GoodRx, a company that provides prescription price transparency and discounted prices on medications, has agreed to pay a $1.5 million civil penalty as proposed by the Federal Trade Commission (FTC) for its unauthorized sharing of users’ personal information with big technology corporations.
On Wednesday, the FTC filed a legal complaint against GoodRx, alleging the company shared its users’ personal and health data with big technology firms like Facebook, Google, Criteo, Branch, and Twilio.
The FTC complaint notes that GoodRx has promised, since 2017, that it would share its users’ personal information, including personal health information, with limited third parties. GoodRx had promised this data sharing would be for limited purposes and would come with restrictions on how those third parties used the GoodRx user information. The complaint states GoodRx also promised that it would never share personal health information with advertisers.
Despite these promises, the FTC complaint states GoodRx gave other companies information on its users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers. The complaint states GoodRx shared this information without seeking their users’ consent or even providing notice of the move.
According to FTC about 55.4 million consumers have visited or used GoodRx’s website or mobile apps since January 2017.
GoodRx’s alleged violations of its consumer privacy policies first came to light on Feb. 25, 2020, when Consumer Reports published an article reporting that GoodRx was sharing health information with Facebook, Google, and other third parties. GoodRx issued a public response to the Consumer Reports article on Feb. 28, 2020, stating, the Consumer Reports article “led us to re-examine our policies. In the course of our review, we found that in the case of Facebook advertising, we were not living up to our own standards. For this we are truly sorry, and we will do better.”
Despite this Feb. 28, 2020 statement, the FTC said GoodRx continued to share certain user health information with Facebook for several thousand GoodRx users between April 2020 and November 2020 without notifying its users of this continued transmission of health information.
In addition to paying the $1.5 million penalty, a proposed court order would permanently bar GoodRx from sharing user health information with third-party organizations for advertising, and require GoodRx to obtain users’ affirmative consent before it discloses their health information to any third parties. The proposed court order would also have GoodRx direct third parties to delete the consumer health data that it wrongfully shared in the past and have those third-party companies inform consumers about the breaches and the FTC’s enforcement action against GoodRx. The proposed order would also seek to impose a timeline for how long it can retain users’ personal and health information.
GoodRx Agrees to Settlement but Disputes Allegations
In a Wednesday statement, GoodRx confirmed it had agreed to settle with the FTC over the complaint, but disputed the allegations raised by the regulatory agency.
“We do not agree with the FTC’s allegations and we admit no wrongdoing,” the company said. “Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”
GoodRx insisted it had begun addressing issues three years ago, “before the FTC reached out to us.”
“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer, and government websites, we are proud that we took action to be an industry leader on privacy practices,” the GoodRx statement continued.
GoodRX also insisted it did not share any medical records with third party organizations and said the information it did share “was primarily IP addresses and web page URL information related to looking at content.”
GoodRX said it has saved its users $45 billion in medical expenses since launching in 2011 and it remains a leader in data privacy.