Nowadays, there are health-related apps and websites everywhere that let you track things like your physical activity, health conditions, caloric intake, prescriptions, and even ovulation. They ask you for details about yourself and your health, but what if they use and share your information in ways they’re not supposed to?
The FTC says GoodRx, a digital health platform that offers virtual doctor visits and lets users get coupons for prescription drugs, broke its promises to users about how it would use and share their personal health information.
The FTC claims GoodRx shared information about users’ health conditions and prescription drugs with digital advertisers like Facebook and Google without users’ permission — and contrary to what it told users in its privacy policy. GoodRx then used that sensitive health information to target its users with health ads on users’ social media feeds. To generate those ads, GoodRx shared with Facebook and others information about its users’ prescription medications and sensitive health concerns — things like erectile dysfunction or treatments for sexually transmitted diseases. Worst of all, it failed to tell its users.
To settle this matter, GoodRx will pay a $1.5 million penalty. The company is prohibited from sharing health data with relevant third parties (like Facebook) that would use it for advertising, and must get users’ permission to share health data with relevant third parties for anything else.
Health apps can have a great benefit to users. But convenience may come at a cost. As this and other FTC cases show, there can be risks if companies don’t keep their promises. Companies might create profiles about you and share your sensitive information with other companies. And once your information is no longer private, it’s hard (maybe impossible) to keep it out of the wrong hands.
Here are some ways to protect your privacy online and when you use an app:
- Opt out of targeted ads, if possible. A company’s privacy notice or policy can be hard to read, but it should spell out what the company will or won’t do with your information: Will it share your information with other companies? For targeted advertising? Can you control whether ads will be targeted to you based on your app usage and browsing activity? The Digital Advertising Alliance and the Network Advertising Initiative also have free opt-out tools. If you choose to opt out, do so on each device and browser you use.
- Check if you can customize your privacy settings. Can you adjust the app’s permissions so it doesn’t have access to information it doesn’t need? Does the app track your device’s location? If the app doesn’t need the info, especially your location, turn it off. If the app does need it, consider limiting access to only when the app is in use.
- Find out if you have the right to tell the company to delete your data. Some state laws give you that right. See the U.S. State Privacy Legislation Tracker from the International Association of Privacy Professionals to learn more.
For more advice, check out our guide to protecting your privacy online.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
Is there a class action lawsuit that past users of the app can take part in?
In reply to Is there a class action… by Susan Adelson
When ftc penalizes someone consumers never see the money. You'll have to search the internet to see if there's a civil elections against person or parties that disseminated your information on the web and two third-party people etc. I've had like that way. When FTC wins millions of dollars off of these scanners we either consumers who are constantly harassed by the scam calls and or lose money are never compensated. One day my phone rang more than a hundred times from scammers and thereafter maybe 20 times a day I just stopped answering my phone but when the FTC family they sued them for millions seized all their money and I didn't get it done I hope that the people who lost money from scammers receive something when I highly doubt it. Good luck and always check for civil action suits on the internet
In reply to When ftc penalizes someone… by Nona
The FTC has returned $12.1 billion dollars to people through FTC refund programs, and refunds companies and third parties sent directly to people. Read about the FTC refund program, the cases, and the amounts returned at
https://www.ftc.gov/enforcement/refunds.
In reply to When ftc penalizes someone… by Nona
My privacy was violated by GoodRx. To what extent? I don't know. I received an email stating they shared my data without my permission. How and for what purpose? So basically they earned money on my data and now the government earned money off them using my data. We are the actual damaged parties and what we get is a promise they won't do it again. That's not acceptable and it is necessary not enough.
In reply to My privacy was violated by… by JoAnne Nelson
The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury.
In reply to Is there a class action… by Susan Adelson
I hope that the FTC will also penalize Good RX and give the funds to those whose privacy and HIPPA that were violated.
In reply to I hope that the FTC will… by Debbie Stolte
Correct.
All parties involved are guilty. Not just GoodRx. Violating medical privacy law. THEY ALL MADE PROFITS doing this!
Big business again & again is getting a slap on the wrist. I never see anyone receive jail time like a normal citizen would.
As well, there should always be compensation for the victims.
In reply to Is there a class action… by Susan Adelson
User OF GOODRX and received email of that violations on private information
In reply to Is there a class action… by Susan Adelson
Need info about GoodRX class action lawsuit
In reply to Is there a class action… by Susan Adelson
I had been a visitor of the app was my privacy violated?
The FTC has my sincere respect and admiration! The staff has a true (mission statement) of which they live up to. As this consumer alert (GoodRx) is an example of.
Gratefully Consumer 101,
Why not also fine the social media companies who should be able to recognize private information when they receive it? They are as much at fault for disclosing this information as is Good RX.
This sight is so important in the nation today because the facts and information are real not fake!
Thank you so much!
Thanks for making aware of the many ways our private info can be shared
This is a great information to educate because I was reading about the GoodRx's that when you order order from them is cheaper than calling than regular pharmacy. I glad that it mentioned thier negative views.
Thanks this information..
I like your bulletins to inform and protect the public. Thank you.
MAJOR HIPPA VIOLATION!!! BETTER BE A CLASS ACTION AND INDIVIDUAL LAWSUITS!!
In reply to MAJOR HIPPA VIOLATION!!!… by Jeanine Hoffman
*NOT* a HIPPA violation.
HIPAA does NOT apply to *all* health data. HIPAA covers doctors, health care providers, insurance companies, and businesses that work with them directly.
Give the same information to other companies companies (like GoodRX), they can take your health information and do anything they wanted with it.
The FTC doesn't make laws. They work to protect us using laws passed by the House and Senate.
In reply to MAJOR HIPPA VIOLATION!!!… by Jeanine Hoffman
I completely agree with your statement.
This is our personal medical information. Which is automatically assumed protected under the law.
Knowingly violating this law to make money should be a much more severe penalty than $1.5 million. Why does no one from big business ever get prison time either?
Those violated deserve remuneration for the money GoodRx & Social Media made breaking a well defined law. Class action suit!
I should have known over the years because I have always been getting advertisements tailored to my conditions on Social Media.
To the ftc.gov owner, Your posts are always informative and well-explained.
EVERY SINCE I STARTED USING THEM I WAS FOUND ON THE DARK WEB WHILE I SUPPOSED TO BE PROTECTED BY MCAFEE.
I also got an email from GoodRX about this settlement and that they shared my personal information with third parties on March 2, 2023. So now I have been getting scammers and other promotional offers continuously. So how do we obtain compensation for giving out our personal information without our consent? How do we protect ourselves from future adverse effects from this violation that this company did to the consumers?
So who's getting the 1.5 million dollars? Not us the victims??
I have suffered professionally and personally from GoodRx’s selling of my extremely personal medication needs! Fine that THEY had to pay a get-outta-jail fee, but what about us consumers?! Where is my financial settlement for damages??
All parties involved, including Good RX, knowingly violated the law. To make money. This is a slap on the wrist to big business again. As always I never see anyone go to jail for these violations.
I have received ads personalized towards my medical conditions for years, and now I know why. I do appreciate the work of the FTC, but I believe a higher penalty & all of the parties involved should be held accountable.
As well, those whose rights have been violated should be compensated. We know that this dissemination of individuals private information profited all these companies.