In recent months, the U.S. Federal Trade Commission (FTC) has come down hard on mega tech corporations, not only fining Google for paid endorsements, but also publicly stating its mistrust of Microsoft over the Activision-Blizzard takeover. Today, the FTC has announced that it has imposed a $1.5 million fine on drug discount provider GoodRx for not reporting unauthorized disclosure of consumers' personal health information to companies including Google, Facebook, Criteo, Branch, and Twilio.
This move is a first-of-its-kind enforcement under the FTC's Health Breach Notification Rule. On top of the fine, this action prohibits GoodRx from sharing user health data with applicable third parties for advertising purposes, and requires user consent for any other data sharing as well.
The FTC explicitly detailed the ways in which the drug discount firm violated its consumer privacy laws, noting that GoodRx did the following:
- Shared Personal Health Information with Facebook, Google, Criteo, and Others
- Used Personal Health Information to Target its Users with Ads
- Failed to Limit Third-Party Use of Personal Health Information
- Misrepresented its HIPAA Compliance
Samuel Levine, Director of the FTC's Bureau of Consumer Protection, commented on the precedent set via this enforcement:
"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."
The Commission has referred the final order to the Department of Justice for filing, after a unanimous 4-0 vote in favor of the complaint. Notably, though, the proposed order will first have to be approved by the federal court to come into effect.