FTC Accuses GoodRx of Sharing User Data Without Consent

Under a proposed FTC order, GoodRx would be barred from sharing user health data for advertising purposes.

Bree Fowler Senior Writer

GoodRx users may have given up more than they thought.

GoodRx will pay $1.5 million and be barred from sharing user data with outside companies for advertising purposes under a deal that would settle allegations that it shared some of its users' most intimate health-related information with companies like Facebook and Google.

The Federal Trade Commission characterized the action, which is pending approval by a federal court, as the first of its kind under its Health Breach Notification Rule, adding that the agency won't hesitate to use its full legal authority to take action against companies that willingly misuse or exploit consumer data.

"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement.

According to the FTC's complaint, GoodRx, which helps users find deals on prescription drugs and offers telehealth and other health-related services, shared its users' data with outside companies for advertising purposes, despite promising it wouldn't.

It also made money from that same data by using it to target its own users with personalized health-related ads on Facebook and Instagram, the FTC said. The complaint also accuses the company of failing to limit third-party use of the data, misrepresenting its compliance with the Health Insurance Portability and Accountability Act, or HIPAA, and failing to put in place policies and procedures to protect its users' data.

In a company blog post, GoodRx pushed back against the FTC's allegations, saying they're focused on an "old issue" that was "proactively addressed" more than three years ago, before the FTC's inquiry began. The company admitted no wrongdoing, adding that the proposed settlement will allow it to move on and avoid the time and costs of drawn-out litigation.

In addition to the civil penalty and ban on collecting data for advertising purposes, the settlement requires GoodRx to get users' consent before sharing data for purposes other than advertising; reach out to the third parties it shared the data with and ask them to destroy it; limit its own retention of user data; and put in place a privacy program designed to protect user data.