How does Facebook know you want sugar-free snacks? These personal ads may have targeted you based on your online searches or a refill of your diabetes medicine collected by the digital health company GoodRx. GoodRx has been sending this personal health information such as prescription information to ad platforms like Facebook and Google to use and monetize your data.
GoodRx is a digital health platform allowing consumers to compare drug prices across pharmacies and receive coupons or discounts for their prescriptions through its website or mobile application. It also offers users telemedicine consultations and other online healthcare services through paid subscriptions. All of these services result in the collection of significant sensitive health information about GoodRx’s users; for example, the current prescriptions of these consumers.
However, FTC alleges that GoodRx consistently violated those statements by deploying pixels on its website and mobile application, which sent consumers’ online activity to companies like Google, Meta, and other advertising platforms to create personalized advertisements. For example, an individual could claim a drug coupon for erectile dysfunction medication using the GoodRx mobile application. Through the third-party ad platform pixels integrated into the mobile application by GoodRx, the ad platforms received the user’s health information, including the name of the drug retrieved through the coupon, drug quantity, drug dosage, related health condition and the individual’s contact information, IP address, geolocation, and advertising IDs. The FTC noted that GoodRx’s conduct went beyond just sharing personal information and that GoodRx actively used and monetized personal health information in connection with targeted advertisements.
The Department of Justice, on behalf of the FTC, brought suit against GoodRx for engaging in “deceptive practices or acts” in violation of Section 5 of the Federal Trade Commission Act. Worse, FTC asserted that the pixel usage constituted an unauthorized disclosure of personally identifiable health information and, thus, GoodRx violated FTC’s Health Breach Notification Rule by failing to notify consumers, FTC, and the media of this unauthorized disclosure.
This FTC action is a clear “warning shot” and represents an increased focus by regulators and plaintiff’s lawyers on businesses’ use of pixels and the collection and disclosure of information associated with such pixels. This goes beyond the healthcare space. Last December, the Office for Civil Rights at the U.S. Department of Health and Human Services issued a bulletin warning entities about possible HIPAA violations through the integration of these tools in their services. It clarified that regulated entities are not permitted to use pixels in a manner that would result in impermissible disclosures of personal health information to ad platforms and pixel vendors. Additionally, civil class-action lawsuits have hit several companies this past year citing improper use of pixels and data collection for advertising purposes, with Chick-Fil-A being a recent target.
- All companies should investigate and audit their websites, mobile applications, and any other online services for pixels and other tracking technologies sharing information with third parties to know exactly what information is shared via these pixels and for what purposes;
- Companies should then confirm that their privacy policies accurately describe their data collection, use, disclosure, and business practices throughout the time period when the policies are in effect, and if not, update the policies; and
- Legal Departments, general counsels, and other individuals responsible for privacy at their companies should develop processes and procedures with internal business units, including marketing and online teams, to ensure visibility and communication about the implementation, use, and maintenance of such tracking technologies.
 Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising, FTC.Gov (Feb. 1, 2023) https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
 U.S. Department of Health & Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS.Gov, (Dec. 1, 2022) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
 Carroll v. Chick-Fil-A, Inc., Case No. 3:23-cv-00314, (N.D. Cal. January 22, 2023)