FTC Brings First of its Kind Enforcement Action against GoodRx for Violating the Health Breach Notification Rule

FTC Brings First of its Kind Enforcement Action against GoodRx for Violating the Health Breach Notification Rule

Blog WilmerHale Privacy and Cybersecurity Law

On February 1, 2023, the Federal Trade Commission (FTC) reached a settlement with digital health platform GoodRx for sharing users’ personal health information with third parties without properly disclosing their data practices or obtaining users’ affirmative consent, as well as for failing to maintain adequate policies or procedures to protect users’ personal health information. This is the FTC’s first ever enforcement decision under the Health Breach Notification Rule (HBNR), which requires vendors of personal health records (PHRs) or PHR-related entities to notify consumers, the FTC, and sometimes the media, when they discover certain data breaches. GoodRx agreed to pay $1.5 million under the terms of the settlement, as well to implement other remedies regarding its data practices, including being permanently banned from disclosing user health information to advertisers for most advertising purposes and being forced to direct third parties to delete the consumer health data that was shared with them. 

This case not only creates novel results in a variety of areas related to the disclosure of health information but also flags for entities dealing with health information a wide range of new risks and concerns to evaluate going forward. This is an area where it is clear that the FTC will be pursuing aggressive and innovative theories about potential consumer risks associated with health information.

This enforcement decision comes after the FTC recently expanded its interpretation of the HBNR to include unauthorized disclosures of personal information as potential data breaches. GoodRx case does not involve facts that we would typically think of as a data breach; rather the company was disclosing consumer health information with advertisers and other third-party marketing partners without user authorization. The FTC deemed this unauthorized sharing to be sufficient to constitute a “breach” of individually identifiable health information, indicating that it is serious about enforcing its broad interpretation of the HBNR moving forward. 

The GoodRx settlement is also the latest in a series of decisions where the FTC is more aggressively flexing its enforcement authority (and expanding its interpretation of the law through its informal guidance and enforcement actions). Specifically, in addition to citing GoodRx’s deceptive practices (e.g., using data in a way that was inconsistent with its privacy policy), the FTC also alleged that GoodRx violated the “unfairness” prong of Section 5 by failing to implement measures to prevent the unauthorized disclosure of health information and by not obtaining consent before using and disclosing health information for advertising purposes. The potential implication here is that the FTC may perceive all use of health data for advertising purposes (without affirmative express consent) to be a potential violation of Section 5, even if the entity has properly disclosed such practices in its privacy policy

The upshot for companies is that the FTC is closely paying attention to the use and disclosure of sensitive information (particularly health information) for any purposes that are not necessary in order to provide the consumer with the services they contracted for, including targeted advertising. Businesses operating in this space should ensure that their privacy policies and other relevant notices provide appropriate transparency about these practices and obtain affirmative consent wherever possible, especially if they are sharing sensitive personal information. Businesses should also continue to monitor future FTC decisions to assess whether the agency is further developing substantive limitations on certain use cases through the unfairness prong of Section 5. 
 
We have provided a summary of the complaint and the proposed order below, as well as provided additional key takeaways for businesses. We are happy to answer any additional questions you may have. 

The Complaint

The complaint charges GoodRx with violating Section 5 of the FTC Act and the Health Breach Notification Rule. Specifically, the complaint alleges that GoodRx (among other things):

  1. Deceived consumers by sharing their sensitive health information for targeted advertising purposes in violation of the representations it made in its privacy policy and in other public statements. These representations included disclosures stating that GoodRx never disclosed “personal health information to advertisers” and was in adherence with the Digital Advertising Alliance principles. The FTC deemed this practice to be “deceptive” under Section 5. 
  2. Did not limit third parties’ use of data. The FTC also alleged that GoodRx allowed the third parties that it shared data with to use that information for their own internal purposes, including for research and development or to improve their advertising practices. According to the FTC, GoodRx did not have sufficient contractual and other limitations in place with these third parties. This violated the representations in the company’s privacy policy that this information was disclosed subject to “confidentiality obligations” and only disclosed for “limited” purposes.
  3. Used health information to target ads to consumers without obtaining their consent. The FTC alleged that GoodRx configured tracking pixels on its website and used software development kits (SDKs) on its mobile app to share information with advertisers, such as the drug for which users had received coupons and the medical condition that the drug treats, along with other user information such as phone number, email, zip code, and IP address. Furthermore, Android and iOS operating systems shared users’ geographic coordinates and advertising IDs to target individuals with ads. The FTC also alleged that in August 2019, GoodRx collected a list of users who had purchased heart disease-related medication and uploaded their email addresses, phone numbers, and mobile advertising IDs to an advertiser to create custom audiences in order to target users with relevant advertisements. According to the complaint, these constituted “unfair” practices under Section 5 because GoodRx did not obtain “affirmative express consent” for these uses.
  4. Did not implement policies to protect health information or other personal information. According to the FTC, GoodRx did not have any sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. The FTC alleged that this also constituted an “unfair” practice under Section 5. 

The last two points are particularly noteworthy because the FTC raised these allegations under the “unfairness” prong of Section 5, as opposed to the “deceptive” prong. According to the FTC, GoodRx’s failure to obtain affirmative consent before using consumer health information for targeted advertising purposes and to implement policies to protect health information violated Section 5 not only because they were inconsistent with the representations made by the company but also because they “caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” This is an important distinction because it suggests that the FTC is leveraging its unfairness authority to begin to create precedent around companies’ privacy practices, just as it did with reasonable data security.

The Proposed Order

In addition to paying a $1.5 million penalty, the proposed order creates a number of substantive limits on GoodRx’s data practices, as well as requires the company to implement certain policies and procedures. Specifically, the order states that GoodRx is:

  1. Prohibited from disclosing health information for targeted advertising purposes. This further substantiates the argument that the FTC may view the use of health information for targeted advertising practices as an “unfair” practice in violation of Section 5 unless a company obtains prior affirmative consent.
  2. Prohibited from disclosing health information for all non-advertising purposes without affirmative express consent and notice. Notably, the FTC defines “affirmative express consent” in this regard as “any freely given, specific, informed and unambiguous indication of an individual’s wishes by demonstrating agreement by the individual…” The FTC also notes that this consent must be outside of the privacy policy, terms of use, or some other similar document, and that a company cannot rely on dark patterns to obtain such consent. This definition of consent is more specific than what the FTC has included in previous decisions (with the exception of the recent Epic Games order) and is similar to what the state privacy laws in the US (such as the California Privacy Rights Act) are requiring. 
  3. Required to implement a comprehensive privacy program. GoodRx must document this privacy program and, among other things, 1) designate a person responsible for the program; 2) conduct a risk assessment related to the privacy program every 12 months; 3) develop a number of specific policies and procedures (including those related to data retention and privacy training); and 4) provide an update of the privacy program to the board of directors at least once every 12 months. GoodRx’s privacy program must also be subject to a biennial assessment from a third-party assessor. 

Key Takeaways

Companies should be paying attention to the following points in light of the GoodRx decision:

  1. Review their targeted advertising practices. Companies that disclose personal information for targeted advertising purposes, especially health information, should be aware that this is an enforcement priority for the FTC. Companies that operate in this space should review the disclosures that they make to consumers regarding their data use and ensure that their practices are consistent with their representations. Companies should also assess whether they affirmative obtain consent for this activity and whether their consent process would meet the FTC’s standards. 
  2. Compliance with the Health Breach Notification Rule. Companies that manage health data should reevaluate whether they meet the definition of a “vendor” of personal health records or a PHR-related entity and are potentially subject to the HBNR. This may potentially raise the risk related to an FTC investigation, as the FTC is looking for opportunities to enforce its trade regulations rules (like the HBNR) which give it the ability to obtain penalties for first time violations. 
  3. Monitor and limit third party use of data. Companies should monitor and audit third parties that they share personal information with (especially for marketing and advertising purposes) to understand how they use the personal information that they disclose to them. Companies should also look to implement contractual and technical limitations on how third parties are permitted to use the data they receive and otherwise ensure that these third parties’ use of their data is consistent with the representations they are making in public. 
  4. Implement appropriate policies and procedures around personal data. The FTC expects that all companies that process personal data have a privacy program in place, especially companies that process sensitive health information. The GoodRx order can be used as a benchmark for understanding where their policies and procedures regarding their use, disclosure, and safeguarding of such information might fall short from the FTC’s perspective. 
 

 

 

Authors

More from this series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.