GoodRx leaked user health data to Facebook and Google, says FTC

Since 2017, more than 55 million people have used or visited GoodRx’s mobile apps or website, the FTC said. From 2017 to 2020, the company “disclosed extremely intimate and confidential details” to third-party ad tech and marketing firms like Facebook, Google, Criteo and Twilio, according to the complaint, repeatedly violating its public promises not to do so. The data that was released, the agency said, could link users with chronic physical and mental health problems, including substance abuse.

GoodRx also did not place limits on how Facebook, Google and other companies could use its customers’ health information, federal regulators said, giving third parties the ability to use the data for internal business purposes, such as product research and development. Regulators said GoodRx also “failed to maintain sufficient” protections for users’ personal information, such as adequate formal written privacy and data-sharing policies.

The FTC case centers on GoodRx’s use of tracking tools from Facebook, Google and other companies. Millions of sites and apps use such tools, known as “pixels” and “software development kits,” to track and share data about their users’ activities with third parties for their commercial purposes, such as ad targeting and user analytics.

Such tracking tools may collect information such as users’ first and last name, email addresses, mobile phone numbers, unique device identification codes, locations, genders, and Internet Protocol or IP addresses. They can also record details about user activities, such as opening an app, clicking a link, or viewing information about a specific disease or medication.

While this type of data sharing is widespread in consumer sectors such as retail and travel, the FTC complaint said GoodRx’s use of tracking tools to share personal health data with advertising platforms had led to misleading and unauthorized data disclosures, an argument that challenges business as usual in the digital health industry.

GoodRx said it removed Facebook’s tracking pixel almost three years ago.

In recent years, the FTC has intensified its focus on health privacy.

In 2021, the FTC accused the developer of Flo, a health-tracking app used by more than 100 million women, of misleading users about its data-handling practices by sharing intimate health details about their periods and pregnancies with Google and Facebook. Flo reached an agreement with the agency that prohibited the company from misleading users about privacy and required it to obtain their consent before sharing their health data.