The Federal Trade Commission (FTC), weighing in on privacy concerns surrounding the use of website pixel tracking technologies, last month took action against prescription drug discount provider GoodRx for unauthorized disclosures of consumers’ personal health information to technology companies.
In the FTC’s first-ever action under its 2009 Health Breach Notification Rule, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes; it agreed to pay a $1.5 million civil penalty for violating the rule.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC’s actions against GoodRx, which follow guidance from the HHS Office for Civil Rights (OCR) on web-tracking technologies, hold significant implications for HIPAA covered entities and business associates, said Rebecca Herold, CEO of Privacy & Security Brainiacs SaaS Services and CEO of The Privacy Professor consulting practice.
“This should be a wake-up call that there is now another regulatory agency applying penalties against organizations for insufficient cybersecurity and privacy protections of health data,” Herold said. The GoodRx settlement indicates that the FTC’s enforcement of health privacy will extend “into requiring security and privacy program activities that mirror HIPAA requirements,” she said.
The FTC’s health breach notification rule was enacted as part of the American Recovery and Reinvestment Act of 2009 (16 C.F.R. § 318). The rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.
In addition, if a service provider to an entity covered by the rule suffers a breach, that service provider must notify the entity, which in turn must notify consumers.
The rule specifies the timing, method and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. The FTC also issued a policy statement in September 2021 warning that health apps and others that collect or use consumers’ health information must comply with the rule.