GoodRx will pay $1.5 million and be barred from sharing user data with outside companies for advertising purposes under a deal that would settle allegations that it shared some of its users' most intimate health-related information with companies like Facebook and Google.
The Federal Trade Commission characterized the action, which is pending approval by a federal court, as the first of its kind under its Health Breach Notification Rule, adding that the agency won't hesitate to use its full legal authority to take action against companies that willingly misuse or exploit consumer data.
"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement.
According to the FTC's complaint, GoodRx, which helps users find deals on prescription drugs and offers telehealth and other health-related services, shared its users' data with outside companies for advertising purposes, despite promising it wouldn't.
It also made money from that same data by using it to target its own users with personalized health-related ads on Facebook and Instagram, the FTC said. The complaint also accuses the company of failing to limit third-party use of the data, misrepresenting its compliance with the Health Insurance Portability and Accountability Act, or HIPAA, and failing to put in place policies and procedures to protect its users' data.
In a company blog post, GoodRx pushed back against the FTC's allegations, saying they're focused on an "old issue" that was "proactively addressed" more than three years ago before the FTC's inquiry began. The company admitted no wrongdoing, adding that the proposed settlement will allow it to move on and avoid the time and costs of drawn-out litigation.
In addition to the civil penalty and the ban on sharing user data with third parties for advertising purposes, the settlement requires GoodRx to obtain users' consent before sharing their data for purposes other than advertising; contact the third parties it shared the data with and ask them to delete it; limit how long it retains user data; and put in place a privacy program designed to protect user data.