Wednesday's crackdown by federal regulators on GoodRx highlights increasing efforts by the FTC under activist chair Lina Khan to protect consumers' digital health privacy.
Why it matters: The proposed order could have broad implications for the health tech sector, in which ad-targeting practices — particularly among direct-to-consumer businesses — are nearly ubiquitous.
Catch up quick: The order marks two firsts for the FTC:
The first use of its Health Breach Notification Rule, which requires health apps to notify users of infringements upon their information.
The first time it has sought with such an order to expressly ban a company from using consumer health data for ad-targeting.
Context: Startups and large tech companies collect troves of personal data on fertility, exercise, health conditions and prescriptions that are not expressly protected like other data covered by HIPAA.
Zoom in: Specifically, the FTC's complaint alleges that GoodRx shared with Google and Facebook individually identifiable data on users' prescription medications and health conditions.
The complaint also alleged that GoodRx targeted users of its telemedicine service, HeyDoctor, who'd searched online about STDs with ads for STD testing services.
The complaint characterized such practices as deceptive and unauthorized, something that could have broad implications for a sector in which such practices are common.
Yes, but: GoodRx agreed to settle the case Wednesday but said it disagreed with the agency’s allegations and admitted no wrongdoing.
Flashback: Although the FTC has ramped up its actions against health tech companies in recent years with similar actions, the GoodRx order goes further than previous cases by aiming to ban the company from future ad-targeting.
In 2021, for example, the FTC found fertility tracking app developer Flo sharing menstrual cycle and pregnancy data with Google and Facebook, and although Flo agreed as part of a settlement to get user consent before sharing such information, it was not expressly barred from such behavior.
The other side: In a statement issued alongside the court order, FTC commissioner Christine S. Wilson said the settlement falls short in that it "does not hold senior executives liable, and does not modify the core GoodRx business model."
"I would have supported a larger civil penalty," Wilson writes, noting the company's previous market valuation of $18 billion and adding, "I believe the company profited significantly from its silence about its scurrilous privacy practices — far in excess of the $1.5 million penalty."
Axios Reporter: Erin Brodwin