Newly released Federal Trade Commission data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year.

Consumers reported losing more money to investment scams—more than $3.8 billion—than any other category in 2022. That amount more than doubles the amount reported lost in 2021. The second highest reported loss amount came from imposter scams, with losses of $2.6 billion reported, up from $2.4 billion in 2021.

The FTC received fraud reports from 2.4 million consumers last year, with the most commonly reported being imposter scams, followed by online shopping scams. Prizes, sweepstakes, and lotteries; investment related reports; and business and job opportunities rounded out the top five fraud categories.

The FTC’s Consumer Sentinel Network is a database that receives reports directly from consumers, as well as from federal, state, and local law enforcement agencies, the Better Business Bureau, industry members, and non-profit organizations. Twenty-three states contribute data to Sentinel.

Sentinel received more than 5.1 million reports in 2022; these include the fraud reports detailed above, as well as identity theft reports and complaints related to other consumer issues, such as problems with credit bureaus and banks and lenders. In 2022, there were over 1.1 million reports of identity theft received through the FTC’s IdentityTheft.gov website.

The FTC uses the reports it receives through the Sentinel network as the starting point for many of its law enforcement investigations, and the agency also shares these reports with approximately 2,800 federal, state, local, and international law enforcement professionals. While the FTC does not intervene in individual complaints, Sentinel reports are a vital part of the agency’s law enforcement mission.

A full breakdown of reports received in 2022 is now available on the FTC’s data analysis site at ftc.gov/exploredata. The data dashboards there breakdown the reports across a numbers of categories, including by state and metropolitan area, as well as exploring a number of subcategories of fraud reports.

Federal Trade Commission staff sent 24 cease and desist letters to eye care prescribers after receiving complaints claiming that the prescribers failed to comply with the Contact Lens Rule. Some letters also cited potential violations of the Ophthalmic Practice Rules (known as the Eyeglass Rule). These rules ensure consumers the right to comparison shop for prescription lenses. The FTC is not making the names of the prescribers receiving letters public at this time.

As detailed in the letters, the Contact Lens Rule:

•  requires prescribers to provide a copy of the contact lens prescription to the patient at the end of the contact lens fitting, even if the patient does not request it; 
•  prohibits prescribers from requiring that patients buy contact lenses, pay additional fees, or sign a waiver or release, as a condition of releasing or verifying the prescription; and
•  requires a prescriber with a direct or indirect financial interest in the sale of contact lenses to ask patients to confirm that they received their prescription by signing an acknowledgement of receipt, a prescriber-retained copy of the prescription, or a copy of the examination receipt.

Some letters also addressed complaints that prescribers were not complying with the Contact Lens Rule when they prescribe private label (or store-brand) lenses, by failing to provide information required by the rule, such as the name of the manufacturer and trade name of the private label brand. Such information allows consumers to comparison shop for the prescribed contact lens or one “identical” to the prescribed lens.

Other letters addressed complaints that prescribers were improperly responding to third-party seller requests to verify contact lens prescription information by providing general denials. The letters reminded prescribers of their obligation, if the prescription information is inaccurate, expired or otherwise invalid, to specify the basis for the inaccuracy or invalidity of the prescription and, if it is inaccurate, to correct it.

Finally, some letters addressed the Contact Lens Rule’s requirement that, when responding to authorized third-party seller requests for a copy of a consumer’s prescription, prescribers must provide the prescription (or indicate that it is no longer current or valid) within forty business hours of receipt of the request.

Where violations of the the Eyeglass Rule were alleged, the letters reminded prescribers of the requirement to provide their patients with a copy of their eyeglass prescription immediately after an eye exam, even if the patient does not request it. The letters warn the prescribers that violations of the Contact Lens Rule or Eyeglass Rule may result in legal action, including civil penalties of up to $50,120 per violation.

Along with the letters, staff also provided prescribers with links to its business guidance pieces, FAQs: Complying with the Contact Lens Rule and The Contact Lens Rule: A Guide for Prescribers and Sellers and, where appropriate, Complying with the Eyeglass Rule .

The FTC has recently updated information to help consumers understand their rights under federal law. See: Buying Prescription Glasses or Contact Lenses: Your Rights.

The primary staffer responsible for the cease and desist letters announced today is Alysa Bernstein in the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission sued to stop an interconnected web of operations responsible for delivering tens of millions of unwanted Voice Over Internet Protocol (VoIP) and ringless voicemail (RVM) phony debt service robocalls to consumers nationwide. The Department of Justice (DOJ) filed the complaint in federal court on the FTC’s behalf.

The DOJ also filed a proposed consent order against one of the companies and individuals involved in the operation, which would, if approved by the court, bar them from making further misrepresentations about debt relief services and ordering them to comply with the Telemarketing Sales Rule (TSR).

“This case targets the ecosystem of companies who perpetrate illegal telemarketing to cheat American consumers who are struggling financially,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC will continue to take aggressive action to protect consumers from the scourge of illegal robocalls.”

“The Department of Justice is committed to stopping individuals and companies from making illegal robocalls and peddling predatory debt relief services,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to work with the FTC to enforce the FTC Act and the Telemarketing Sales Rule against those who use misleading sales tactics to prey on consumers.”

According to the complaint, Stratics Networks, Inc.’s outbound calling service enabled its clients to route and transmit millions of robocalls using VoIP technology. From at least 2013 to 2020, Stratics sold its wholesale SIP termination service to other VoIP technology service providers, including Texas-based defendants Netlatitude, Inc. and its owner Kurt Hannigan, and many others. Stratics also sold access to its platform for delivering RVM, a call that goes to a consumer’s voicemail without ringing their phone. Netlatitude used Stratics’ wholesale SIP termination services to operate its own RVM service, which it then sold to a foreign telemarketer of debt relief services.

Other Stratics customers included lead generation telemarketers that allegedly used Stratics’ services to blast illegal robocalls to millions of consumers nationwide. Despite receiving repeated notices from USTelecom’s Industry Traceback Group that some customers’ robocall traffic was likely illegal, the complaint outlines how Stratics continued to assist a California-based debt relief scheme, which included defendants Kasm, and the related companies of Atlas Marketing Partners, Inc.; Atlas Investment Ventures, LLC; Tek Ventures, LLC, doing business as Provident Solutions, and the companies’ owners.

The complaint alleges that these companies used Stratics’ RVM service to run an illegal robocall campaign pitching supposed debt relief services to consumers. Another defendant, Nevada-based Ace Business Solutions LLC and its owner, Sandra Barnes, allegedly provided debt validation letter writing services and payment processing as part of Provident Solutions’ debt relief scam.

The complaint alleges that this web of interconnected platform providers, lead generators, telemarketers, and debt relief service sellers violated the TSR in many ways, including:

• Making misrepresentations regarding debt relief services (Atlas Marketing Partners, Atlas Investment Ventures, Tek Ventures also d/b/a Provident Solutions, Eric Petersen, Todd DiRoberto, Kasm, and Kenan Azzeh);

• Assisting and facilitating violations of the TSR by knowing, or consciously avoiding knowing, that their customers’ operations caused the initiation of telemarketing calls to numbers on the FTC’s Do Not Call Registry, as well as calls in which telemarketers failed to disclose the identity of the seller and services being offered (Stratics, Netlatitude, and Kurt Hannigan);

• Initiating illegal pre-recorded telemarketing messages, commonly known as robocalls (Atlas Marketing Partners, Atlas Investment Ventures, Tek Ventures, LLC also d/b/a Provident Solutions, Eric Petersen, Todd DiRoberto, Kasm, and Kenan Azzeh);

• Failing to make oral disclosures required by the TSR, including the identity of the debt relief sellers (Atlas Marketing Partners, Atlas Investment Ventures, Tek Ventures also d/b/a Provident Solutions, Eric Petersen, Todd DiRoberto, Kasm, and Kenan Azzeh);

• Misrepresenting material aspects of debt relief services (Atlas Marketing Partners, Atlas Investment Ventures, Tek Ventures also d/b/a Provident Solutions, Eric Petersen, Todd DiRoberto, Kasm, and Kenan Azzeh); and

• Charging or receiving a fee from consumers before providing a debt relief service (Atlas Marketing Partners, Atlas Investment Ventures, Tek Ventures also d/b/a Provident Solutions, Eric Petersen, Todd DiRoberto, Ace Business Solutions, and Sandra Barnes).

The Kasm Consent Order

One set of defendants has agreed to settle the complaint in this case. A proposed court order announced today, would, if approved by the court, prohibit debt relief lead generator KASM, also doing business as Kasm, Inc., and the company’s owner, Kenan Azzeh, from making the misrepresentations alleged in the complaint and from violating the TSR. It also requires the defendants to review the methods used by their existing lead generators, determine and obtain leads sold or offered to them illegally, and stop buying leads from any lead generator found to have sold them such leads.

Finally, the proposed consent order imposes a $3.38 million judgment against the defendants, which will be partially suspended based on their inability to pay, after they pay the FTC $7,500 to be used for consumer redress. If they are later found to have misrepresented their financial condition, the full amount will immediately become due.

The Commission vote authorizing the staff to refer the complaint and proposed consent order to the Department of Justice for filing was 4-0. The DOJ filed the documents in the U.S. District Court for the Southern District of California. Litigation continues against the non-settling defendants. Christopher E. Brown was the primary FTC staffer on this matter.

NOTE: The Commission refers a complaint for civil penalties to the DOJ for filing when it has “reason to believe” that the named defendants are violating or are about to violate the law and that a proceeding is in the public interest. The case will be decided by the court.

The Federal Trade Commission took action today against a marketer of vitamins and other supplements called The Bountiful Company (Bountiful) for abusing a feature of Amazon.com to deceive consumers into thinking that its newly introduced supplements had more product ratings and reviews, higher average ratings, and “#1 Best Seller” and “Amazon’s Choice” badges.

The case against Bountiful marks the FTC’s first law enforcement challenging “review hijacking,” in which a marketer steals or repurposes reviews of another product. Bountiful carried out this deceptive tactic by merging its new products on Amazon with different well-established products that had more ratings, reviews, and badges, the FTC said.

“Boosting your products by hijacking another product’s ratings or reviews is a relatively new tactic, but is still plain old false advertising,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The Bountiful Company is paying back $600,000 for manipulating product pages and deceiving consumers.”

Bountiful, based in Bohemia, New York, manufactures vitamin, mineral, and other nutritional supplements. Its brands include Nature’s Bounty and Sundown. Bountiful sells its supplements to Amazon, which then sells them to consumers on Amazon.com.

According to the FTC, Bountiful took advantage of an Amazon feature that allows vendors to create or request the creation of  “variation” relationships between some products that are similar but differ only in narrow, specific ways – such as color, size, quantity, or flavor. Products with a variation relationship share the same product detail page on Amazon.com and appear as alternative choices, so shoppers can compare and choose among similar products.

The product detail page of products that are in a variation relationship displays the total number of ratings, the average star rating, and the reviews for all of the products in the variation relationship, the FTC said in its complaint. They also share any “#1 Best Seller” or “Amazon’s Choice” badges.

According to the FTC’s complaint, during 2020 and 2021, Bountiful asked Amazon to create numerous variation relationships for its supplement products with different formulations. According to one internal Bountiful communication, the company created variations with some new products “to try and ramp them faster as they were NOT selling and we wanted to give them a little boost in R[atings]&R[eviews] to gain visibility and allow them to also borrow the ‘amazon choice’ badge and best seller badge which worked.”

For example, in March 2020, the company began selling two new products: Nature’s Bounty Stress Comfort Mood Booster and Nature’s Bounty Stress Comfort Peace of Mind Stress Relief Gummies. It requested that Amazon combine the new products in a variation relationship with three of its established products, all with different formulations. “Unfortunately people d[id] not love the [Stress Comfort] product[s],” but sales “spiked the second we variated the pages and they continue to grow,” according to one internal company email.

The FTC’s complaint alleges that by manipulating product pages, Bountiful misrepresented the reviews, the number of Amazon reviews and the average star ratings of some products, and that some of them were number one best sellers or had earned an Amazon Choice badge.

In addition to requiring that Bountiful pay $600,000 as monetary relief for consumers, the proposed order prohibits Bountiful from making similar types of misrepresentations and bars the company from creating a variation relationship – or using other deceptive review tactics – that distort what consumers think about its products or services.

Review hijacking is one of the clearly deceptive or unfair practices involving reviews on which the Commission sought comment in October 2022 when it announced an advance notice of proposed rulemaking.

The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Comments must be received 30 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.

The lead staffer on this matter was Michael Ostheimer of the FTC’s Bureau of Consumer Protection.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.

More than $115 million in refunds are being sent to consumers nationwide as a result of a 2018 action the Federal Trade Commission and the U.S. Department of Justice brought against MoneyGram for failing to crack down on scammers using their payment system.

The 2018 action charged that MoneyGram violated an FTC settlement from 2009, along with a 2012 DOJ agreement in which the company agreed to take proactive steps to reduce scammers’ ability to use their payment system to receive money from consumers.

“MoneyGram violated an FTC order by continuing to let scammers rip off its customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is pleased to be working with our law enforcement partners to provide refunds to claimants. Other firms that facilitate fraud and ignore FTC orders should expect to face similar consequences.”

“This distribution of $115.8 million to nearly 40,000 victims—each of whom is being fully compensated for their losses—demonstrates the Department of Justice’s continued commitment to making victims whole,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This is an example of how the Department will use every tool at its disposal, including in corporate criminal matters, to provide justice to victims.”

“This $115 million disbursement provides a measure of financial justice for the many victims who were harmed by fraudsters who preyed on them,” said Inspector in Charge Christopher A. Nielsen, U.S. Postal Inspection Service, Philadelphia Division. “The U.S. Postal Inspection Service is proud to be part of this exemplary collaborative effort with our law enforcement and regulatory partners, particularly the U.S. Attorney’s Office for the Middle District of Pennsylvania, the DOJ Money Laundering and Asset Recovery Section and the Federal Trade Commission, to facilitate a process where victims are delivered restitution.”

In the 2009 settlement with the FTC, MoneyGram agreed to put in place a fraud prevention program which, among other things, required the company to promptly investigate, restrict, suspend, and terminate high-fraud agents. The FTC charged that MoneyGram was aware of continued fraud on their payment network after the settlement, turning a blind eye for years to numerous instances of suspicious payment activity by the company’s agents.

Consumers receiving refunds in this distribution are those who submitted claims during the open claims process in 2021. More information about the MoneyGram refund program and its compensation to consumers who were harmed is available on DOJ’s MoneyGram remission website https://moneygramremission.com. Further questions may be directed to DOJ’s MoneyGram Remission Administrator by phone at 844-269-2630 or by email at info@moneygramremission.com

The staff of the Federal Trade Commission has provided the Consumer Financial Protection Bureau (CFPB) an annual summary of its activities enforcing the Equal Credit Opportunity Act (ECOA).

The FTC is responsible for ECOA enforcement and education regarding most non-bank financial service providers. In its summary, FTC staff describes the Commission’s work on ECOA-related issues, including activities addressed in enforcement, research, and policy development such as:

• two cases against auto dealership groups—Napleton Auto and Passport Auto that charged the dealerships violated ECOA by discriminating with respect to interest rate markups and illegal junk fees;
• a staff report cautioning about relying on artificial intelligence to combat online problems, noting concerns that these tools can have inherent potential for inaccuracy, bias, and discrimination, and can harm marginalized communities;  
• the FTC’s participation as a member of the Interagency Task Force on Fair Lending, a joint undertaking with the CFPB, DOJ, the Department of Housing and Urban Development (HUD), and the federal banking agencies, which shares information and discusses policy issues; and
• the FTC’s participation as a member of the Interagency Fair Lending Methodologies Working Group, with the CFPB, the Federal Housing Finance Agency, DOJ, HUD, and the federal banking agencies, to coordinate and share information on analytical methodologies used in enforcement of and supervision for compliance with fair lending laws, including ECOA.

The summary also outlines the Commission’s business and consumer education efforts on fair lending issues.

A copy of the summary was also provided to the Federal Reserve Board.

The lead attorney on this matter was Carole Reynolds in the Bureau of Consumer Protection.

Following a public comment period, the Federal Trade Commission has finalized consent orders against Google LLC and iHeartMedia, Inc. settling allegations that they produced and aired nearly 29,000 deceptive first-person endorsements by radio personalities promoting the personalities’ use of and experience with Google’s Pixel 4 phone in 2019 and 2020. 

According to the FTC, in 2019, Google hired iHeartMedia and 11 other radio networks in ten major markets to have radio personalities record and broadcast first-person endorsements of the Pixel 4 phone. Google provided iHeartMedia with scripts detailing the personalities’ experiences with the Pixel 4. However, the personalities were not provided with Pixel 4s before recording and airing most of the ads, and therefore did not own or regularly use the phones.

The final orders approved by the Commission settle the allegations and bar Google and iHeartMedia from similar misrepresentations. Separate state judgments also require them to pay a total of $9.4 million in penalties.

The Commission vote approving the final consent orders and response to one public commenter was 4-0. The staff attorneys on this matter are Karen Mandel and Laura Sullivan of the FTC’s Bureau of Consumer Protection.

New data released today by the Federal Trade Commission sheds new light on the lies that romance scammers use to take advantage of people—lies that reports to the FTC show cost nearly 70,000 consumers $1.3 billion in 2022.

Using data from the FTC’s Consumer Sentinel Network, the new data spotlight breaks down the most common lies that consumers reported being told when they were contacted by romance scammers last year.

Topping the list was scammers telling consumers that they needed money because a friend or relative was sick, hurt or in jail – a lie consumers reported hearing in nearly a quarter of reports. The next most commonly reported lie was that the scammer had great investment advice to share with their newfound romantic interest, followed closely by the lie that the scammer was in the military, or that they needed help making some sort of important delivery.

The data spotlight also highlights a growing tactic used by romance scammers: sextortion, when a romance scammer convinces a consumer to share explicit photos and then threatens to share those photos with the consumer’s social media contacts. The spotlight notes these reports have increased more than eightfold in the past three years, with consumers ages 18-29 six times more likely than older consumers to report this form of romance scam.

According to the spotlight, consumers most often report being contacted by romance scammers via social media, though they often push to move to other messaging apps. Consumers also reported losing more money by sending cryptocurrency than any other method.

The Federal Trade Commission today announced an order settling a 2020 federal lawsuit against defendants ZyCal Bioceuticals Healthcare Company, Inc. (ZyCal) and its president James J. Scaffidi, which charged them with deceptively claiming that their products grow bone and cartilage and relieve joint pain.

The order bars the ZyCal defendants from making these claims unless supported by randomized controlled clinical trials. It also bars them from providing anyone else with the means to make false or misleading claims. The FTC filed the order in the U.S. District Court for the District of Massachusetts, and it must be approved and signed by a judge to become final.

“The Commission sued these defendants to halt bogus claims that their products grow bone and cartilage and relieve joint pain,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This settlement is an important reminder that health-related advertising claims require rigorous substantiation in the form of competent and reliable scientific evidence. Unfortunately, the Supreme Court decision in AMG Capital Management prevented us from obtaining refunds for consumers in this case. The Commission has urged Congress to enact legislation to restore the agency’s ability to obtain critical relief for consumers through federal court actions.”

The FTC’s February 2020 complaint alleged the ZyCal defendants marketed oral products containing the ingredient Cyplexinol, which they touted was a stem cell activator that could grow bone and cartilage in users and relieve joint pain, including for people with osteoporosis and osteoarthritis. They also claimed that these health benefits were clinically or scientifically proven. The ZyCal defendants marketed Cyplexinol products directly to consumers under the brand name Ostinol, and indirectly through health practitioners and third-party distributors.

The complaint further alleged that the ZyCal defendants supplied a company, Excellent Marketing Results, Inc. (EMR), with the means and instrumentalities to deceptively market a copycat Cyplexinol product called StimTein. While the Commission announced a settlement with the EMR defendants when the complaint was announced in early 2020, litigation continued against the ZyCal defendants. The consent order announced today resolves the agency’s complaint against ZyCal and Scaffidi.

The settlement bars the ZyCal defendants from making bone and cartilage growth and joint pain claims for any food, drug, or dietary supplement, unless they are not misleading and are substantiated by competent and reliable scientific evidence, including randomized clinical trials. It also prohibits them from making other health benefit claims for the same products unless they are supported by reliable scientific evidence.

Finally, the order prohibits the defendants from misrepresenting that bone and cartilage growth claims, pain claims, and related claims are clinically or scientifically proven; from misrepresenting the existence, contents, or results of any scientific test or study; and from providing anyone else with the means to make false or misleading statements. ZyCal also must send a notice of the settlement with the FTC to a number of consumers, health practitioners, and other purchasers who bought Cyplexinol products from the company on or after January 1, 2018.

The Commission vote approving the stipulated final order was 4-0. The staff attorney handling the case is Mary L. Johnson in the FTC’s Bureau of Consumer Protection.

NOTE: Stipulated final orders or injunctions have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps. 

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:

• Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio. 

• Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.

• Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.

• Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.

• Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. 

Health Breach Notification Rule Violation

According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history. 

GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.

Proposed Order

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

• Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.

• Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.

• Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.

• Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.

• Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. Commissioner Christine S. Wilson issued a concurring statement. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorney on the GoodRx matter was Ronnie Solomon of the FTC’s Bureau of Consumer Protection.