FTC cracking down on companies that share customers’ health data

“What they’re doing is sending a warning shot across the digital bow of the online advertising industry saying, ‘Hey, these things are unfair, we’re watching, and you should not be using this health information in the way it’s being used,’” said Jeff Chester, executive director of the Center for Digital Democracy, a Washington, D.C.-based nonprofit that advocates for digital privacy and consumer protections online.

The commission said GoodRx engaged in unfair and deceptive practices by telling its customers that it complied with a federal health privacy law, HIPAA, that doesn’t apply to it, and by pledging not to share user data with third parties for advertising purposes, when it did.

The commission also said the company failed to erect internal processes to protect consumer health data or to limit how much access third parties had to that data.

GoodRx, based in Santa Monica, Calif., has agreed to settle, but the company said it does not admit wrongdoing and does not believe the requirements detailed in the order will materially impact its business. “We believe this is a novel application of the Health Breach Notification Rule by the FTC. We used Facebook tracking pixels to advertise in a way that we feel was compliant with regulations and that remains common practice for many websites,” the company said in a statement.

If the court affirms the settlement, GoodRx will be prohibited from disclosing user health data to third parties for advertising purposes and will have to get explicit consent from its customers to share their data for any other purposes. The order also bans the use of technology that manipulates users.

The FTC also wants to task GoodRx with ensuring that the third parties with which it shared health data delete it, and with implementing new privacy protections for users. The agreement assesses a $1.5 million civil penalty for violating the FTC Act, the law that gives the agency the power to police “unfair” and “deceptive” trade practices.

Broader crackdown

The GoodRx order is just the latest enforcement action signaling the FTC’s heightened interest in protecting the privacy of health data online.

The commission has pursued two other enforcement actions since 2020. Most recently, it filed a lawsuit against data broker Kochava in August in a federal district court in Idaho, where the firm is based, after it sold data the agency said could identify if a person had been to an abortion clinic. In 2020, the commission took an enforcement action against period tracking app Flo Health after it allegedly shared user health data with Facebook and Google after telling customers it would keep that data private.

Flo Health settled with the FTC in 2021, while Kochava filed a preemptive suit against the agency, challenging enforcement.

Both of those cases rely on the FTC’s long-established power to police unfair and deceptive trade practices.

But in its agreement with GoodRx, the FTC is outlining a new approach to regulating data collection that relies on the 2009 Health Breach Notification Rule.

And Chair Lina Khan has signaled the agency plans further rulemaking to increase its power over data-sharing online. Since her Senate confirmation in 2021, Khan has pushed the idea that the way personal data is collected on websites and on internet-connected devices by marketers and data brokers is itself unfair and often deceptive, opening these practices up to scrutiny by the FTC.

“The expanding contexts in which users’ personal data is used — from health care and housing to employment and education — mean that what’s at stake with unlawful collection, use, retention, or disclosure is not just one’s subjective preference for privacy, but one’s access to opportunities in our economy and society, as well as core civil liberties and civil rights,” Khan wrote last August following the FTC’s release of an advance notice of proposed rulemaking asking for public input on whether the commission should write new rules governing commercial surveillance and data security.

The agency has received over 10,000 comments and proposed rules could come later this year. In the meantime, agency officials warned at a briefing on the GoodRx order that more actions like it are likely. “We can walk and chew gum,” said an FTC official who briefed reporters on the impending action on the condition of anonymity. “We’re undertaking the review of those comments and we’re continuing to be aggressive in our enforcement in this area.”

New use of an old rule

The 2009 economic stimulus law directed the FTC to create a rule in collaboration with the Department of Health and Human Services to protect health data not governed by HHS or HIPAA, which sets privacy rules for medical providers. The resulting Health Breach Notification Rule states that any entity not covered by HIPAA that collects personally identifiable health information must tell consumers when there’s been a breach of their data or face action from the FTC.

Until the GoodRx order, the FTC had never enforced it.

However, in the last 18 months the commission has issued three statements, indicating that it is broadening its interpretation of the rule’s scope beyond companies’ cybersecurity practices to their marketing and advertising strategies.

In September 2021, the FTC published a policy statement clarifying that mobile apps and other connected devices, like wearables, could be considered health care providers under the rule since they offer health care services. Subsequently, the commission released further guidance saying the rule applies to fitness trackers, mobile apps, connected health devices, and any other collector of health data, and explained what they should do to comply.

In the court order detailing the agency’s agreement with GoodRx, the FTC defines what it considers sensitive data. “We’re not just defining it to include medical records held by doctors and hospitals, but rather to include any individually identifiable information that can be derived from an individual’s activities to reveal their health conditions. So we’re talking about browsing data, app usage, other everyday activities that can reveal really sensitive information about our health and our conditions,” an FTC official said.

That not only implicates companies selling health services and tools, like telehealth providers, diet apps, pharmacies, or purveyors of Bluetooth-connected blood pressure cuffs, but also third parties like Google and Facebook. During the briefing, an FTC official said that its agreement with GoodRx puts the third parties to which it sold data on notice that they’re in possession of information the agency believes was illegally collected.

In a statement, Google said it already “prohibits personalized advertising based on sensitive data like health conditions or prescription medications. We also have strict policies that advertisers and developers must comply with regarding personally identifiable information being shared with us.”

Still, the FTC’s action against GoodRx also sends a message to advertising platforms that they should ensure that they are not inadvertently collecting health data.

In its complaint, the FTC highlights how that could occur. The commission said that GoodRx in 2019 compiled a list of users who had purchased medications and uploaded their email addresses, phone numbers, and mobile advertising IDs (device-level identifiers that help advertisers track people across the internet) to identify their profiles and then target them with health-related ads.

These customized lists effectively target users based on health data in a way that might not be obvious to a platform like Facebook, which stopped allowing companies to target ads based on sensitive data like health information last year.

“With this case, we’re making clear that apps that are covered by this rule need to come clean with consumers when they share sensitive data improperly … or expect to hear from us,” an FTC official said.

Alfred Ng contributed to this report.