The Department of Justice finalized the FTC settlement levied against GoodRx and ordered the digital health company to take corrective actions in order to rectify the privacy violations, including sending consumer breach notices outlining the unauthorized data sharing.
DoJ announced the Feb. 17 stipulated order late Thursday, which finalizes the $1.5 million penalty and issues a host of corrective actions GoodRx must take to prevent unauthorized disclosures of consumer data in the future and ensure compliance with the FTC Act and rules.
Namely, GoodRx must notify its users of the past disclosures to third parties, and the order makes permanent the FTC and DoJ ban on the company ever again disclosing its users' health data for advertising purposes. The company is also prohibited from further misrepresentations and from disclosing health data without notice to users and their affirmative consent.
The federal agencies are also requiring GoodRx to notify users in the event of another privacy breach, and are mandating that the company improve its record-keeping, certification, monitoring, and compliance obligations.
GoodRx is currently defending itself against a class action lawsuit filed against the company and Meta in the wake of the FTC complaint, which detailed a host of privacy violations, namely that GoodRx violated the FTC's Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the unauthorized disclosure of health data.
The initial filing alleged the company engaged in “repeated, unauthorized disclosures of users’ personal and health information over the course of a four-year period” with third-party advertising companies and platforms, including Facebook, Google, Criteo, Branch and Twilio.
Company officials have defended their actions, noting they changed their policies after a 2019 Consumer Reports investigation revealed GoodRx was sharing medication names and other intimate details of users with 20 internet companies. The report showed that, when combined with browser information, the shared data allowed third parties to infer a great deal about GoodRx's users.
However, as noted throughout the Feb. 1 FTC filing, GoodRx never publicly notified its users of these dubious practices. That failure was a driving force in the DoJ decision.
Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, noted that the DoJ “is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”
“Consumers have a right to know whether and how their personal health information will be used and to know when it has been disclosed to third-parties,” Boynton said in the release.
The DoJ announcement suggests the agency will continue to work with the FTC on protecting against these unauthorized disclosures of sensitive, private information.
The finalized settlement, combined with the ongoing FTC lawsuit against data broker Kochava over the sale of consumer health data, should serve as a warning to app developers that engage in dubious privacy practices.
The FTC has repeatedly warned that it will use its Health Breach Notification Rule to regulate health data not covered by the Health Insurance Portability and Accountability Act, and for good reason: research consistently shows that health and mental health apps routinely share users' health data without consent. A new study found the majority of third-party data brokers "are willing and able" to sell mental health data, and some actively advertise for consumer health data.