Online pharmacy GoodRx to pay $1.5 million civil penalty for years of sharing consumer health information with third parties including Facebook, Google and Criteo for advertising purposes It agreed, the Federal Trade Commission said Wednesday.

In a complaint filed in California federal court, the FTC advised consumers that the healthcare and telemedicine giant will share personal health information collected while using its website and services with third parties. accused of not doing so.

The FTC said GoodRx “falsely promised its users not to share personal health information with advertisers or other third parties,” but it monetizes the data it collects and sells it through targeted health and pharmaceuticals. It said it “repeatedly violated this promise,” including by targeting its own users. – Certain Ads. The FTC says GoodRx has been doing this for “years.”

TechCrunch has reached out to GoodRx for comment and will update this article when we receive a response.

This is the first action taken under the FTC’s Health Breach Notification Rule (a 10-year-old guideline that hadn’t been used until today).

GoodRx is a classic example of rule-breaking, but it was fueled by the proliferation of online healthcare services in recent years, especially with the advent of the COVID-19 pandemic. More enforcement of rules.

The FTC recently issued a warning for 2021 (it made that warning more formally a year ago), and the rule will also apply to app developers and fitness device makers to ensure consumers are not impacted by their health data. He warned that he would take action against companies that didn’t tell him they would. Shared for advertising or user analytics.

This rule is especially important in light of the fact that more medical services are being brought online than ever before. Just last week Amazon launched his RxPass. This is a Prime add-on that allows you to fill all your prescriptions for a set of conditions using generic prescriptions for a flat monthly fee. TechCrunch reached out to Amazon to specify its own policy using customer data. I will update this post with any answers.

“Don’t use highly sensitive health information”

According to the FTC complaint, GoodRx shares the names of medicines and related health conditions users search for on GoodRx with platforms like Google.com and Facebook, as well as ad tech companies like Meta, Google and Criteo. I was. and Instagram, as well as other sites and apps.

An FTC official told reporters by phone on Tuesday that some of the information contained sensitive information about people’s health conditions.

The FTC also created a list of users for whom GoodRx purchased certain medications, particularly heart disease and blood pressure, and uploaded their email addresses, phone numbers, and pseudonymized device advertising IDs to Facebook so that GoodRx could You said you identified who it was so you could target it. in health-related advertising.

The agency also accused GoodRx of “falsely implying” to consumers that it complies with the U.S. Health Privacy Act, the Health Insurance Portability and Accountability Act, or HIPAA. FTC officials said consumers were misled into thinking their data was protected because much of GoodRx’s business is not covered by the law.

This order prohibits GoodRx from disclosing users’ health information to third parties for advertising purposes. You must also limit how long personal and health information can be retained “according to a data retention schedule” and provide detailed explanations to users about what you are collecting and why. They also need to implement a privacy program to protect consumer data in the future.

The FTC also requires GoodRx to contact the companies with which GoodRx has shared your data and ask them to delete the data. However, an FTC official confirmed that the enforcement action was binding on his GoodRx and not coercing the companies that received the data to comply with the takedown request. GoodRx must also establish a comprehensive privacy program and “prominently” detail the data it discloses to third parties.

Samuel Levine, director of the FTC’s Office of Consumer Protection, said in a statement: “The FTC has informed us that it will exercise all legal powers to protect sensitive data of U.S. consumers from misuse and unlawful exploitation.”

Since 2017, approximately 55 million consumers have visited the GoodRx website.

FTC orders are subject to federal court approval.