Technology, Healthcare · 2023
GoodRx Holdings Inc.
GoodRx was subject to the FTC's first-ever enforcement action under the Health Breach Notification Rule for sharing customers' sensitive personal health information — including prescription drug purchases and associated medical conditions — with Facebook, Google, Criteo, and other advertising platforms for targeted advertising, without users' knowledge or consent. The FTC found GoodRx failed to honour its privacy policy commitment not to share health information with advertisers and violated its promise to limit data use to healthcare purposes. GoodRx also failed to notify affected users of the disclosures as required.
Fine Imposed
€1.4M
Authority
FTC-US
Regulation
FTC Act Section 5 — Unfair or Deceptive Acts or Practices
Max fine
$51,744 per violation per day for post-order violations; initial enforcement via consent orders without direct fines
Status
active
Key Takeaways
- Health technology companies using advertising pixels that transmit prescription-linked data to third parties face both FTC Act Section 5 and Health Breach Notification Rule liability — there is no 'de facto standard practice' defence when health data is shared without consent.