How does Facebook know you want sugar-free snacks? These personal ads may have targeted you based on your online searches or a refill of your diabetes medicine collected by the digital health company GoodRx. GoodRx has been sending this personal health information such as prescription information to ad platforms like Facebook and Google to use and monetize your data.

But the Federal Trade Commission did not approve of GoodRx’s actions and, last Wednesday, fined the digital health company for its “deceptive practices” in disclosing personal and health information to third-party advertising companies and platforms like Meta and Google for advertising purposes.[1] At the core of the complaint, the FTC cited the inconsistencies between the statements made in GoodRx’s privacy policy and its actual business practices, specifically the company’s use of online tracking tools such as web beacons and software development kits (generally referred to as pixels) for targeted and personalized ads.

GoodRx is a digital health platform allowing consumers to compare drug prices across pharmacies and receive coupons or discounts for their prescriptions through its website or mobile application. It also offers users telemedicine consultations and other online healthcare services through paid subscriptions. All of these services result in the collection of significant sensitive health information about GoodRx’s users; for example, the current prescriptions of these consumers.

GoodRx’s privacy policies from 2017 to 2019 contained several statements regarding its collection, use, and disclosure of this personal information, which, according to the FTC, were false. Specifically, GoodRx’s privacy policy stated that it would never reveal personal health information to advertisers and that it “rarely shared” personal information with third parties except in limited circumstances, such as the delivery of its services directly to consumers. The company also claimed that it imposed restrictions on these third parties over the use of any disclosed information.

However, the FTC alleges that GoodRx consistently violated those statements by deploying pixels on its website and mobile application, which sent consumers’ online activity to companies like Google, Meta, and other advertising platforms to create personalized advertisements. For example, an individual could claim a drug coupon for erectile dysfunction medication using the GoodRx mobile application. Through the third-party ad platform pixels integrated into the mobile application by GoodRx, the ad platforms received the user’s health information, including the name of the drug retrieved through the coupon, drug quantity, drug dosage, and related health condition, together with the individual’s contact information, IP address, geolocation, and advertising IDs. The FTC noted that GoodRx’s conduct went beyond just sharing personal information and that GoodRx actively used and monetized personal health information in connection with targeted advertisements.

The Department of Justice, on behalf of the FTC, brought suit against GoodRx for engaging in “deceptive practices or acts” in violation of Section 5 of the Federal Trade Commission Act. Worse, the FTC asserted that the pixel usage constituted an unauthorized disclosure of personally identifiable health information and, thus, that GoodRx violated the FTC’s Health Breach Notification Rule by failing to notify consumers, the FTC, and the media of this unauthorized disclosure.

The FTC decided to make an example of GoodRx and insisted on a settlement imposing substantial penalties against the company: (a) imposing a $1.5 million fine; (b) prohibiting the disclosure of any health information collected by the company to third parties for advertising purposes; (c) requiring the collection of affirmative express consent (rather than imputing it through GoodRx’s privacy policy, terms of service, and other browse-wrap documents) before the company discloses personal information to third parties for “Non-Advertising Purposes”; and (d) notifying consumers of its “deceptive practices.”

This FTC action is a clear “warning shot” and represents an increased focus by regulators and plaintiffs’ lawyers on businesses’ use of pixels and the collection and disclosure of information associated with such pixels. This goes beyond the healthcare space. Last December, the Office for Civil Rights at the U.S. Department of Health and Human Services issued a bulletin warning entities about possible HIPAA violations through the integration of these tools in their services.[2] It clarified that regulated entities are not permitted to use pixels in a manner that would result in impermissible disclosures of personal health information to ad platforms and pixel vendors. Additionally, civil class-action lawsuits have hit several companies this past year citing improper use of pixels and data collection for advertising purposes, with Chick-Fil-A being a recent target.[3]

TAKEAWAYS

  • All companies should investigate and audit their websites, mobile applications, and any other online services for pixels and other tracking technologies that share information with third parties, so that they know exactly what information is shared via these pixels and for what purposes;
  • Companies should then confirm that their privacy policies accurately describe their data collection, use, disclosure, and business practices throughout the period when the policies are in effect, and, if not, update the policies; and
  • Legal departments, general counsel, and other individuals responsible for privacy at their companies should develop processes and procedures with internal business units, including marketing and online teams, to ensure visibility and communication about the implementation, use, and maintenance of such tracking technologies.
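The first takeaway calls for an inventory of the pixels a site loads and of the data each one transmits. The following script is an added illustration of how such a static audit can be started; it is not code from the article, the FTC, or GoodRx. It parses an HTML page, lists every external resource a browser would request, flags hosts on an assumed watch-list of common ad and analytics endpoints, reports the query-parameter names a beacon would send (which is where the audit learns what data leaves the site), and detects inline initialisation calls such as `fbq(...)` and `gtag(...)`. The sample page, the `example-pharmacy.com` domain, the `PLACEHOLDER_PIXEL_ID` value, and the `TRACKER_HOSTS` list are all constructed for the example; a real audit would also capture live network traffic, since many pixels are injected dynamically by tag managers.

```python
"""Static audit of an HTML page for third-party tracking pixels.

Hypothetical defender-side helper (not from the article, the FTC, or
GoodRx): it parses a page, lists every external resource the browser would
fetch, and flags requests to known ad/analytics hosts together with the
query parameters those requests would carry. A constructed sample page is
embedded at the bottom so the script runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed watch-list of hosts used by common ad/analytics platforms.
# Extend it with whatever your own tag inventory shows.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics beacon",
    "stats.g.doubleclick.net": "Google Ads / DoubleClick",
}

# Inline JavaScript calls that initialise the most common pixels.
INLINE_PATTERNS = {
    "Meta Pixel (fbq)": re.compile(r"\bfbq\s*\(\s*['\"](init|track)['\"]"),
    "Google gtag": re.compile(r"\bgtag\s*\(\s*['\"](config|event)['\"]"),
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page would load plus inline <script> bodies."""

    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        # A <script> without src carries inline code we want to inspect.
        if tag == "script" and not attrs.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def _is_third_party(host, first_party):
    """True unless host is the first-party domain or one of its subdomains."""
    return host != first_party and not host.endswith("." + first_party)


def audit_page(html, first_party):
    """Return findings as dicts: kind, host, vendor, and beacon param names."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""  # relative URLs have no host: first-party
        if not host or not _is_third_party(host, first_party):
            continue
        findings.append({
            "kind": "resource",
            "host": host,
            "vendor": TRACKER_HOSTS.get(host, "unknown third party"),
            # Parameter names reveal what data the beacon would transmit.
            "params": sorted(parse_qs(parts.query).keys()),
        })
    for body in parser.inline_scripts:
        for vendor, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                findings.append({"kind": "inline", "host": None,
                                 "vendor": vendor, "params": []})
    return findings


# Constructed sample page for a fictional pharmacy coupon site.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-pharmacy.com/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
  fbq('init', 'PLACEHOLDER_PIXEL_ID');
  fbq('track', 'ViewContent', {content_name: 'drug coupon'});
</script>
</head><body>
<img src="/static/logo.png">
<img src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=ViewContent&cd[drug]=exampledrug&cd[dose]=20mg" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "example-pharmacy.com"):
        print(finding)
```

Running the script on the sample page reports the Meta Pixel script, the image beacon with its `cd[drug]` and `cd[dose]` parameters (the kind of drug-level detail the FTC complaint describes), and the inline `fbq` initialisation, while the first-party script and logo are ignored. The parameter names are the part to hand to the privacy-policy review in the second takeaway.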

[1] Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising, FTC.Gov (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising

[2] U.S. Department of Health & Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS.Gov (Dec. 1, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

[3] Carroll v. Chick-Fil-A, Inc., Case No. 3:23-cv-00314 (N.D. Cal. Jan. 22, 2023)