On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by that individual. But one particularly noteworthy aspect of the stipulated order that may affect companies beyond the healthcare arena is the FTC’s requirement that GoodRx must implement a data retention schedule that does not permit “indefinite retention of any Covered Information.”
Background
GoodRx offers consumers free coupons for discounts on medications, and also operates a telehealth platform. Consumers could download the GoodRx app and obtain discount coupons at their local pharmacy, and the pharmacy would receive the consumer’s information and pay GoodRx a fee. GoodRx assured consumers in its privacy policy that it would not share personal health information with advertisers, but would instead limit sharing for limited purposes like delivery of services (the pharmacist has to know this information to provide consumers the appropriate discount). GoodRx also stated that it would restrict third parties’ use of personal health information when it did share such information.
According to the complaint, GoodRx allegedly shared individually identifiable information with third parties, such as social media sites and advertisers, and GoodRx used personal information to target users with ads on social media. The complaint claims that GoodRx signed the third parties’ standard terms or otherwise entered into agreements that permitted these third parties to use the information for their own purposes, included advertising. The complaint also alleged that GoodRx did not have sufficient policies and procedures with respect to how all types of personal information could be shared.
In February of 2020, a national consumer watchdog organization published an article about GoodRx sharing this information with third parties. The same day the article appeared, GoodRx issued a statement apologizing, and stating that it had made changes. According to the complaint, however, the sharing continued until at least November of 2020.
The FTC claimed, in the complaint, that these actions violated Section 5 of the FTC Act, including violations of the Health Breach Notification Rule (third party acquisition of personal health information without user consent), as well as misrepresentations with respect to disclosure of personal information and failure to limit third-party use of that information. The FTC also claimed that GoodRx committed deceptive acts by failing to implement policies and procedures to prevent unauthorized disclosures of personal information.
Stipulated Order
Under the stipulated order, in which GoodRx neither admits nor denies the allegations of the complaint, GoodRx has agreed to: (1) pay a $1.5 million civil penalty, (2) ban disclosure of personal health information for advertising purposes; (3) a prohibition against disclosure of personal health information without notice and user consent; (4) email all users for which it has an email address and conspicuously post a notice to users summarizing the order’s requirements; (5) third party assessments of its privacy practices; (6) notify all third parties that received the information and require that those third parties delete the information; and (7) implement a comprehensive privacy program. That privacy program includes a requirement for a data retention policy that, at a minimum includes:
a. a retention schedule that limits the retention of Covered Information for only as long as is reasonably necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be destroyed, and may be disclosed, to the extent requested by a government agency is required by law, regulation, or court order; and
b. a requirement that each Covered Business document, adhere to, and make publicly available in its terms of service or terms of use a retention schedule for Covered Information setting forth: (1) the purposes for which such information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumer) that precludes indefinite retention of any Covered Information.
(Order, § VII.E.7 (emphasis added).) “Covered Information” was defined as Personal Information, Health Information, or PHR (Personal Health Record) Identifiable Health Information.
Our Take
Although much of the order’s data retention language may remind our readers of California’s requirements, the FTC went one step further and flatly prohibited indefinite (permanent) storage of personal information. The order appears to tie the prohibition of indefinite retention to HIPAA-covered entities and business associates under HIPAA and the HITECH Act, but it remains unclear whether the FTC holds the same view for personal information held by non-HIPAA covered entities under FTC jurisdiction (including personal information held by financial institutions under the Safeguards Rule). Does your company’s retention policy permit permanent storage of personal data? When was the last time you reviewed your company’s record retention policy?
