulative user interfaces. EPIC previously filed a complaint with the D.C. Attorney General explaining how Amazon employs dark patterns when customers try to cancel their Amazon Prime subscriptions, continuing to collect, retain, and use misdirected subscribers’ personal data.