FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps. 

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:

  • Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio. 
  • Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. 

Health Breach Notification Rule Violation

According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history. 

GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule is available at the FTC’s Health Privacy page.

Proposed Order

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
  • Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. Commissioner Christine S. Wilson issued a concurring statement. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorney on the GoodRx matter was Ronnie Solomon of the FTC’s Bureau of Consumer Protection.


FTC Commissioners Vote to Deny Motion by the Agency’s Staff Seeking Summary Decision Against Intuit

FTC Commissioners voted to deny a motion by the agency’s Bureau of Consumer Protection seeking a summary decision against Intuit Inc. for engaging in allegedly deceptive advertising of its TurboTax tax preparation service.

In an Opinion and Order issued today, the Commission expressed concerns about the advertising campaign but determined that a decision on the merits of the case against Intuit “would be best made after fuller factual development at trial” which will proceed before FTC Administrative Law Judge D. Michael Chappell.

In the complaint against Intuit, the Bureau of Consumer Protection asserts that the company’s ads repeatedly claimed that consumers could file their taxes for free using TurboTax even though TurboTax is free for only some consumers, based on the tax forms they need.

The Commission vote to issue the Opinion and Order was 4-0.


Federal Trade Commission Extends Public Comment Period on Potential Updates to its Green Guides for the Use of Environmental Marketing Claims

On December 14, 2022, the Federal Trade Commission announced it is seeking public comments on potential updates and changes to the Green Guides for the Use of Environmental Claims. The Commission’s Green Guides help marketers avoid making environmental marketing claims that are unfair or deceptive under Section 5 of the FTC Act. The Commission seeks to update the guides based on increasing consumer interest in buying environmentally friendly products. The public comment period originally was set to expire on February 21, 2023.

At the request of several interested parties, the Commission has extended the public comment period for 60 days, until April 24, 2023. Information about how to submit comments can be found in the Federal Register notice announcing the extension.

The Commission vote approving extension of the public comment period was 4-0.


FTC Releases Reports on Cigarette and Smokeless Tobacco Sales and Marketing Expenditures for 2021

The number of cigarettes that the largest cigarette companies in the United States sold to wholesalers and retailers nationwide decreased from 203.7 billion in 2020 to 190.2 billion in 2021, according to the Federal Trade Commission’s most recent Cigarette Report. The report also states that in 2021, menthol flavored cigarettes comprised 37 percent of the market among major manufacturers, more than double the 16 percent market share they held in 1963.

The amount spent on cigarette advertising and promotion increased from $7.84 billion in 2020 to $8.06 billion in 2021. Price discounts paid to cigarette retailers ($6.01 billion) and wholesalers ($917 million) were the two largest expenditure categories in 2021. Combined spending on price discounts accounted for 86 percent of industry spending.

According to the Smokeless Tobacco Report, smokeless tobacco sales decreased from 126.8 million pounds in 2020 to 122 million pounds in 2021. The revenue from those sales rose from $4.82 billion in 2020 to $4.96 billion in 2021. Menthol flavored smokeless tobacco products comprised more than half of all sales and fruit flavored smokeless tobacco products comprised 2.7 percent.

Spending on advertising and promotion by the major manufacturers of smokeless tobacco products in the U.S. increased from $567.3 million in 2020 to $575.5 million in 2021. As with cigarettes, price discounts made up the two largest spending categories, with $308.2 million paid to retailers and $81.3 million paid to wholesalers in 2021. Combined spending on price discounts represented 67.7 percent of all industry spending.

Smokeless tobacco manufacturers also reported selling $804.8 million of nicotine lozenges or nicotine pouches in 2021, not containing tobacco, up from $422.7 million in 2020.

The Commission has issued the Cigarette Report periodically since 1967 and the Smokeless Tobacco Report periodically since 1987. The Commission vote to issue the reports was 4-0.

The primary staffer on the reports is Michael Ostheimer in the FTC’s Bureau of Consumer Protection.


FTC’s Bureau of Consumer Protection Issues Criminal Liaison Unit Report Detailing Efforts to Ensure Wrongdoers Face Accountability

The Criminal Liaison Unit of the Federal Trade Commission’s Bureau of Consumer Protection (BCP CLU) has issued its 2022 Criminal Liaison Unit Report, describing the history of the BCP CLU, its program operations, and major accomplishments over the past five years. In an effort to ensure criminal prosecution of appropriate consumer fraud cases, the BCP CLU refers cases to partner agencies with criminal jurisdiction, including U.S. Attorney’s Offices across the country, Divisions of the Department of Justice (DOJ) and others.


“For the worst individual and corporate wrongdoers, civil remedies may not be sufficient to protect the public from further harm,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Government works best when agencies work together toward a common goal, and we are proud that our partnership with criminal enforcers leads to justice for bad actors and a safer marketplace for us all.” 

The FTC, which is not authorized to bring criminal law enforcement actions, established the BCP CLU in 2002 to bring the “worst of the worst” offenders to the attention of prosecutors. As it grew, the BCP CLU worked to establish relationships with prosecutors and educate them about the Commission’s consumer fraud and deception cases. Success in initial cases proved that criminal consumer protection cases were not only viable, but could result in substantial prison sentences.

Over the past five years, the report notes, BCP CLU referrals have led to criminal charges against 107 new defendants, 145 total convictions, and 181 defendants sentenced for consumer fraud. The total sentence time for all defendants was 746 years, with the average sentence being 51 months (approximately 4.3 years) of incarceration.

The BCP CLU Report: 2018-2022

As the BCP CLU has grown over the past 20 years, the program has worked to address prosecutors’ concerns by communicating regularly to understand their priorities and to strategically refer cases most likely to be attractive to them, according to the report. The result has been an established reputation for presenting prosecutors with solid cases that will make the most of their limited time.

The BCP CLU also has established annual awards, which recognize the FTC’s best partners for their criminal prosecution efforts on behalf of U.S. consumers. In 2021, because of the importance of this work as well as BCP CLU’s success to date, the Commission issued a Statement Regarding Criminal Referral and Partnership Process, where the agency recommitted itself to a robust program of criminal referrals across both its competition and consumer protection missions.

The 2022 BCP CLU Report includes information on:

  • Significant early BCP CLU cases and their results;
  • An overview of BCP CLU program operations;
  • A description of BCP CLU cooperative efforts with other law enforcers;
  • A list of BCP CLU Award recipients;
  • A summary of BCP CLU accomplishments between 2018 and 2022; and
  • A look forward to the future of the program, including current priorities.

More information about the BCP CLU can be found on the FTC’s website.

Sarah Waldrop, the BCP CLU Chief, was the lead staffer on this report.


FTC Finalizes Order with Ed Tech Provider Chegg for Lax Security that Exposed Student Data

The Federal Trade Commission has finalized its order with education technology provider Chegg Inc. for its careless data security practices that exposed sensitive information about millions of Chegg’s customers and employees, including Social Security numbers, email addresses, and passwords.

In a complaint first announced in October 2022, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords. As a result of its poor data security, Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees, including users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.

The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to request access to and deletion of their data.

After receiving only one substantive comment, the Commission voted 4-0 to finalize the order with Chegg and send a letter to the commenter.


FTC Returns More Than $973,000 to Consumers Charged by NutraClick LLC for Unwanted Monthly Subscriptions for Supplements and Beauty Products

The Federal Trade Commission is sending payments totaling more than $973,000 to 17,064 people who lost money after NutraClick LLC automatically enrolled them in unwanted membership programs for supplements and beauty products and misled consumers about when they had to cancel trial memberships to avoid monthly charges.

The FTC will begin sending payments today by check. Consumers who get a check should cash it within 90 days. Recipients who have questions about their payment can call the refund administrator, Analytics, at 844-735-1139, or browse answers to frequently asked questions about FTC refunds. The Commission never requires people to pay money or provide account information to get a payment.

In 2016, NutraClick agreed to settle the FTC’s complaint alleging that it lured consumers with “free” samples of supplements and beauty products and then violated the law by charging them a recurring monthly fee without their consent. The settlement required NutraClick to clearly and conspicuously disclose the terms of its recurring membership programs going forward.

In September 2020, the FTC filed another complaint against the company, alleging it violated federal law and the 2016 settlement order by misleading consumers about when they had to cancel their free trial memberships to avoid monthly charges. The defendants agreed to pay $1.04 million for consumer refunds and are banned from such negative option marketing.

The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2021, Commission actions led to more than $472 million in refunds to consumers across the country, but these refunds were the result of cases resolved before the U.S. Supreme Court ruled in 2021 that the Commission lacks authority under Section 13(b) to seek monetary relief in federal court. Because of that ruling, the Commission no longer has its strongest tool to return money to consumers, and it will become harder to provide refunds to consumers harmed by deceptive and unfair conduct. The Commission has urged Congress to restore its ability to get money back for consumers.


FTC Marks Identity Theft Awareness Week for 2023 on January 30-February 3

The Federal Trade Commission will mark its annual Identity Theft Awareness Week with a series of free events January 30-February 3 focused on how identity theft affects people of every community and ways to reduce your risk.

Identity theft happens when someone uses your personal or financial information—such as your Social Security number or financial account information—without your permission.

This year’s events include webinars, podcasts and other activities. Participants will hear from experts from the FTC and its Identity Theft Awareness Week partners, including AARP, Consumer Action, the Identity Theft Resource Center (ITRC), the IRS, the Maryland Library for the Blind and Print Disabled, the Small Business Administration, and the Department of Veterans Affairs.

The week’s activities will formally kick off on January 30 with a webinar by the ITRC and FTC offering an overview of the financial, emotional, and physical impacts of identity theft, and a discussion of how identity theft happens and how to lower your risk. The week will end February 3 with a podcast discussion with college students about financial aid scams, job scams, and other tactics identity thieves use to steal personal information.

Find the full list of events at ftc.gov/IDTheftweek. Consumers who have experienced identity theft can report it to the FTC and get a personalized recovery plan at IdentityTheft.gov.


FTC Finalizes Order Requiring Credit Karma to Pay $3 Million and Halt Deceptive ‘Pre-Approved’ Claims

Following a public comment period, the Federal Trade Commission finalized a consent order settling charges against credit services company Credit Karma for deploying dark patterns to misrepresent that consumers were “pre-approved” for credit card offers.

The FTC’s complaint, first announced in September 2022, said that the company used claims that consumers were “pre-approved” and had “90% odds” to entice them to apply for offers that, in many instances, they ultimately did not qualify for.

The FTC’s consent order requires the company to pay $3 million that will be sent to consumers who wasted time applying for these credit cards and to stop making these types of deceptive claims.

The Commission vote to approve the final order and letters to commenters was 4-0.


FTC Order Requires HomeAdvisor to Pay Up To $7.2 Million and Stop Deceptively Marketing its Leads for Home Improvement Projects

The Federal Trade Commission today issued an order requiring Denver-based HomeAdvisor, Inc. – a company affiliated with Angi, formerly known as “Angie’s List” – to pay up to $7.2 million for using a wide range of deceptive and misleading tactics in selling home improvement project leads to service providers, including small businesses operating in the “gig” economy.

The administrative order also bars HomeAdvisor from the deceptive conduct detailed in the Commission’s complaint against the company, which the complaint alleged occurred over many years, and sets up two redress funds to provide money to defrauded service providers. The administrative order will be subject to public comment after which the Commission will decide whether to make the order final.

“Today’s order requires HomeAdvisor to refund home service providers millions of dollars and stop misleading them about the quality of its leads,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Even as the nature of work and the economy change, the FTC will continue to combat dishonest commercial practices aimed at consumers, workers, and small businesses.”

Today’s action is the first announced since the Commission issued its Policy Statement on Enforcement Related to Gig Work, which committed the agency to rooting out unfair, deceptive, or anticompetitive practices in the gig economy. It builds on other efforts to protect gig workers and small businesses, including the Commission’s Notice of Penalty Offenses on Money-Making Opportunities, and ANPR on Earnings Claims.

HomeAdvisor, which also does business as Angi Leads and HomeAdvisor Powered by Angi, recruits service providers, such as general contractors and lawn care businesses, to join the company’s network. Once service providers join the network, HomeAdvisor sells them leads, which the service providers use to contact potential customers for home repair and maintenance projects.

Service providers who join HomeAdvisor’s network generally pay an annual membership fee of $287.99, in addition to a separate fee for each lead they receive. As part of their HomeAdvisor membership package, many service providers have also paid an additional $59.99 for an optional one-month subscription to a service called mHelpDesk, which includes software that helps with scheduling appointments and processing payments.

The FTC’s March 2022 administrative complaint against HomeAdvisor charged that since at least mid-2014 it has made false, misleading, or unsubstantiated claims about the quality and source of the leads the company sells to service providers who are in search of potential customers. For example, the complaint alleged that, while HomeAdvisor has represented that service providers only will receive leads matching the types of services they provide and their preferred geographic area, many of them do not.

The complaint also alleged that HomeAdvisor often tells service providers that its leads result in jobs at rates much higher than it can substantiate. Finally, the complaint alleged that HomeAdvisor’s sales agents misrepresented that the optional one-month mHelpDesk subscription was free.

In addition to requiring that HomeAdvisor pay up to $7.2 million for redress, the proposed order prohibits the company from making any false or misleading claims regarding its leads, including that they concern individuals who are ready to hire a service provider or who submitted a request for home services directly to HomeAdvisor. It also bars HomeAdvisor from misrepresenting its products as free when they are not, or making unsubstantiated claims about the rate at which its leads convert into paying jobs.

The redress program included in the order would administer two separate funds. The first would make payments of up to $30 to service providers affected by HomeAdvisor’s misrepresentations about its lead quality. The second would make payments of up to $59.99 to service providers who were told that the first month of their mHelpDesk subscription was free.

The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Comments must be received 30 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.

The lead staff attorney on the HomeAdvisor matter was Sophia H. Calderón of the FTC’s Northwest Region.
