In what the U.S. Federal Trade Commission calls a "first-of-its-kind" enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness authority in privacy cases, with some important takeaways for privacy programs that handle health-related data. It also asserts a novel application of the HBNR against digital health services, which often fall outside the scope of the Health Insurance Portability and Accountability Act.
GoodRx began as a drug-pricing comparison site and later expanded its offerings to include telehealth services. The company contracts with pharmacy benefit managers to provide users with coupons for discounted prescription drugs. With just the name of a medication, dosage and location information, GoodRx provides users with coupons to be redeemed at nearby pharmacies. The FTC complaint details how GoodRx shared some of this information, along with personal identifiers, with third parties such as Facebook, Google and Criteo to target advertisements through those platforms to its customers and prior site visitors. The complaint alleges that despite privacy and confidentiality assurances to its users, this sharing amounted to unauthorized disclosures of sensitive user data to third parties.
The case springs from a set of practices subject to earlier attention from private sector privacy watchdogs. In February 2020, Consumer Reports published an article claiming GoodRx was sharing health information via third-party cookies and tracking pixels. Subsequently, the Digital Advertising Accountability Program, operated by BBB National Programs, released a decision extolling GoodRx for adjusting its practices to reach compliance with the Digital Advertising Alliance's Self-Regulatory Principles. These changes came after a routine DAAP review uncovered an alleged failure to properly notify consumers about their choices related to third-party interest-based advertising practices facilitated through GoodRx's website and mobile application.
Around the same time, Facebook found GoodRx had violated its platform policies for advertisers, which prohibit ad content that asserts or implies personal attributes including physical or mental health conditions. And yet, the FTC complaint alleges, GoodRx continued to share information with third parties until November 2020.
Now, the company's alleged past behavior resulted in a whopping eight counts of wrongdoing in the FTC complaint. Notably, GoodRx claims in its press release about the settlement the conduct included in the complaint was "proactively addressed almost three years ago, before the FTC inquiry began." Privacy professionals should understand the new territory the FTC enters through this action. Although the alleged violation of the HBNR enabled the FTC to seek a monetary remedy, the unfairness claims show the agency may have reached largely the same substantive outcome without the HBNR.
Inferences matter: An expansion of sensitive data
To merit an unfairness charge under Section 5 of the FTC Act, a company's conduct must cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to competition or consumers. In the privacy context, unfairness has almost always been alleged in situations where sensitive personal data was handled in a manner that did not provide consumers with adequate awareness or choice about its use or sharing.
The FTC has long considered health information to be sensitive. This action continues to broaden the scope of sensitive health data — important as professionals and policymakers alike refine our understanding of health-relevant data. The FTC complaint alleges that GoodRx shared "users' prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers" with third parties to enable GoodRx's ad campaigns targeting users' specific medications or health conditions.
Yet, more than physical and mental health conditions, the commission suggests sensitive information includes any data that could possibly lead to an inference about an individual's health or other intimate detail, such as:
- Medical treatments and treatment choices.
- Life expectancy.
- Disability status.
- Information relating to parental status.
- Substance addiction.
- Sexual and reproductive health.
- Sexual orientation.
- "Other highly sensitive and personal information."
According to the FTC, any sharing of such information without authorization from the GoodRx user is likely to cause feelings of stigmatization, embarrassment and emotional distress in addition to potentially impacting users' ability to obtain employment, housing, health insurance and disability insurance.
The long list of possible inferences only postulates about what could have been revealed by GoodRx's data sharing practices and the harms that could flow from that. The examples of health conditions from the case similarly include stigmatized conditions, like STIs, and common conditions like high blood pressure. It is unclear whether all of these intimate details are always considered "sensitive" under an FTC analysis, but it is worth understanding the growing scope when compared with existing legal codes that often refer simply to health conditions or special categories like biometric data. Here, the FTC suggests that other related information and inferences, even if not directly covered by compliance requirements, are also worthy of heightened care.
Knowing what data is considered sensitive health information is necessary for GoodRx — and likely helpful for any company that collects health or health-adjacent data — given the proposed order's mandate of "affirmative express consent," i.e., opt-in consent, before any sharing of health information, even for many non-advertising purposes. Understanding what this injunctive remedy means for other businesses that are not under the scrutiny of the agency requires a detailed comparison between the order and the corresponding issues in the complaint.
There are two unfairness charges in the FTC's complaint, which correspond to two newly refined expectations about the proper handling of sensitive health data.
1. Don't use health-related data for advertising without consent
Count VII of the FTC complaint implies notice and "affirmative express consent" are required before collecting and sharing users' health-related information for most advertising purposes. GoodRx was allegedly collecting health data — either revealed by the user based on their prescriptions or inferred based on the pages they visited — and exposing it to advertising vendors for purposes of delivering ads to its existing customers and website visitors. According to the FTC, it should have first sought consent.
There may be limited exceptions to this consent requirement. The proposed order against GoodRx is helpful for teasing out what these may be. As an injunctive remedy, GoodRx has agreed not to advertise using health-related data at all. Exempt from this promise is contextual advertising, with the understanding that "contextual" means advertising that:
- Is "non-personalized."
- Is shown as part of a consumer's "current interaction" with the company's websites or mobile apps, "including associated ad serving and response mechanisms."
- Does not disclose consumers' personal information to another third party.
- Is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the company's websites or mobile apps.
2. Don't share health-related data without individual knowledge
Count VI alleges a failure to "implement any sufficient policies or procedures to prevent the improper or unauthorized disclosure of users' personal health information, or to notify users of breaches of that information." The specifics of this unfairness charge relate to GoodRx's alleged shortcomings in establishing a proper privacy program to maintain compliance with the HBNR and other best practices. But the last clause is key: Individuals should be notified of breaches of their information. In the context of the HBNR, as described below, that means informing customers about almost any sharing of health data.
Under the proposed order, GoodRx is enjoined from disclosing health-related data to third parties for non-advertising purposes without consent, with some exceptions. Again, the order appears to be imposing a remedial course for the company that goes beyond the misbehavior alleged in the complaint.
For everyone else, the FTC's expectation is that customers be kept informed any time health data is shared with third parties. Again, there are exceptions. Under the order, "third parties" means any other entity except an entity subject to an agreement complying with the HIPAA privacy rule, a pharmacy delivering the service requested by the consumer, an entity assisting the company with legal compliance or enforcing its terms of service or a service provider or partner of the company. Service providers are only exempt if they meet a detailed set of requirements that limit their processing to the direction of the company or internal uses and strictly limit onward transfers of data, among other requirements.
In the complaint, the FTC alleges Facebook could have used data shared by GoodRx "for its own purposes, including its own research and development and ad optimization purposes." The strong implication is that the purpose limitations agreed to by GoodRx and Facebook were not restrictive enough. Thus, any entity processing health-relevant data should be careful that its contracts with third parties properly limit the processing of the data and otherwise conform with the heightened requirements for sensitive data. Whether these standards extend to non-health sensitive data is a question for another day.
Forget what you know about a 'breach'
Another impactful aspect of the settlement is the FTC's allegation that GoodRx's actions violated the Health Breach Notification Rule, a conclusion GoodRx continues to dispute, but which allows the FTC to extract a financial penalty from this first-time violation.
Although this is the first case where the FTC has applied the HBNR, it did not come without warning. The FTC implemented the HBNR in 2009 to protect the growing amount of health data generated by third parties outside the scope of HIPAA. In 2021, the commission issued an official policy statement and associated resources asserting the HBNR may apply to health mobile app developers and wearable technology companies. The guidance reminded us that "a 'breach' is not limited to cybersecurity intrusions or nefarious behavior." Violations may also include "incidents of unauthorized access, including sharing of covered information without an individual's authorization."
These clarifications were regulatory guidance, not a change in the rule. As Commissioner Christine Wilson mentions in her concurring statement, the use of third-party vendors in a manner that could reveal health information violates the plain meaning of the rule. This is important because GoodRx's alleged violations occurred before the guidance was issued.
GoodRx, as a "vendor of Personal Health Records," falls within the scope of the HBNR because it maintains personal information such as prescription information, medication purchase data, user search inputs and geolocation that can be aggregated into a "Personal Health Record" managed primarily for the individual user. Under the HBNR, such information is considered "PHR identifiable health information" that is gathered from multiple sources, including PBMs.
The transmission of this data from the GoodRx site to third parties, even for the company's own advertising purposes, constituted a "breach" because those third parties "acquired" the information "without the authorization of the individual." For HBNR analysis, the point of reference is always the individual whose data is shared. Since GoodRx had not collected affirmative express consent from its users to authorize the sharing of their PHR data with third parties, the sharing — even for somewhat limited purposes — was a "breach" in violation of the HBNR. A major lesson here is that obtaining informed user consent before sharing any personal or health data, regardless of the purpose, will ensure that it remains an authorized disclosure of data outside the bounds of the HBNR.
Say what you do, and do what you say
The FTC will always consider a company's privacy policies and promises against its actions. The takeaways here for the privacy community focus on the bread and butter of a privacy officer's role: the development and implementation of a robust privacy program rolled out across an entire company. Once a policy is established, the actions of all teams, from the business development team to marketing, should be subject to privacy review. Importantly, as this case shows, this includes advertising practices like retargeting or custom audiences that make use of platforms for delivery.
Setting a GoodRx example
The remedies in the proposed GoodRx order stand in stark contrast to those in the FTC's action against Flo Health less than a year ago. Unlike Flo Health, GoodRx faces a civil penalty and an all-out prohibition against advertising using its users' health data. Although the facts of the cases differ, these advancements illustrate the FTC's evolution toward more ready use of its unfairness authority in privacy cases. The agency is increasingly willing to use every available tool, like the HBNR, to achieve satisfactory redress. As the FTC continues to strengthen its enforcement arsenal, this case stands as a cautionary tale for digital health companies — and any organization that processes sensitive personal data.