I'm sure many of you have seen already, but the FTC just slapped GoodRx for sharing health data without their knowledge to third parties like Facebook and Google ftc.gov/system/files/f
it's a big deal for a few reasons:
1) the way GoodRx was sharing data with advertisers—to target ads to consumers—is a widely held practice.
2) it's the first time the commission has used the health breach data notification rule, which was designed to account for health data not covered by HIPAA or otherwise under the purview of HHS.
The rule was put into place back in 2009 in a stimulus bill and has never been used. But the commission has been signaling via public statements that it is going to interpret the rule this way.
If the court agrees with this order, GoodRx is going to have to stop sharing personal health data with Google, Facebook, etc. for advertising purposes and make sure that third parties delete data it's previously shared, which is also a big deal.
Though ad platforms and data aggregators are not the focus here, the FTC could follow up to make sure that these companies are not inadvertently in possession of data that was collected in ways that violated the HBNR
The other thing to pay attention to—in addition to this new enforcement tool that we're likely to see more of—is that the FTC also is in the process of proposing new rules on commercial surveillance and data security
obviously we don't know what those will be, but the agency may seek to more firmly codify what it's doing in these actions through new rules

