On February 1, 2023, the U.S. Federal Trade Commission (FTC) filed a proposed order implementing a permanent injunction and civil penalties against GoodRx in what the FTC called a “first-of-its-kind” enforcement action. The order prohibits GoodRx from disclosing user health data to third parties for advertising purposes and further assesses a monetary judgment against GoodRx in the amount of $1,500,000.00 for its violations of the Health Breach Notification Rule and the Federal Trade Commission Act.

GoodRx is a drug comparison website, which connects its users with coupons to be redeemed for certain prescribed medications based upon the name of users’ medications, dosage and location information and further offers telehealth services. GoodRx shared sensitive user data and personal identifiers with third parties, including Facebook and Google, to target ads to existing customers and individuals that previously visited its website.

The FTC commenced an enforcement action against GoodRx following a pair of allegations suggesting that GoodRx was sharing health information, without consent, via third-party cookies and that the company had violated Facebook’s prohibition of advertising content that contains or implies personal attributes, including health information.

Data collectors and/or processors should understand the following takeaways from GoodRx’s past practices and the FTC’s proposed order:

1. Affirmative express consent is required when utilizing health-related data and similar sensitive personal information for advertising purposes with few limited exceptions.

GoodRx allegedly collected and processed its user health information based on the medication information the user provided to GoodRx and/or on an implicit basis, tracking the webpages the users visited and in turn, disclosed this sensitive information to third-party advertisers. GoodRx allegedly failed to obtain specific, informed and unambiguous consent from its users before disclosing health-related information.

2. Health-related data should not be shared for non-advertising purposes without notice to and consent by the individual with few limited exceptions.

The proposed order alleges that GoodRx failed to implement any sufficient policies or procedures to prevent the improper or unauthorized disclosure of users' personal health information or to notify users of breaches of that information. Despite having privacy policies in place, GoodRx allegedly failed to implement its privacy policies and obtain affirmative consent from its users prior to disclosing health information to third-party advertisers, which disclosure was unauthorized.

3. Adequately restrict third-party contracts with regard to the purpose of disclosure and limits on data processing.

According to the FTC’s complaint, Facebook used user data for its own purposes, including research, development and ad optimization. Implicitly, the FTC indicates that the stated purpose of disclosure that was not well qualified or restrictive, which allowed Facebook to utilize GoodRx user data for its own purposes. Therefore, when contracting with third parties, it’s important to sufficiently confine the purpose of disclosure of sensitive information and restrict third-party use and data processing so as to avoid unintentional permissive uses of data.