Not What the Doctor Ordered: GoodRx to Pay $1.5 Million in FTC’s First Enforcement of the Health Breach Notification Rule
The Federal Trade Commission earlier this month undertook an enforcement action against online pharmacy and telehealth provider GoodRx, in the latest example of the agency seriously pursuing its role as the nation’s de facto privacy regulator. In a proposed order agreed to by the parties to settle the FTC’s claims, GoodRx would pay a $1.5 million penalty.
According to the FTC’s complaint, GoodRx shared sensitive personal health information—such as prescriptions and health conditions—with third-party advertising services like Facebook, Google, and Criteo, as well as other third parties. The FTC alleged that GoodRx made those disclosures despite representing to consumers that it would “never” share health information with advertisers or other third parties, and without otherwise obtaining consent or authorization for those disclosures. Those disclosures, according to the FTC, were unfair and deceptive under Section 5 of the FTC Act. Perhaps more surprisingly, the FTC also alleged that GoodRx’s failure to notify its users about those disclosures violated the FTC’s Health Breach Notification Rule.
This post summarizes key takeaways and next steps for privacy professionals conducting privacy checkups arising from the GoodRx enforcement action.
- The FTC Is Enforcing Its Expansive Interpretation of the Health Breach Notification Rule.
As we’ve previously written, the FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information, but are not subject to HIPAA. The Rule requires entities that (1) are not a HIPAA covered entity or business associate and (2) offer or maintain “personal health records” to notify affected consumers and the FTC whenever certain unsecured health information is obtained by an unauthorized person as a result of certain breaches of security.
The Rule existed in relative obscurity until the FTC issued a Policy Statement in 2021 expressing a surprisingly broad interpretation of several aspects of the Rule. Of particular relevance to GoodRx, the FTC took a broad view of which incidents require notification under the Rule, stating that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior” but could also include disclosures of covered information without an individual’s authorization.
The FTC’s allegations against GoodRx aligned with that broad interpretation. According to the FTC, GoodRx’s disclosures of individuals’ sensitive health information to advertising platforms and other third parties were “unauthorized” because GoodRx represented to consumers that it would never share personal health information with advertisers or other third parties and did not otherwise obtain consent or authorization for those disclosures. The FTC thus concluded that failing to notify the FTC and consumers of the unauthorized disclosures violated the Rule.
Given the FTC’s expansive interpretation of the Health Breach Notification Rule, mobile health app providers should evaluate whether their incident response procedures account for identifying, responding to, and providing notice of unauthorized disclosures under that Rule.
- But Don’t Forget Section 5 Fundamentals.
While the FTC highlighted this action as its first enforcement of the Rule, the bulk of the FTC’s complaint consisted of alleged violations of Section 5 of the FTC Act under familiar theories. Activities that GoodRx engaged in that the FTC alleged constituted unfair and deceptive trade practices included:
- Failing to provide notice and obtain affirmative consent prior to processing health information for advertising purposes, which is contrary to prior FTC guidance providing that companies should obtain consumers’ affirmative express consent before collecting “sensitive” data, including health information.
- Disclosing health information to Facebook, Google, and Criteo in violation of representations to consumers that it would “never” share health information with advertisers or other third parties.
- Violating representations that GoodRx’s telehealth subsidiary would obtain consent before disclosing personal information to third parties for purposes beyond providing users access to its services.
- Allowing third-party recipients of users’ personal information to use that information for advertising and their own internal business purposes, notwithstanding various representations that GoodRx would limit third parties’ ability to use personal information, including representing that a GoodRx subsidiary would implement “contractual and technical protections” to limit third-party uses of GoodRx’s users’ information.
- Stating that GoodRx complied with Digital Advertising Alliance (“DAA”) principles, which the FTC stated would have required GoodRx to obtain consent to use health information for advertising.
- Displaying a seal on the website that indicated GoodRx complied with HIPAA (even though GoodRx was not a HIPAA covered entity, and did not comply with HIPAA).
- Failing to implement policies or procedures governing users’ personal health information disclosures and breach response.
And finally, companies should consider obtaining consumers’ consent to share and use their sensitive personal information for advertising and other related purposes. Had GoodRx done so, the disclosures that were the focus of the FTC’s complaint would not have been “unauthorized” and therefore would not have triggered the Health Breach Notification Rule or claims of deception and unfairness under Section 5.
- GoodRx Continues FTC Targeted Advertising and Sensitive Data Enforcement Trends.
The GoodRx case continues a recent FTC enforcement trend regarding the collection and sharing of sensitive information for marketing and advertising purposes. Other recent examples of the trend include the actions against Flo Health regarding health information, OpenX regarding children’s location data, and Kochava relating to precise geolocation information. Collectively, those enforcement actions emphasize that the FTC is especially focused on companies that process data the FTC considers sensitive for advertising and marketing purposes (per FTC guidance, children’s information, financial and health information, Social Security numbers, and certain geolocation data are all sensitive). As discussed above, such companies should consider implementing processes to obtain users’ consent and to make accurate and comprehensive disclosures about their processing of that data, especially for advertising and marketing.
* * * *
Targeted advertising disclosures and processing will likely continue to be a key enforcement priority for regulators, especially with the increasing number of state laws regulating targeted advertising processing. That is especially likely in areas like health care that involve “sensitive” information. If you would like help assessing the implications of the GoodRx enforcement action for your business, please contact any member of the Wyrick Robbins Privacy and Data Security Team.