On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

The HBNR was initially passed in 2009 but had never been enforced until now. In general, it requires that non­-HIPAA-covered vendors of personal health records (“PHR”) give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of PHR. We have previously written about the FTC’s guidance in 2021 that it intended to enforce the HBNR where health apps violated the rule. We have also previously written about the U.S. Health and Human Service’s recent bulletin cautioning HIPAA-covered entities in their use of cookies, pixels, and other tracking technology to ensure that Protected Health Information (PHI) is not disclosed to third parties in violation of HIPAA. The GoodRx settlement shows that the FTC is also scrutinizing the use of advertising cookies and pixels on websites that collect personal health information. The FTC Act generally prohibits unfair or deceptive business practices, including misrepresentations or deceptive omissions concerning uses made of consumers’ personal information.

Turning to the substance of the allegations, the FTC claims that GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—“integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” The information alleged to have been shared with third parties included contact information, persistent identifiers, location information, and “Events Data” (e.g., pages views that may have reflected the consumers’ health concerns). Notably, GoodRx was also alleged to have tracked and shared “Custom Events” through the Facebook Pixel that conveyed health information about its website users, including medication names and health conditions. And while GoodRx’s privacy policy described the use of third-party tracking tools, it also stated: “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” The FTC also alleged that GoodRx monetized its violations by sharing the sensitive information with third parties so that it could target users with health related advertisements.

According to the FTC’s Complaint, GoodRx violated the FTC Act by, among other things, disclosing personal and health information to third parties while representing in its privacy policies that it would “never” share such information with advertisers or other third parties. The FTC alleged that GoodRx also violated the FTC Act by deceptively stating in its privacy policies that disclosure to third party providers was limited to what was necessary to provide telehealth services, unless the consumer consented to other uses. The Complaint alleges that GoodRx failed to comply with the HBNR by failing to report these unauthorized disclosures.  

The FTC’s enforcement action against GoodRx and proposed settlement shows that non-HIPAA covered entities collecting health-related information should understand the technologies used on their websites and in their mobile applications and ensure that their privacy policies accurately reflect their collection, use and disclosure of such information using those technologies. The failure to properly disclose information sharing practices could be a violation of the FTC Act and in any event, lead to an investigation and/or enforcement action. The FTC’s action also highlights the FTC’s interpretation of “breach of security” under the HBNR, to potentially include the disclosure of health-related information through the use of third party advertising technology on a website or through a mobile application without appropriate consumer authorization. The FTC’s action is, as we have previously discussed, part of a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.