Bad Privacy Practices at GoodRx?

Privacy Plus+

Privacy, Technology and Perspective

Bad Privacy Practices at GoodRx? – FTC Prohibits Disclosure of Health Information for Advertising Purposes. This week, let’s look at a new Consent Decree required by the Federal Trade Commission (FTC or Commission) and consider what it reveals about its expanding privacy enforcement as well as the continued rumblings inside the Commission.

Background: This past Wednesday, the FTC filed a Complaint against GoodRx Holdings, Inc. (GoodRx), alleging that in connection with its “consumer-focused digital healthcare platform,” it shared personal health information with third-party advertising companies and platforms, like Facebook and Google, in contravention of its privacy policies. Based on those allegations, the FTC charged GoodRx with violating the Health Breach Notification Rule (HBNR) and Section 5 of the FTC Act, among other causes of action. The Complaint sought a 20-year permanent injunction, a civil penalty of $1.5 million, and certain other relief like requiring senior officials of GoodRx to acknowledge (in writing) receipt of the injunction – thus making it easier to hold those individuals in contempt, if they are found to be involved in its subsequent violation.

You can read the Complaint here:

https://www.ftc.gov/system/files/ftc_gov/pdf/goodrx_complaint_for_permanent_injunction_civil_penalties_and_other_relief.pdf

The Proposed Consent Decree: In addition to the $1.5 million penalty, the proposed Consent Decree permanently prohibits GoodRx from sharing health data for advertising purposes. (!!!) It also requires GoodRx to:

- Obtain users’ affirmative express consent for any other sharing of user health information;
- Clearly and conspicuously detail the categories of health information that it will disclose to third parties, expressly prohibiting the use of any dark patterns to obtain users’ consent to share the information;
- Direct third parties to delete the user health data that was shared with them;
- Inform users about the breaches and the FTC’s enforcement action against the company;
- Limit retention of data;
- Publicly post its retention schedule; and
- Implement a comprehensive privacy program.

You can read the Consent Decree (“Stipulated Order for Permanent Injunction, Civil Penalty, and Other Relief”) here:

https://www.ftc.gov/system/files/ftc_gov/pdf/goodrx_stipulated_order_for_permanent_injunction_civil_penalty_judgment_and_other_relief.pdf

Something Old: In FTC cases, a Complaint commonly follows substantial private negotiations between the parties that have already led to a settlement. The Complaint, a Joint Motion for Entry of Stipulated Order, and a proposed Consent Decree (our term for it) are then all filed at the same time. Decades-long injunctions against unfair or deceptive acts or practices and stiff civil penalties for misleading consumers – essentially, for false advertising – are also common. And since the FTC’s approval comes through the full vote of the Commission, commissioners will sometimes write “concurrences” or “dissents” to the Commission’s decision to accept the settlement. All of that happened in FTC v. GoodRx this week.

…but Also Something New: This is the first time the FTC has barred a company from sharing user health data with third parties for advertising purposes. The third parties at issue are, of course, the Big Tech advertising giants. This case appears to mark disfavor toward their core business practices. Additionally, it serves as a warning to all companies in the healthcare space that rely on Google and Facebook. The FTC has signaled that disclosing health information to third parties for advertising purposes is now illegal (or, at a minimum, will be scrutinized against the company’s privacy notice and actual privacy practices).

Additionally, there is some argument that this is the first time a civil penalty has been assessed under the HBNR, even though GoodRx has claimed publicly that the FTC’s allegation is a novel, unsupportable, and wholly wrong application of it. You can read a summary of the HBNR here:

https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule

If interested, you can also read the FTC’s and GoodRx’s dueling press releases by clicking on the links that follow:

https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising

https://www.goodrx.com/corporate/business/goodrx-response-to-ftc

Also New(ish): Commissioner Christine Wilson, a Trump appointee, filed a public statement concurring in the settlement but criticizing it for being too lax – she would have imposed a much higher penalty. That part seems ordinary enough. Strikingly, though, Commissioner Wilson then spent most of her text excoriating her “current and former” fellow Commissioners – at least, the ones whom Democrats appointed – for the “sudden U-turn” she claims they have taken in agreeing to things they complained about when Republicans were in control, an “about-face” which she also blames for the well-publicized morale problems among FTC staff.

We acknowledge that such statements can make gripping reading for those who agree with Commissioner Wilson’s political views. Still, we question whether public, ad hominem attacks among the Commissioners are good for the Commission, the economy, or the country.

Commissioner Wilson’s concurrence can be found here:

https://www.ftc.gov/legal-library/browse/cases-proceedings/public-statements/goodrx-concurring-statement-commissioner-christine-wilson

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
