Telemedicine platform company and drug discounter GoodRx will pay $25 million to settle a consolidated class action lawsuit. Users filed the lawsuit after becoming aware that GoodRx used website tracking tools on its platform and shared website visitor information with third parties such as Google, Meta Platforms, and Criteo for marketing purposes without obtaining user permission.
The tracking tools, also referred to as pixels, are snippets of code placed on web pages to monitor user activity. The data collected on visitors may be used to improve websites and can also be transmitted to third parties for promotional purposes. The Federal Trade Commission (FTC) investigated GoodRx's use of tracking tools and determined that it had violated the FTC Act. GoodRx had repeatedly assured its users that their sensitive information would not be provided to third parties, but it used tracking tools on its web pages and disclosed identifying data, including sensitive health data, to third parties without the knowledge or permission of users. The FTC also cited a violation of its Health Breach Notification Rule because GoodRx did not inform users about the data sharing.
GoodRx denied the FTC’s conclusions, saying it had addressed the issue about 3 years ago, even before the FTC’s investigation. It maintains that it did nothing wrong. GoodRx stated that it used the tools for marketing purposes in a way that complied with all laws. GoodRx resolved the alleged violations by paying the FTC $1.5 million rather than contesting them in court. The settlement agreement also requires GoodRx to stop disclosing users’ health data to third parties for marketing purposes and to get permission before sharing information for non-marketing purposes.
Immediately after the FTC settlement was announced, a class action lawsuit was filed against GoodRx in the U.S. District Court for the Northern District of California with the same allegations as the FTC. Allegedly, personal data was shared with third parties without the awareness or permission of users, although the website posted information from October 2017 to March 2019 stating that personal data is not shared with third parties. The plaintiffs specifically cited the website's statement that GoodRx never gives promoters or any other third parties any data related to a personal medical condition or personal health data.
The lawsuit made the following claims: unjust enrichment, intrusion upon seclusion, common law invasion of privacy, violations of the California Invasion of Privacy Act, violations of the California Confidentiality of Medical Information Act (CMIA), aiding and abetting violations of CMIA, violations of the California Business and Professions Code, and violations of the California Consumers Legal Remedies Act. A few other lawsuits related to the privacy violations were filed, and the cases were consolidated into one action: Jane Doe et al. v. GoodRx Holdings, Inc., et al. The consolidated lawsuit made the following claims: negligence, negligence per se, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act and New York’s General Business Law.
Google, Meta, and Criteo are co-defendants in the lawsuit and are seeking dismissal of the claims against them. District Court Judge Araceli Martinez-Olguin will decide on the plaintiffs’ motion to approve the $25 million settlement. If the settlement is approved, the plaintiffs will be allowed to file claims against co-defendants that are not part of the proposed settlement.
If the settlement is approved, victims of the privacy violations will be allowed to file claims for a portion of the settlement fund that remains after attorneys’ fees, legal costs and expenses, and service awards are deducted. The plaintiffs’ lawyers are seeking 33% of the settlement amount, or $8.33 million.