Feb 01, 2023

FTC: GoodRx’s not-so-good privacy practices come to light

Posted Feb 01, 2023 7:43 AM

By ALVARO PUIG
Consumer education specialist, FTC

Nowadays, there are health-related apps and websites everywhere that let you track things like your physical activity, health conditions, caloric intake, prescriptions, and even ovulation. They ask you for details about yourself and your health, but what if they use and share your information in ways they’re not supposed to?

The FTC says GoodRx, a digital health platform that offers virtual doctor visits and lets users get coupons for prescription drugs, broke its promises to users about how it would use and share their personal health information.

The FTC claims GoodRx shared information about users’ health conditions and prescription drugs with digital advertisers like Facebook and Google without users’ permission — and contrary to what it told users in its privacy policy. GoodRx then used that sensitive health information to target its users with health ads on users’ social media feeds. To generate those ads, GoodRx shared with Facebook and others information about its users’ prescription medications and sensitive health concerns — things like erectile dysfunction or treatments for sexually transmitted diseases. Worst of all, it failed to tell its users.

To settle this matter, GoodRx will pay a $1.5 million penalty. The company is prohibited from sharing health data with relevant third parties (like Facebook) that would use it for advertising, and must get users’ permission to share health data with relevant third parties for anything else.

Health apps can have a great benefit to users. But convenience may come at a cost. As this and other FTC cases show, there can be risks if companies don’t keep their promises. Companies might create profiles about you and share your sensitive information with other companies. And once your information is no longer private, it’s hard (maybe impossible) to keep it out of the wrong hands.

Here are some ways to protect your privacy online and when you use an app:

Opt out of targeted ads, if possible. A company’s privacy notice or policy can be hard to read, but it should spell out what the company will or won’t do with your information: Will it share your information with other companies? For targeted advertising? Can you control whether ads will be targeted to you based on your app usage and browsing activity? The Digital Advertising Alliance and the Network Advertising Initiative also have free opt-out tools. If you choose to opt out, do so on each device and browser you use.

Check if you can customize your privacy settings. Can you adjust the app’s permissions so it doesn’t have access to information it doesn’t need? Does the app track your device’s location? If the app doesn’t need the info, especially your location, turn it off. If the app does need it, consider limiting access to only when the app is in use.

Find out if you have the right to tell the company to delete your data. Some state laws give you that right. See the U.S. State Privacy Legislation Tracker from the International Association of Privacy Professionals to learn more.

For more advice, check out our guide to protecting your privacy online.