Bloomberg Law
Feb. 3, 2023, 10:05 AM

GoodRx FTC Privacy Fine Is ‘Warning Shot’ for Health Tech Firms

Skye Witley
Skye Witley
Andrea Vittorio
Andrea Vittorio

The Federal Trade Commission’s $1.5 million fine against GoodRx Holdings Inc. signals a broader reckoning for a growing array of health tech services and devices that collect and use information about their users to monetize free products.

Companies that collect potentially sensitive health data through products such as sleep monitors, fertility trackers, or diabetes devices should take a close look at how information flows through to advertisers or marketers, lawyers and former FTC officials said. Makers of wearable devices like fitness trackers also should review their privacy policies and examine whether their data practices line up with what they’re telling consumers, they said.

Businesses that are using technology platforms to provide similar services to consumers in the health care realm “really need to pay attention to this case,” said Eileen Harrington, a former FTC official who retired in 2012.

“The FTC intends this case to be a warning shot across the bow,” Harrington said.

The enforcement action against GoodRx represents the agency’s first use of a 14-year-old health breach notification rule, but is unlikely to be the last, attorneys said. It comes against the backdrop of heightened regulatory attention on personal health data privacy in relation to abortions and a wave of consumer lawsuits against hospital systems and other health-related organizations that have installed advertising tools on their websites or apps.

GoodRx, which offers a free service for finding prescription drug discounts, monetized private health information without permission from consumers by sharing data with third-party advertisers including Alphabet Inc.'s Google and Meta Platforms Inc.'s Facebook, according to the FTC complaint filed Feb. 1 in a California federal court.

A Meta spokesperson declined to comment on the enforcement action or its ad tracking technology. Google “prohibits personalized advertising based on sensitive data like health conditions or prescription medications,” a spokesperson said in an emailed statement.

Third parties received details on consumer’s prescriptions, health conditions, and contact information, the agency alleged. The discount prescription drug provider also deceived consumers by writing in its privacy policy that it would not disclose health information to advertisers or any third party, in violation of Section 5 of the FTC Act, the commission alleged in its complaint.

Tracking Tools

The case spotlights the business models of health apps and devices, which often are offered for free or as a subscription service.

“Free apps offer a potentially greater vector for potential misuse of information,” said Jay DeVoy, a partner in Holland & Hart LLP’s healthcare practice group. That’s because free apps are more likely to fund their services through advertising revenue, DeVoy said.

Flo Health Inc. previously settled FTC allegations that its mobile app shared sensitive health information with data analytics providers after promising data would be kept private. Glow Inc. was forced to consider how privacy and security lapses in its fertility-tracking app could impact women, as part of a 2020 settlement with California’s attorney general. Both Flo and Glow offer free or paid versions of their apps.

Any company operating in the health app ecosystem or collecting consumer health data should take a closer look at how ad-tracking tools are used on their platforms, said Duane Pozza, the FTC regulation group co‑chair at Wiley Rein LLP. Pozza previously spent six years working at the FTC.

“It’s notable that the FTC called out the use of pixels and other kinds of technologies like that as something that involves essentially a disclosure,” Pozza said. The commission has interpreted its health data breach rule to cover information that is exposed or shared without consumers’ permission.

Health companies employing “plug and play” technology—like the Meta Pixel and advertising software—should closely examine their obligations under the breach notification rule, an FTC official told reporters during a Jan. 31 briefing. The official declined to comment about whether the agency is probing other companies.

FTC Commissioner Christine Wilson said in a statement she would have supported “a large multiple of the $1.5 million civil penalty” given the high value consumers place on their private health data and GoodRx’s multi-billion dollar market valuation.

The agency in 2021 released a policy statement warning health app makers to follow the breach rule, which requires a notification to consumers of unauthorized data disclosures.

Privacy Investigations

The privacy violations alleged by the FTC were first surfaced by Consumer Reports in February 2020, according to the agency’s complaint. The FTC told GoodRx that it intended to investigate the company’s privacy and security practices in March of that year, according to a corporate filing for investors.

There are likely similar investigations in the works at the FTC, said Justin Brookman, a former FTC official who directs technology policy for Consumer Reports.

“The first case is important because it establishes a precedent,” Brookman said. “They often don’t want to do just one case.”

Dozens of civil lawsuits have been filed against digital health companies that allegedly monetize personal health information. Many of the lawsuits point to similar investigations into ad trackers by other nonprofit organizations.

The Boston-based Mass General Brigham health system agreed to pay $18 million to settle a class action over the use of web analytics tools that allegedly collected data about visitors to its site without the users’ permission.

The FTC’s enforcement action against GoodRx also mentioned third parties that allegedly received personal health data, including Criteo, Twilio Inc., and Branch.

Criteo said it didn’t receive information such as names and email addresses, or prescription and medical information.

“Criteo’s data policies and privacy practices on our platform prohibit most of the targeted advertising campaigns and programs referenced in the FTC complaint against GoodRx,” the company said in a statement.

Twilio declined to comment. Branch didn’t immediately respond to a request for comment.

To contact the reporter on this story: Skye Witley at and Andrea Vittorio at

To contact the editors responsible for this story: Keith Perine at; Jay-Anne B. Casuga at