The online health data ecosystem takes another regulatory hit

Health companies cannot use online tracking technologies the way other consumer-facing organizations do. This refrain, repeated frequently by regulators, litigants and the media in recent months, may now have found its clearest voice in the U.S. Federal Trade Commission (FTC).

The FTC has announced a groundbreaking enforcement action against GoodRx that focuses on, among other things, the disclosure of sensitive health information to third parties through online and mobile tracking technologies without clear notice and without affirmative user consent. The action represents the FTC’s latest application of the unfairness and deception prongs of Section 5 of the FTC Act to the use of common web tracking technologies, such as cookies, pixels, and mobile SDKs, as well as the first instance in which the FTC has enforced the Health Breach Notification Rule (HBNR). The action makes clear the FTC’s expectation that health companies obtain affirmative user consent before disclosing sensitive health information through web tracking technologies. In some cases, the use of online tracking technologies in the absence of affirmative user consent may itself trigger breach notification requirements under the HBNR.

Through the GoodRx enforcement action, the FTC has joined a slew of federal and state regulators, class action litigants, and media outlets in scrutinizing the use of online tracking technologies by health organizations. Health companies will need to consider whether their uses of web tracking technologies to analyze user online interactions and facilitate advertising fall within the bounds of the FTC’s decision against GoodRx, as well as recent guidance from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).

The FTC’s enforcement action against GoodRx has far-reaching implications for the use of web tracking technologies to collect and analyze sensitive health information. In the Order, the FTC outlines a roadmap of new expectations for privacy programs, including the appointment of privacy leads, the development and implementation of comprehensive compliance programs, and the establishment of a governance and oversight process for the use of web tracking technologies.


FTC allegations

Deceptive statements

The FTC complaint alleges that GoodRx made false and deceptive statements regarding its use and disclosure of sensitive health and personal information in violation of Section 5 of the FTC Act. Specifically, the FTC alleges that GoodRx falsely represented that:

  1. It would never disclose personal health information to advertisers or third parties. The complaint alleges that GoodRx did disclose personal health information to third parties when it implemented various third-party tracking technologies on its websites and mobile applications.

  2. It would only use or share sensitive health and personal information in limited circumstances to provide services requested by a user. The complaint alleges that GoodRx used and shared such data for other purposes, including targeted advertising.

  3. Third parties would be limited in their ability to use personal health information shared with them by GoodRx. The complaint alleges that GoodRx failed to deliver on its promise to contractually bind the third parties to which it disclosed personal health data to confidentiality standards. Instead, the complaint alleges, GoodRx accepted the template terms offered by those third parties, which permitted expanded data use rights.

  4. It adheres to Digital Advertising Alliance (DAA) principles. The complaint alleges that GoodRx failed to obtain affirmative user consent for the use of health information for online behavioral advertising in violation of the DAA principles.

  5. It is HIPAA-compliant. The complaint alleges that GoodRx represented that it was HIPAA-compliant by displaying a seal suggesting HIPAA compliance at the bottom of its website homepage, although GoodRx is neither a HIPAA covered entity nor compliant with HIPAA standards.


Unfair practices

The FTC complaint alleges that GoodRx engaged in unfair trade practices in violation of Section 5 of the FTC Act by failing to:

  1. Provide notice and obtain affirmative user consent prior to the disclosure of sensitive health information through web tracking technologies. The FTC notes that GoodRx became aware that it was disclosing sensitive health information to web tracking technology vendors following a February 2020 media report. Although GoodRx conducted an audit of its data sharing practices in April 2020 in response to the report, GoodRx allegedly continued to disclose sensitive health information to web tracking technology vendors until November 2020 without notifying users of the continued disclosure of their health information or obtaining their affirmative consent.

  2. Implement an appropriate formal compliance program. The complaint alleges that GoodRx failed to implement and maintain a comprehensive privacy compliance program to support its privacy commitments. Among other things, GoodRx allegedly failed to implement policies and procedures for providing notice of a breach of personal or health information. GoodRx further allegedly failed to provide sufficient oversight of how its marketing department implemented web tracking technologies.


Violations of the Health Breach Notification Rule

The complaint also charges GoodRx with an ongoing violation of the HBNR for its continued failure to notify users of the unauthorized disclosure of their sensitive health information through web tracking technologies. The HBNR, which took effect in 2009, requires “vendors of personal health records” that are not regulated by HIPAA – a category broadly interpreted to include a range of mobile apps and connected devices – to notify impacted individuals, the FTC, and, in some instances, the media of the unauthorized acquisition of individually identifiable health information contained in a personal health record. Although the FTC had previously signaled its intent to enforce the HBNR, the action against GoodRx marks the first instance in which the FTC has actually brought an enforcement action under the rule.


Next steps

The FTC’s action against GoodRx has significant implications for all health companies, particularly in their use of common web tracking technologies. We will explore these implications in further detail in future posts. In the meantime, the GoodRx order sets out several immediate action items for health and other companies to consider:

  • Confirm that privacy notices clearly describe collection, use, and disclosure practices of personal information and sensitive health information through tracking technologies and other means.

  • Implement and maintain an appropriate governance structure for oversight of the implementation of web tracking technologies on websites and mobile applications.

  • Review public disclosures to confirm that the organization’s participation in and compliance with third-party frameworks, such as the DAA self-regulatory principles, are accurately described.

  • Implement and maintain a formal written privacy program to promote adherence to privacy statements and commitments, and to provide clear processes and procedures for oversight of the organization’s collection, use, and disclosure of personal information and health information.

  • Review incident response plans to account for disclosures of personal information and health information that are not the result of a cybersecurity incident and, if applicable, to address compliance with the HBNR.

  • Review mechanisms for providing notice and obtaining affirmative user consent for the collection, use, and disclosure of health information, including in connection with the use of web tracking technologies for advertising purposes.

  • Assess whether the organization’s practices for the collection, use, and disclosure of health information through web tracking technologies necessitate notice under the HBNR or other applicable laws.


Authored by Scott Loughlin, Melissa Bianchi, Donald DePass, Natalie Perez, Alaa Salaheldin.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
