The Department of Justice finalized the FTC settlement levied against GoodRx and ordered the digital health company to take corrective actions in order to rectify the privacy violations, including sending consumer breach notices outlining the unauthorized data sharing.
Late Thursday, DoJ announced the Feb. 17 stipulated order, which finalizes the $1.5 million penalty and issues a host of corrective actions GoodRx must take to prevent unauthorized disclosures of consumer data in the future and ensure compliance with the FTC Act and rules.
Namely, GoodRx must notify its users of the past disclosures to third-party data brokers, and the order solidifies the FTC and DoJ ban on the company ever again disclosing the health data of its users for advertising purposes. The company is also prohibited from further misrepresentations and from disclosing health data without affirmative user consent and notice.
The federal agencies are also requiring GoodRx to notify users in the event of another privacy breach, in addition to mandating the company improve its record-keeping, certification, monitoring, and compliance obligations.
GoodRx is currently defending itself from a class action lawsuit filed against the company and Meta in the wake of the FTC filing levied against the company, which detailed a host of privacy violations, namely that it violated the FTC’s Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the unauthorized disclosure of health data.
The initial filing alleged the company engaged in “repeated, unauthorized disclosures of users’ personal and health information