On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement.
According to the FTC’s Complaint, GoodRx violated the FTC Act by, among other things, disclosing personal and health information to third parties while representing in its privacy policies that it would “never” share such information with advertisers or other third parties. The FTC also alleged that GoodRx violated the FTC Act by deceptively stating in its privacy policies that disclosure to third-party providers was limited to what was necessary to provide telehealth services unless the consumer consented to other uses. The Complaint further alleges that GoodRx failed to comply with the HBNR by failing to report these unauthorized disclosures as a breach of security.
The FTC’s enforcement action against GoodRx and the proposed settlement show that entities not covered by HIPAA that collect health-related information should understand the technologies used on their websites and in their mobile applications, and should ensure that their privacy policies accurately reflect the collection, use and disclosure of such information through those technologies. The failure to properly disclose information-sharing practices could be a violation of the FTC Act and, in any event, could lead to an investigation and/or enforcement action. The FTC’s action also highlights the FTC’s interpretation of “breach of security” under the HBNR, which it reads to potentially include the disclosure of health-related information, without appropriate consumer authorization, through third-party advertising technology on a website or in a mobile application. The FTC’s action is, as we have previously discussed, part of a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.