GoodRX faces fines under FTC breach notification rule

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

CPPA Approves Final CPRA Regulations

The California Privacy Protection Agency (CPPA) approved, in its February 3 board meeting, final regulations under the California Privacy Rights Act (CPRA).

Other than minor, non-substantive changes, the regulations reflect the version released in November 2022.

The regulations will next be submitted to the California Office of Administrative Law for approval. If approved, the regulations are expected to take effect in April 2023. 

TAKEAWAY

The CPRA enforcement grace period ends July 1, 2023, so the California regulations will provide businesses with guidance to understand how the CPRA will be interpreted by the CPPA for enforcement purposes.

The regulations include several requirements relevant to the digital marketing industry, including the manner in which businesses must or can respond to opt-out preference signals like the Global Privacy Control (GPC). 

Apple Receives Privacy Class Action New York, Adding to the List

A class action complaint was filed in New York federal court February 2, adding to a growing list of class actions against Apple across the U.S.

The lawsuits are all based on Apple’s allegedly deceptive use and sharing of first-party data after users have turned off the device’s analytics settings, and despite Apple marketing messages promising privacy.

This is the second lawsuit of its kind filed in New York, and three other lawsuits have been filed in Pennsylvania and California.

TAKEAWAY

The complaints alleging various common law and state law violations, including invasion of privacy, breach of implied contract, unjust enrichment, and laws prohibiting deceptive acts or practices or false advertising.

Use of these types of laws and common law claims has increasingly become a common practice in privacy class action lawsuits, demonstrating a potential need for companies to take a step back from the granular requirements of GDPR and CCPA and ensure their privacy practices are conceptually clear and understood by consumers. 

FTC Files $1.5MM Enforcement Action Against GoodRX for Data Sharing

For the first time, the Federal Trade Commission leaned on the FTC Health Breach Notification Rule to take action against a digital health platform for sharing personal health information for advertising purposes. 

GoodRX, a telehealth and prescription drug discount provider, was allegedly engaged in various data sharing practices, including sharing lists of users who had purchased certain medications, along with contact information, with Facebook to identify their profiles and target them with health-related advertisements, in a manner inconsistent with the company’s privacy promises.

The FTC found that these practices constituted unauthorized disclosures under the Health Breach Notification Rule.

In its proposed order, which must be approved by a federal court before it is final, the FTC fined GoodRX $1.5 million, permanently prohibited GoodRX from disclosing user health information with third parties for advertising purposes, and required user consent (without dark patterns) for any other data sharing, among other requirements.

TAKEAWAY

The FTC Health Breach Notification Rule was issued in 2009 and applies to entities that are not covered by the Health Insurance Portability and Accountability Act.

The rule requires notification to impacted consumers, the FTC, and in some cases the media, of any breach of unsecured identifiable health information.

It was never enforced, but in 2021, the FTC issued a statement putting mobile health apps on notice and reminding them to examine their obligations under the Rule.

The statement also clarified that a “breach” is not limited to cybersecurity intrusions but could also include sharing of covered information without individual authorization.

This GoodRX enforcement action is the FTC’s first action under such guidance.  

EUROPE

European Commission Publishes Study Indicating “A Strong Case to Reform Digital Advertising”

The European Commission on January 30, 2023 published a ‘Study on the impact of recent developments in digital advertising on privacy, publishers and advertisers“.

The study outlines the background of digital advertising, including how it has evolved and the impacts it (particularly targeting and profiling) has had on democracy and society in the EU, as well as the distribution of advertising spend across the digital advertising ecosystem.

It posits that “there is limited evidence to suggest that there are sufficient gains for advertisers and publishers in terms of efficiency and efficacy to outweigh the societal impacts, especially in relation to ads bought directly from large platforms” and assesses alternative digital advertising models that involve less or no personal data and/or less data sharing with third parties, including contextual advertising, local profiling and subscription models.

TAKEAWAY

Overall, the study concludes that “there is a need to improve transparency and accountability, increase individuals’ control over how their personal data is used for digital advertising and address a number of obstacles that make it harder for advertisers and publishers to ‘know their audience'”. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.