The Federal Trade Commission (FTC) announced yesterday that it has brought its first-ever enforcement action under its Health Breach Notification Rule, against digital health platform GoodRx Holdings, Inc. This follows the FTC’s previous warning, in September 2021, that health apps must comply with the rule or face penalties.
The Health Breach Notification Rule requires health apps and other devices that collect, use or share personal health information to notify customers of any breach or unauthorized use of data.
GoodRx, a telehealth and prescription drug discount provider, was accused of the unauthorized sharing of its customers’ personal health information with third-party advertising platforms and adtech vendors in violation of federal consumer protection law.
If approved by the U.S. District Court, Northern District of California, GoodRx will have to pay a $1.5 million penalty and will be permanently barred from sharing user health information with third parties for advertising purposes. Further, if approved by the court, GoodRx will also be required to obtain affirmative express consent before disclosing user health information with third parties for purposes other than advertising, to require third parties to delete data shared with them, to limit its data retention periods and to put into place a comprehensive privacy program.
A New Era of Oversight by the FTC
Most health apps and digital platforms are not covered by HIPAA, the federal health privacy law, and for years have collected, used and disclosed health care information with little active oversight. While the FTC’s Health Breach Notification Rule has been on the books since 2009, the FTC has not prioritized its enforcement…until now. In the absence of comprehensive federal consumer privacy legislation and an increased focus by consumers on data privacy, the FTC has been stepping in to fill the regulatory gaps in protecting consumer health data held outside the health care system.
This FTC action is one of a few demonstrating the agency’s recent increased focus on the privacy practices of digital health companies. In August 2022, the FTC filed a lawsuit against data broker Kochava for selling geolocation data that could be used to track movements to abortion clinics and other sensitive locations, and in June 2021 the agency reached a settlement with Flo Health, a fertility tracking app, after the company failed to obtain users’ consent for sharing personal health information with third-party companies.
These actions can also be seen as part of a broader trend toward more active regulation of third-party data sharing for digital advertising and other purposes, which has recently been a priority of the California Office of the Attorney General in its enforcement of the California Consumer Privacy Act’s notice and opt-out rules for such sharing, as well as the subject of current or soon-to-be-effective privacy laws in Virginia, Colorado, Connecticut and Utah.
In a statement regarding the GoodRx action, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said that “[d]igital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information.…The F.T.C. is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
Most recently, in the wake of the Supreme Court’s decision in Dobbs, overturning the federal right to abortion, the FTC indicated that it will be monitoring companies’ compliance with unfair and deceptive business practices, as well as its breach rule, with respect to use of sensitive data, especially when companies make claims that data is anonymized and cannot be linked to an individual.
This latest enforcement action should serve as yet another warning to digital health companies that their privacy practices are under federal scrutiny.
What’s Next
All digital health applications should heed the warning by the FTC and review how they are collecting, using and sharing consumer health data.
- Are their privacy notices up to date, accurate and complete?
- Are they acting consistent with consumers’ notice and consent regarding the use and disclosure of their data?
- Have they operationalized the privacy notice to ensure their practices match their statements?
- Are third-party platforms and vendors sufficiently restricted from unauthorized uses of data, and if so, are they complying with contracts that impose those restrictions?
- Is it possible that the digital health application may also be subject to other privacy regulations, such as HIPAA or the newest generation of state consumer privacy laws?