GoodRx will have to pay a $1.5 million fine as part of a proposed settlement with the Federal Trade Commission (FTC) if it gets approved by a federal court.
The proposed FTC order came in connection to allegations the regulator made about GoodRx committing violations of the FTC Act and the Health Breach Notification Rule. The FTC announced the proposed settlement Wednesday.
Under the proposed order, GoodRx will also be barred from “sharing of health data for ads” and required to obtain “affirmative express consent” from users “before disclosing user health information with applicable third parties for other purposes,” according to the FTC’s press release. The company must also tell third parties to “delete consumer health data.”
DRIZLY AND ITS CEO SUBJECT OF FTC ORDER TAKING ACTION OVER DATA BREACH
The proposed order also includes provisions that limit how long GoodRx keeps personal and health information and mandates that certain privacy measures be put in place, the FTC said.
In a statement posted Wednesday on its website, GoodRx said it does “not agree with the FTC’s allegations and we admit no wrongdoing.” The company stated that “entering into the settlement allows us to avoid the time and expense of protracted litigation.”
The FTC claimed that GoodRx shared “sensitive personal health information for years with advertising companies and platforms–contrary to its privacy promises–and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.” The company allegedly shared information with Facebook, Google and a few others.
GoodRx “used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram,” the FTC claimed. FOX Business reached out to Meta Platforms, the corporate parent of Facebook, for comment but did not receive a response by the time of publication.
CLICK HERE TO READ MORE ON FOX BUSINESS
The complaint purported that GoodRx “configured a Google tracking pixel on its website and an SDK [Software Development Kit] on its GoodRx Mobile App to share Custom Events that conveyed users’ health information with Google.” It also configured tracking tools to share personal information like phone numbers and email addresses, the complaint alleged.
Such tracking tools gather and send data to third parties “so that they can provide advertising, data analytics, or other business services” to the website owner, the complaint said.
“Google prohibits personalized advertising based on sensitive data like health conditions or prescription medications,” Google said in a Thursday statement to FOX Business. “We also have strict policies that advertisers and developers must comply with regarding personally identifiable information being shared with us.”
GoodRx said in the statement on its website that it “proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy” nearly three years ago “before the FTC reached out to us.” It said that “no medical records were shared” and pushed back on the FTC’s claim it violated the Health Breach Notification Rule.
GET FOX BUSINESS ON THE GO BY CLICKING HERE
“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices,” the statement also said. “We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare.”
GoodRx said it expects the settlement provisions will not have a material impact on its business or operations.
The company’s stock was trading at roughly $6 on Thursday afternoon, up nearly 2% today and down about 78% over the past year.