GoodRx Leaked User Health Data to Facebook and Google, F.T.C. Says

Since 2017, more than 55 million people have used or visited GoodRx’s mobile apps or website, the F.T.C. said. From 2017 to 2020, the company “revealed extremely intimate and sensitive details” to third party ad tech and marketing firms like Facebook, Google, Criteo and Twilio, the complaint said, repeatedly violating its public promises not to do so. The data that was disclosed, the agency said, could link users to chronic physical and mental health issues including substance abuse.

GoodRx also did not put limits on how Facebook, Google and other companies could use its customers’ health information, federal regulators said, giving the third parties the ability to use the data for internal business purposes like research and product development. Regulators said GoodRx also “failed to maintain sufficient” protections for users’ personal information like adequate formal, written privacy and data-sharing policies.

The F.T.C.’s case centers on GoodRx’s use of tracking tools from Facebook, Google and other companies. Millions of sites and apps use such tools — known as “pixels” and “software development kits” — to track and share data on their users’ activities with third parties for business purposes like ad targeting and user analytics.

Such tracking tools can collect information like users’ first and last names, email addresses, mobile phone numbers, unique device ID codes, locations, genders and Internet Protocol, or I.P., addresses. They can also record details on user activities like opening an app, clicking on a link or looking at information on a specific illness or medication.

While such data sharing is widespread in consumer sectors like retail and travel, the F.T.C. complaint said GoodRx’s use of tracking tools to share personal health data with advertising platforms had led to deceptive and unauthorized data disclosures — an argument that challenges business as usual in the digital health industry.

GoodRx said it removed the Facebook tracking pixel nearly three years ago.

Over the last few years, the F.T.C. has intensified its focus on health privacy.

In 2021, the F.T.C. accused the developer of Flo, a health tracking app used by more than 100 million women, of misleading users about its data-handling practices by sharing intimate health details about their periods and pregnancies with Google and Facebook. Flo agreed to a settlement with the agency that prohibited the company from misleading users on privacy and required it to obtain consent from them before sharing their health details.