
Advertisers exploiting health data privacy: Allegations against GoodRx for compromising user trust regarding personal health information

Drugstore price comparison service GoodRx consents to a $25 million settlement for allegedly sharing users' sensitive health data with Meta and Google, breaching Federal Trade Commission regulations.


GoodRx Data Sharing Settlement: A Landmark Decision with Far-Reaching Implications

In a significant development, digital health platform GoodRx has agreed to pay $1.5 million to the Federal Trade Commission (FTC) in addition to a $25 million settlement for a class action lawsuit. This case, one of the most high-profile examples of digital health platforms sharing personal data with ad networks, could have far-reaching implications as more healthcare services move online.

The class action lawsuit, Jane Doe et al. v. GoodRx Holdings, Inc., et al., was filed in California and consolidated several related lawsuits. If approved, affected users can file claims for compensation, though over $8 million may go to attorneys' fees. The settlement follows a 2023 FTC action, in which the agency accused GoodRx of violating the FTC Act and the Health Breach Notification Rule.

Plaintiffs allege that from October 2017 to March 2019, GoodRx used tracking technologies to send sensitive data like users' medication searches and health concerns to third-party ad platforms without informing users or obtaining consent.

Impact on Users and Third Parties

For users, GoodRx shared sensitive health data—including details about drugs and health conditions searched—without explicit consent, violating privacy expectations and federal rules. Users were impacted because their personal health information was disclosed for advertising purposes, betraying consumer trust.

Regarding the settlement and legal consequences, GoodRx agreed to pay $25 million to settle the class action lawsuit over these claims. Additionally, the FTC fined GoodRx $1.5 million for violating the Health Breach Notification Rule by sharing this data without notifying consumers.

Third parties like Meta, Google, and Criteo were not included in the $25 million settlement, as the lawsuit targeted GoodRx itself. However, a judge refused to dismiss claims against Meta and Google, allowing the lawsuit to continue against these companies. Meta and Google's attempts to avoid liability—by arguing lack of specific allegations or their policies prohibiting protected health info sharing—were rejected by the court.

The judge ruled that GoodRx’s and Meta’s terms of service disclosures did not clearly establish user consent for sharing sensitive medical info, allowing the suit concerning these third parties to proceed.

Future Controls and Ongoing Legal Action

The settlement requires GoodRx to stop sharing user health data with third parties for advertising, and the company must comply with court orders and FTC rules to protect consumer data going forward. District Court Judge Araceli Martinez-Olguin will decide whether to approve the proposed deal.

The FTC found violations of federal law, including the Health Breach Notification Rule, in relation to GoodRx's practices. The lawsuit stems from GoodRx's use of tracking pixels, hidden snippets of code embedded in websites that gather and transmit user data.

The settlement is significant as it highlights the importance of companies honoring their privacy promises to users. Meta, Google, and Criteo are named as co-defendants in the class action lawsuit, accused of knowingly receiving and using sensitive data. The ongoing legal action against these tech giants will determine their accountability in using this data.


  1. The settlement highlights the role of technology companies such as Meta, Google, and Criteo in ensuring data privacy, especially for sensitive medical conditions and health-and-wellness information; they are named as co-defendants in the class action lawsuit for allegedly knowingly receiving and using such data.
  2. The fine imposed on GoodRx serves as a reminder that science, technology, and health-and-wellness platforms must adhere to regulations like the Health Breach Notification Rule, as failure to do so can lead to data on medical conditions being shared without proper consent, potentially impacting users' health and trust in these services.
