GoodRX faces fines under FTC breach notification rule

Julie Rubash, Chief Privacy Counsel
February 7, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


CPPA Approves Final CPRA Regulations

The California Privacy Protection Agency (CPPA) approved, in its February 3 board meeting, final regulations under the California Privacy Rights Act (CPRA).

Other than minor, non-substantive changes, the regulations reflect the version released in November 2022.

The regulations will next be submitted to the California Office of Administrative Law for approval. If approved, the regulations are expected to take effect in April 2023. 


The CPRA enforcement grace period ends July 1, 2023, so the California regulations will provide businesses with guidance to understand how the CPRA will be interpreted by the CPPA for enforcement purposes.

The regulations include several requirements relevant to the digital marketing industry, including the manner in which businesses must or can respond to opt-out preference signals like the Global Privacy Control (GPC). 

Apple Receives Privacy Class Action New York, Adding to the List

A class action complaint was filed in New York federal court February 2, adding to a growing list of class actions against Apple across the U.S.

The lawsuits are all based on Apple’s allegedly deceptive use and sharing of first-party data after users have turned off the device’s analytics settings, and despite Apple marketing messages promising privacy.

This is the second lawsuit of its kind filed in New York, and three other lawsuits have been filed in Pennsylvania and California.


The complaints alleging various common law and state law violations, including invasion of privacy, breach of implied contract, unjust enrichment, and laws prohibiting deceptive acts or practices or false advertising.

Use of these types of laws and common law claims has increasingly become a common practice in privacy class action lawsuits, demonstrating a potential need for companies to take a step back from the granular requirements of GDPR and CCPA and ensure their privacy practices are conceptually clear and understood by consumers. 

FTC Files $1.5MM Enforcement Action Against GoodRX for Data Sharing

For the first time, the Federal Trade Commission leaned on the FTC Health Breach Notification Rule to take action against a digital health platform for sharing personal health information for advertising purposes. 

GoodRX, a telehealth and prescription drug discount provider, was allegedly engaged in various data sharing practices, including sharing lists of users who had purchased certain medications, along with contact information, with Facebook to identify their profiles and target them with health-related advertisements, in a manner inconsistent with the company’s privacy promises.

The FTC found that these practices constituted unauthorized disclosures under the Health Breach Notification Rule.

In its proposed order, which must be approved by a federal court before it is final, the FTC fined GoodRX $1.5 million, permanently prohibited GoodRX from disclosing user health information with third parties for advertising purposes, and required user consent (without dark patterns) for any other data sharing, among other requirements.


The FTC Health Breach Notification Rule was issued in 2009 and applies to entities that are not covered by the Health Insurance Portability and Accountability Act.

The rule requires notification to impacted consumers, the FTC, and in some cases the media, of any breach of unsecured identifiable health information.

It was never enforced, but in 2021, the FTC issued a statement putting mobile health apps on notice and reminding them to examine their obligations under the Rule.

The statement also clarified that a “breach” is not limited to cybersecurity intrusions but could also include sharing of covered information without individual authorization.

This GoodRX enforcement action is the FTC’s first action under such guidance.  


European Commission Publishes Study Indicating “A Strong Case to Reform Digital Advertising”

The European Commission on January 30, 2023 published a ‘Study on the impact of recent developments in digital advertising on privacy, publishers and advertisers“.

The study outlines the background of digital advertising, including how it has evolved and the impacts it (particularly targeting and profiling) has had on democracy and society in the EU, as well as the distribution of advertising spend across the digital advertising ecosystem.

It posits that “there is limited evidence to suggest that there are sufficient gains for advertisers and publishers in terms of efficiency and efficacy to outweigh the societal impacts, especially in relation to ads bought directly from large platforms” and assesses alternative digital advertising models that involve less or no personal data and/or less data sharing with third parties, including contextual advertising, local profiling and subscription models.


Overall, the study concludes that “there is a need to improve transparency and accountability, increase individuals’ control over how their personal data is used for digital advertising and address a number of obstacles that make it harder for advertisers and publishers to ‘know their audience'”. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]