FTC Reaches $1.5M Settlement With GoodRx For Allegedly Improperly Sharing Health Information With Advertisers - Advertising, Marketing & Branding - United States

Gunnar Larson g at xny.io
Fri Feb 10 12:45:27 PST 2023


"ARTICLE

United States: FTC Reaches $1.5M Settlement With GoodRx For Allegedly
Improperly Sharing Health Information With Advertisers
09 February 2023
by Bram Schumer (New York)
Frankfurt Kurnit Klein & Selz

GoodRx, a popular drug discount website and application used by millions of
Americans, entered into a $1.5 million settlement with the Federal Trade
Commission for allegedly unfairly and deceptively sharing users' personal
health information with advertisers, including Facebook and Google.
According to the FTC, GoodRx's data handling practices violated both
Section 5 of the FTC Act, and, in a "first of its kind" action, the 2009
Health Breach Notification Rule (HBNR), which requires vendors of personal
health records to report data breaches, even if neither the entity nor the
data in question is subject to HIPAA. The case highlights the growing
concerns over the sharing of personal health information and the FTC's
increased efforts to regulate companies in the digital health industry,
even those that are not subject to HIPAA.

The crux of the complaint focused on the allegedly deceptive disclosures in
GoodRx's privacy policy between 2017 to 2020, in which the company made
bold and unqualified claims that it "never provide[s] advertisers any
information that reveals a personal health condition." Not so, claimed the
FTC. GoodRx, like so many websites, used advertising tracking technologies
such as cookies and pixels from popular services like Facebook, Google, and
Criteo. Without proper notice and consent, these trackers allegedly
funneled information to advertisers that included not just IP address,
names, and browsing analytics, but also the medications and health
conditions users were browsing on GoodRx.

As a result, Facebook, Google, and other advertisers obtained access to
data that was arguably sufficient to construct highly personal profiles of
users based on their health information, medical diagnoses, and lifestyles
– everything from antibiotics for sexually transmitted infections, to
antidepressants, to birth control and abortion drugs.

Not only did GoodRx provide this data to Facebook and Google, but it
targeted users with Instagram and Facebook ads related to health
conditions. For example, if someone used GoodRx to search for information
about sexual health, GoodRx later showed that user Facebook and Instagram
advertisements for its subsidiary HeyDoctor's STI testing clinics – it
assumed they'd need them, after all. According to the FTC, sharing this
information with Facebook violated promises in the GoodRx privacy policy
that the company would "never" reveal such private health information to
advertisers.

The FTC also alleged that multiple statements GoodRx had made were
deceptive, such as a claim that the company was compliant with Digital
Advertising Alliance (DAA) principles (when it wasn't), and the unchecked
use of a HIPAA compliance seal on the HeyDoctor website. In reality,
neither GoodRx nor HeyDoctor were subject to HIPAA, and the seal created
the misimpression that data was handled in accordance with that law.

In addition to Section 5, GoodRx also allegedly violated the Health Breach
Notification Rule (HBNR). In a novel application of the rule, the FTC found
that GoodRx's disclosures of personal information via advertising trackers
were in fact "breaches" that GoodRx failed to report. This expanded
interpretation of the HBNR is likely a harbinger of more FTC enforcement to
come at the multi-billion-dollar digital health and health-adjacent
industry, including health and fitness applications, activity trackers, and
fertility apps. Unlike traditional patient records in hospitals and
doctors' offices, these companies and the information they collect are not
covered by HIPAA. It appears that, in the absence of federal legislation,
the FTC plans to leverage HBNR and Section 5 in innovative ways to regulate
health data.

Moreover, the FTC's invocation of Section 5's "unfairness" prong – on
account of GoodRx not obtaining affirmative consent prior to sharing data
with advertisers – suggests that all personal health information, even if
not bona fide medical records, could require affirmative consent prior to
being shared, even if such practices are clearly disclosed in the privacy
policy. It remains to be seen whether and how aggressively the FTC will
pursue this line of thinking. Such an interpretation could significantly
impact the ability of health, wellness, and fitness companies to use any
kind of advertising trackers without obtaining opt-in consent.

In a response statement, GoodRx stated that user privacy is one of its top
priorities and that the issues the FTC identified were resolved three years
ago. The company defended its use of advertising tracking technologies as
both commonplace and compliant with applicable laws and regulations. The
company also stated that the Facebook pixel that the FTC took issue with
had been deactivated, and that in any event, no actual medical records were
shared; just circumstantial browsing information that may or may not have
pertained to a particular user's medical information.

In light of the GoodRx action, companies should consider the following:

Consider health data – even circumstantial health data – "sensitive" under
the law. While GoodRx and its subsidiaries did not handle medical records
like the ones in doctors' offices and hospitals, the information they
shared was still considered "sensitive" by the FTC. Companies should limit
their handling of any information regarding users' health for non-essential
purposes such as advertising. Use of health information for non-essential
purposes could be considered a "breach" under the HBNR.

Clearly say what you do, and do what you say. Companies should review their
use of advertising tracking technologies, and their privacy policies to
ensure that their data handling practices are correctly characterized.
Bold, unqualified statements ("We never..." or "We always...") should be
avoided. Also, companies should consider that the use of advertising
tracking technologies likely constitutes a sale of personal information
under the CPRA, and provide notice and opt-out opportunities accordingly,
as applicable.

Review compliance with state laws. The California Privacy Rights Act
(CPRA), and Virginia Consumer Data Protection Act (VCDPA) took effect on
January 1, 2023. The California Attorney General has signaled that
companies have a several-month grace period to comply with the CPRA before
enforcement starts; however, CCPA compliance is required now. Companies
should review their policies with an eye towards the requirements of these
laws, particularly the detailed California requirements regarding the right
to opt out of the sale or sharing of personal information, which the CA AG
has signaled is a top priority. Companies should also review their privacy
policies to ensure they comply with the forthcoming privacy laws of
Colorado, Connecticut and Utah, which go into effect later this year.

Review and renegotiate contracts as necessary (or as feasible). To the
extent possible, consider adding language to DPAs and other relevant
contracts that restricts the recipient's use of personal information to
just what is necessary to provide services on the controller's/business's
behalf.

www.fkks.com"
https://www.mondaq.com/unitedstates/advertising-marketing--branding/1280976/ftc-reaches-$15m-settlement-with-goodrx-for-allegedly-improperly-sharing-health-information-with-advertisers#:~:text=ARTICLE,www.fkks.com