GoodRx agrees to a $25 million settlement over a data privacy class action lawsuit

GoodRx, a leading telemedicine platform and prescription drug discount provider, has agreed to settle a consolidated class action lawsuit for $25 million. The legal action stems from allegations that the company used website tracking technologies to share users’ sensitive data with third parties, including Meta Platforms, Google, and Criteo, for advertising purposes without user consent.

The tracking technologies, commonly called pixels, are snippets of code embedded in websites to monitor user interactions. These tools enable website operators to enhance user experience and transmit information to third parties for targeted advertising. The lawsuit alleges that GoodRx employed these tools between October 2017 and March 2019 to disclose sensitive health information, including data indicating users’ health conditions, despite assurances on its website that such data would remain confidential.

The settlement follows an earlier Federal Trade Commission (FTC) investigation, which found that GoodRx violated the FTC Act by sharing users’ health information without consent and failing to notify users as required under the Health Breach Notification Rule. The FTC determined that GoodRx had made misleading promises about safeguarding user privacy while sharing sensitive data with third parties. Although GoodRx denied the FTC’s findings, it settled those allegations for $1.5 million in February 2023. The settlement also imposed requirements to prevent sharing of user health data without consent and to ensure compliance with privacy regulations.

The class action lawsuit, filed in the U.S. District Court for the Northern District of California, echoes many of the FTC’s concerns. The plaintiffs accuse GoodRx of violating several privacy and consumer protection laws, including California’s Confidentiality of Medical Information Act (CMIA) and the California Consumer Legal Remedies Act. Additional claims cite unjust enrichment, negligence, and violations of privacy laws in New York and Illinois. The lawsuit also names Meta, Google, and Criteo as co-defendants, alleging they knowingly participated in or benefited from the unauthorized data sharing. These companies are seeking to have the claims against them dismissed.

The proposed $25 million settlement awaits approval from District Court Judge Araceli Martinez-Olguin. Individuals affected by the data-sharing practices can file claims to receive a portion of the settlement fund if approved. However, the distribution will occur after deducting attorneys’ fees, service awards, and other legal costs. Plaintiffs’ attorneys have requested $8.33 million, or one-third of the settlement amount, for their services.