FTC diagnoses common digital practices as both UDAP and breach

Eversheds Sutherland (US) LLP

In a groundbreaking decision,1 the Federal Trade Commission (FTC) announced it was diagnosing GoodRx’s use of tracking pixel codes and analytics, its digital strategy, as not only an unfair or deceptive act or practice but also as a data breach. A proposed class action lawsuit filed in a California state court last week contains similar allegations.2 Reaching well beyond the healthcare space, the FTC, state regulators, and courts can be expected to grapple with whether companies’ digital strategies (such as tracking codes and related analytics, including those that target information presented to consumers) run afoul of the privacy promises they make to consumers.

At issue is how to harmonize privacy policies, which promise consumers both that their personal information will not be shared with third parties and that it will only be used for specific purposes, with organizations’ use of digital resources to track, analyze and personalize consumers’ online and app experiences. In the GoodRx enforcement action the FTC alleged the practice is not only an unfair or deceptive act or practice – but also a “breach” because the company’s online and app resources include third party data analytics and session replay resources. This interpretation afforded the FTC the opportunity to assess the digital practice as “a data breach” under its Health Care Breach Notification Rule (HBNR).3 In short, these digital strategies are undergoing regulatory and judicial scrutiny under both privacy laws and the very broad unfair or deceptive act or practice (UDAP) analysis.4

This is not a case of a hacker causing a ransomware attack, or a failure to keep up with software maintenance, or some other malicious third party intervention in or interruption of GoodRx’s information systems. Instead, the FTC found that GoodRx, contrary to its privacy promises to users, was sharing users’ nonpublic information with Google, Blaze, Branch, Criteo, Twilio, Facebook and others. The allegations in the California class claim state that the defendants who maintained a website for the benefit of their consumers led those consumers to have a “reasonable belief that [the company] would take appropriate steps to maintain the privacy of these communications” but instead, “without the [consumers’] knowledge or consent,” shared their personal information with Meta, Google, Microsoft Bing, and other marketing and social media platforms or businesses.5

In other words, the FTC is effectively joining states like California in clamping down on the sale or sharing of personal data—including cookie data—for cross-context behavioral advertising purposes without sufficient user disclosures, without contractual protections binding third parties, and potentially without the appropriate user consents. The FTC, like California’s privacy regulator, interprets the terms “sale” and “sharing” broadly to include trusted vendors’ “uses” of personal data solely to render digital services in conjunction with companies’ online resources.

Specifically, and despite vigorous objection from GoodRx, the FTC opined that GoodRx violated the Federal Trade Commission Act in these ways:

  • By sharing personal information with third party advertising companies and advertising platforms;
  • By using non-public personal health information to target marketing to its users;
  • By failing to limit third parties’ use of GoodRx users’ data when third parties were using such data for their own research, development and advertising purposes while falsely claiming it was complying with Digital Advertising Alliance principles (that expect companies to get consumer consent before using health information for advertising);
  • By falsely suggesting it had a seal confirming its HIPAA compliance (when no such certifications exist); and
  • By failing to have sufficient policies and controls in place to protect users’ personal health information (until its conduct was exposed by a “consumer watchdog” in a 2020 exposé).6,7

In addition to the FTC’s signaling that it too will be heavily regulating cookie data, the opinion signals the FTC’s willingness to use the HBNR to enforce protections for health data beyond those provided by the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (collectively, HIPAA). Passed in 2009, the FTC’s HBNR was intended to apply to vendors of personal health records, or “PHRs,” that may not themselves be governed by HIPAA even though the health information contained in PHRs may be (in other settings). Just over a year ago the FTC issued guidance cautioning consumers to think before sharing personal health data when using smartwatches and wearable fitness trackers.8 The FTC noted that many companies that are not covered by HIPAA may be collecting, using and disclosing their customers’ personal health information.9 The FTC recognized that HIPAA and its breach notification rule, enforced by the US Department of Health and Human Services as well as by state attorneys general, apply to HIPAA-covered information and activities. However, the FTC cautioned that online and app vendors collecting consumers’ personal health record information should be mindful of their compliance responsibilities under the FTC’s HBNR.

Here are some practical steps companies may want to consider as a result of the GoodRx enforcement action:

First, ensure enhanced and accurate disclosures of the collection, use and sharing of personal information, even if enhanced state privacy laws do not necessarily apply, and ensure that each privacy promise made in the disclosure can be honored.

Second, employ enhanced consents, especially for cookies. One powerful method is to implement a “cookie door,” whereby users must affirmatively opt in to all but essential cookies, including tracking, advertising and third-party analytical cookies, before those cookies are set. This cookie door also lowers state regulatory risks, including under the California Consumer Privacy Act (CCPA), and even class action litigation risk.10

Third, ensure the company uses appropriate contractual terms with third parties who participate in a company’s mobile and cyber ecosystem. These contractual terms should strictly lay out how any consumers’ non-public information can and will be used by the third party, and limit the use of such consumer data by the third party for any other purpose. A CCPA-compliant Data Processing Agreement (DPA), for example, would largely be sufficient for FTC purposes.
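One way to implement the “cookie door” from the second recommendation in code, as an added example that is not part of this advisory or of any GoodRx system: third-party tags (analytics, session replay, advertising pixels) are denied by default and load only after a valid, affirmative opt-in for their category. Tag names, categories and the consent record format are assumptions for illustration.

```javascript
// Added example, not from the advisory: a deny-by-default consent gate for
// third-party tags. Tag ids and categories are illustrative, not a real
// vendor configuration.
const TAGS = [
  { id: "session-cookie", category: "essential" },   // needed for the site to work
  { id: "analytics-sdk",  category: "analytics" },   // third-party analytics
  { id: "session-replay", category: "analytics" },   // session replay tooling
  { id: "ad-pixel",       category: "advertising" }, // advertising platform pixel
];

const OPT_IN_CATEGORIES = ["analytics", "advertising"];

// A consent record counts only if it is an explicit user action, matches the
// policy version the user actually saw, and states a true/false choice for
// every non-essential category. Anything else is treated as "no consent":
// a dismissed banner or continued browsing never implies opt-in.
function isValidConsent(record, policyVersion) {
  if (!record || record.policyVersion !== policyVersion) return false;
  if (record.source !== "user-action") return false;
  return OPT_IN_CATEGORIES.every(
    (c) => record.choices && typeof record.choices[c] === "boolean"
  );
}

// Decides which tags may load. Essential tags always load; every other tag
// needs a valid record with an explicit true for its category. The blocked
// list is returned so it can be logged and audited against privacy promises.
function gateTags(record, policyVersion, tags = TAGS) {
  const valid = isValidConsent(record, policyVersion);
  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    const ok =
      tag.category === "essential" ||
      (valid && record.choices[tag.category] === true);
    (ok ? allowed : blocked).push(tag.id);
  }
  return { allowed, blocked, consentValid: valid };
}
```

When consent is withdrawn or the policy version changes, re-run the gate; a stale record is treated as no consent, so previously allowed tags stop loading until the user opts in again.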

_______________

1 https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising

2 See, Doe et al. v. Cedars-Sinai Health System and Cedars-Sinai Medical Center, Case 2:23-cv-00870 (filed 2/3/23 in the Superior Court for Los Angeles County).

3 See, FTC information on its Health Care Breach Notification Rule including bulletins here: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule

4 See, https://www.ftc.gov/news-events/news/press-releases/2002/01/eli-lilly-settles-ftc-charges-concerning-security-breach. Note that under Section 5 of the FTC Act, “UDAP” refers to unfair or deceptive acts or practices, as compared to the Consumer Financial Protection Bureau’s “UDAAP” authority under the Consumer Financial Protection Act, with an extra “a” for “abusive.”

5 See fn. 2

6 In the FTC’s press release and in FTC Commissioner Wilson’s standalone concurring statement, each noted that a consumer watchdog had revealed GoodRx’s privacy issues before the FTC investigation was undertaken. Note that Commissioner Wilson felt the FTC’s $1.5 million fine should have been significantly larger. See, https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf

7 Although Commissioner Wilson’s concurring opinion does not footnote the “watchdog,” in early 2020 Consumer Reports studied GoodRx “using a data packet-capturing tool to observe the company's Android mobile app and website” and determined that its privacy practices and use of digital monitoring tools were of concern. See, https://www.consumerreports.org/health-privacy/goodrx-saves-money-on-medsit-also-shares-data-with-google-facebook-and-others-a6177047589/

8 See, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0

9 Ibid.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
