As GoodRx Stumbles on Privacy, Competitors Pounce
The hammer is dropping. Seven years after the European Union got the ball rolling on consumer privacy by adopting the General Data Protection Regulation (GDPR), the U.S. Federal Trade Commission announced its first-ever financial penalty for inappropriate data-sharing practices by GoodRx.
According to the FTC, GoodRx failed to notify customers whose personal health information was disclosed to third parties like Google and Facebook through tracking technologies on its website and mobile app.
Agreeing to settle the case and pay a $1.5 million civil penalty means GoodRx can avoid an expensive and lengthy legal battle with the FTC. The company will also be prohibited from sharing user data with applicable third parties for advertising purposes, and it must “make an effort” to have its third-party partners delete any health data that was already shared.
Founded as a prescription drug discount provider, GoodRx has grown into a comprehensive digital health platform. In addition to providing users with prescription drug discounts, the company offers telehealth visits and other health services. It also collects volumes of data about patients, including information provided by users and information coming from pharmacy benefit managers who must confirm when a consumer purchases a medication using a GoodRx coupon.
According to the FTC, GoodRx inappropriately shared sensitive personal health information with advertising companies and platforms like Facebook, Google, and Criteo for years, and it failed to report those disclosures in a way that complied with current privacy laws.
The FTC’s move is seen as a major wake-up call to companies that monetize consumer data with digital advertising, and especially those with access to health information.
“Services collecting data regarding personal prescription preferences should never engage in any third party for advertiser retargeting campaigns,” says Vipin Porwal, CEO and founder of SmartRx.
SmartRx is one of a handful of newer entrants into the prescription discount cards market, and a competitor to GoodRx. In addition to following best practices for protecting user privacy, as outlined in more general data protection regulations, companies in the health sector must also practice HIPAA compliance and follow the FTC’s Health Breach Notification Rule. They must not — as GoodRx is alleged to have done — compile lists of users who purchase specific medications and upload those users’ email addresses, phone numbers, and mobile advertising IDs to third-party platforms for advertising purposes.
“Any personal information shared with SmartRx is only shared with third party service providers who are necessary to provide the service to SmartRx’s customers and who are bound by contracts that prohibit these service providers from using personal information for any other purpose,” Porwal says. “Whether us or our competition, they should only store personal information, including any sensitive health information, only for so long as necessary to provide the services requested by its customers.”
According to a recent report by DataGrail, 57% of people say they’re “fed up” with or “creeped out” by existing data privacy practices, and 75% of people would abandon their favorite brands if they felt like a company wasn’t taking care of their data.
From Target’s breach, in which hackers stole data from 40 million credit and debit cards, to Sephora’s struggle to comply with California’s CCPA privacy regulations, there’s growing concern among consumers about whether the companies they trust are keeping their personal information safe.
Last summer, the U.S. House of Representatives introduced the American Data Privacy and Protection Act (ADPPA), but the bill stalled before the midterm elections. In the absence of a comprehensive federal law, more consumers are using ad-blockers, deleting their browser histories, and requesting that companies delete their data on an individual basis.
In seeking damages from GoodRx for invading its users’ privacy, the FTC is looking to make a major statement that could impact many organizations outside the healthcare space in the coming years. GoodRx’s settlement is now awaiting approval by a federal judge.