The Health Breach Notification Rule requires companies with access to personal health records to explain to consumers when that data has been shared without their knowledge.
The old adage about the internet platform economy goes like this: “If something is free, you are the product.” Facebook, Google, and other sites invite users into a world and try to keep them there as long as possible to target ads, conducting mass surveillance that tracks your every waking move. And this has been effectively sanctioned through a disinclination to enforce various privacy rights and laws.
While it’s easy to blame Big Tech for this conduct, those companies also rely on partners who sell them information to use in their targeted surveillance regimes. The Federal Trade Commission took action against one of them today, in what could become a model for how to handle the panopticon economy in the future.
Anyone who has had their insurance company deny access to a prescription drug (in other words, anyone) has probably heard of GoodRx, which provides free discount coupons for medications. I have often wondered how they make that work economically. In part, it’s because they do the legwork of finding the cheapest of the various drug prices across the country, and negotiating with drug companies to broaden them. But that’s not really a moneymaking strategy for GoodRx. For that, it turns out that you are the product.
Consumer Reports broke the story in March 2020 that GoodRx sells customer data to over a dozen internet companies, including Google and Facebook. This allows tech firms to tie the names of the medications people research to their phone or laptop.
It also violates health privacy laws, which are among the strongest. The FTC has had a Health Breach Notification Rule in place since 2009, which requires companies with access to personal health records to explain to consumers when that data has been shared with others without their knowledge. In September 2021, under new chair Lina Khan, the agency warned health apps that they must comply with the rule. Yesterday, it took action against GoodRx, wielding the health breach rule for the first time.
The fine of $1.5 million was smaller than I’d have liked. But beyond that, the FTC prohibited GoodRx from sharing user data with any third parties for the purpose of selling ads, required it to seek user consent (in a straightforward manner, without deceptive user screens) for any sharing of health information whatsoever, forced it to get third parties to delete the data they have, and limited the time frame for GoodRx to retain that data. This is the first time a government agency has asserted that sharing health data for ads is illegal.
The FTC has issued an advance notice of proposed rulemaking on digital surveillance, and you could see this order as the blueprint for how to proceed with that: banning some forms of surveillance and data sharing, requiring direct consent for all others, and limiting data retention. You could see other rules layered onto that, but that’s the core. (I would love if regulators banned targeted advertising altogether, and hopefully we’ll get there someday.)
We’ve become so accustomed to getting ripped off, or having our data used against us, that when the government tries to ban junk fees (as the president announced yesterday) or prevent surveillance marketing, industries that rely on such tactics freak out. That must mean that Lina Khan and her colleagues are doing something right.