GoodRx, the website and app that has a seemingly endless TV marketing budget, has been sharing their consumer data with Facebook, Google, and others according to a recent article by Consumer Reports. During testing, Consumer Reports found that, “a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions and make educated guesses about their sexual orientation.”
One company that GoodRx has shared consumer information with is Braze, a marketing firm, which claims that the data they collect is only used to target GoodRx users with information and not shared broadly with other advertising companies. GoodRx states Braze is used to send email or text reminders when a consumer is running low on their medication. Another company, Branch, claims it uses GoodRx data to make sure links work correctly in the mobile app.
According to Consumer Reports, both Facebook and Google have denied that they use prescription information to target consumers with ads, especially based on sensitive information like a person’s personal health information. However, Consumer Report’s Digital Lab observed sensitive information being passed to these companies and believes the app and website could be redesigned to prevent it from happening.
The big questions are: Is this legal? Doesn’t HIPAA apply?
Because GoodRx is a private company with no doctors or hospitals involved, it does not have to protect the health data a consumer gives it. Many consumers would be surprised to hear about this, although it is good to remember that if a service is free, the real product is the consumer and his or her data, and how a company shares consumer data is usually located in the fine print.
Shortly after the Consumer Report’s article came out, GoodRx posted a statement apologizing for the Facebook advertising in particular and vowing to “do better.” They also stated they would appoint a new VP of Data Privacy, make it possible for consumers to opt-out from cookies and tracking, and allow consumers to delete their data.