GoodRx, the popular prescription drug discount platform used by millions of Americans, has been hit with class action litigation alleging the company secretly shared sensitive prescription and health data with third parties including Facebook and Google through tracking pixels embedded on its website and mobile app. The lawsuits claim that when users searched for medication prices, filled prescriptions, or browsed health-related content on GoodRx, that activity was transmitted to advertising giants without users’ knowledge or meaningful consent, potentially violating federal and state privacy laws. The Federal Trade Commission also took action against GoodRx, resulting in a proposed order that prohibited the company from sharing user health data with advertising platforms going forward.
For consumers who used GoodRx and are concerned about their prescription data being shared, this situation represents one of the most significant health data privacy enforcement actions in recent years. The GoodRx case is particularly notable because it was the first time the FTC used the Health Breach Notification Rule against a company, signaling a broader crackdown on digital health platforms that monetize user data through advertising technology. If you used GoodRx’s website or app to look up drug prices, refill prescriptions, or manage your health information, you may want to understand what happened and what your options are.
Table of Contents
- What Prescription Data Did GoodRx Allegedly Share With Facebook and Google Through Tracking Pixels?
- How the FTC Enforcement Action Changed the Landscape for Health Data Privacy
- The Private Class Action Lawsuits and What They Seek for Affected Users
- How to Determine If You Are Eligible and What Steps to Take Now
- The Broader Problem of Tracking Pixels on Health Websites
- State Privacy Laws Are Filling the Gap That HIPAA Leaves Open
- What the GoodRx Case Means for the Future of Health Data Privacy
- Frequently Asked Questions
What Prescription Data Did GoodRx Allegedly Share With Facebook and Google Through Tracking Pixels?
According to the FTC’s complaint and related class action lawsuits, GoodRx embedded tracking pixels and software development kits from Facebook (now Meta), Google, and other advertising companies directly into its website and mobile application. These pixels are small pieces of code that, once loaded, can transmit detailed information about a user’s activity back to the advertising platform. In the case of GoodRx, this allegedly included the names of medications users searched for, whether they purchased prescription discount coupons, pharmacy preferences, and in some cases information that could be linked to specific health conditions. For example, if a user visited GoodRx to compare prices on a medication commonly used to treat HIV, diabetes, or a mental health condition, that browsing activity could be packaged up and sent to Facebook’s advertising infrastructure.
Facebook could then use that data to build advertising profiles, serve targeted ads, or include those users in custom audience segments. The complaint alleged that GoodRx had been engaging in this practice since at least 2017, affecting potentially millions of users who had no idea their sensitive health browsing was being funneled to social media companies. What makes this especially troubling is that GoodRx’s privacy policy historically told users it would never share personal health information with advertisers. The FTC found this promise to be deceptive. The disconnect between what users were told and what was actually happening with their data formed the core of both the regulatory action and the private class action claims.

How the FTC Enforcement Action Changed the Landscape for Health Data Privacy
The FTC’s action against GoodRx, announced in early 2023, resulted in a proposed consent order that carried a $1.5 million civil penalty and imposed significant restrictions on the company’s data practices going forward. GoodRx was prohibited from sharing health data with advertising platforms, required to instruct third parties to delete previously shared health data, and mandated to implement a comprehensive privacy program. The company was also required to notify affected users about the data sharing. However, consumer advocates noted that the $1.5 million penalty was relatively modest for a company of GoodRx’s size, which has reported hundreds of millions of dollars in annual revenue.
The fine amounted to a fraction of the profits the company may have derived from the data-sharing practices. Critics argued the penalty was not large enough to serve as a meaningful deterrent to other digital health companies engaged in similar practices. If you are expecting a large individual payout from the FTC action alone, it is worth understanding that FTC enforcement actions do not always result in direct consumer restitution in the same way that class action settlements can. The more significant impact may be the precedent the case set. By invoking the Health Breach Notification Rule, which had never been used in an enforcement action before, the FTC signaled that companies handling health data outside of HIPAA’s traditional scope are still subject to federal oversight. GoodRx is not a covered entity under HIPAA because it is not a healthcare provider, insurer, or clearinghouse, but the FTC made clear that health-adjacent tech companies cannot freely monetize sensitive data simply because they fall outside HIPAA’s narrow definitions.
The Private Class Action Lawsuits and What They Seek for Affected Users
Separate from the FTC’s enforcement action, private plaintiffs filed class action lawsuits against GoodRx in federal court. These cases allege violations of various state consumer protection statutes, the California Confidentiality of Medical Information Act, the federal Electronic Communications Privacy Act, and common law privacy torts. The lawsuits seek monetary damages, injunctive relief, and attorneys’ fees on behalf of classes of GoodRx users whose data was allegedly shared without proper consent. One of the key cases was filed in the Northern District of California, where plaintiffs argued that GoodRx’s conduct was particularly egregious because the company actively marketed itself as a trusted steward of health information.
Users signed up and provided sensitive health data specifically because they believed it would remain private. The complaint details how GoodRx allegedly used Facebook’s tracking pixel to create “lookalike audiences,” essentially using its users’ health data to help Facebook find similar people to target with GoodRx advertising. As of recent reports, the litigation has been proceeding through the courts, though the exact status of any settlement negotiations or trial dates may have changed. Consumers who believe they were affected should monitor court filings directly or check for any settlement website that may be established if the parties reach a resolution. It is not uncommon for cases of this magnitude to take several years to fully resolve, and any settlement would need court approval before payments are distributed.

How to Determine If You Are Eligible and What Steps to Take Now
If you created a GoodRx account, used the GoodRx website or mobile app to search for prescription drug prices, or used a GoodRx coupon at a pharmacy, you may be a potential class member in the litigation. Eligibility typically depends on the specific time period covered by the lawsuit and whether your data was among the data allegedly shared with third-party advertising platforms. The FTC’s own notification requirement meant that GoodRx was obligated to contact affected users, so check your email, including spam folders, for any notices from the company.
There is an important tradeoff to understand when it comes to class action participation versus individual legal claims. Class action settlements typically provide modest per-person payments but require minimal effort from participants. If the privacy violation caused you specific, demonstrable harm, such as targeted advertising that revealed a medical condition to family members or coworkers, or identity-related issues tied to the data exposure, you might have grounds for a stronger individual claim, though pursuing one requires more time, effort, and legal expense. Most consumers will find that participating in any class settlement, if one is reached, is the more practical path.
In the meantime, review your GoodRx account settings and consider whether you want to continue using the platform. GoodRx has stated that it has ceased sharing health data with advertising platforms and has made changes to its privacy practices. Whether those changes are sufficient is a judgment each user must make individually. You can also request deletion of your account data directly from GoodRx.
The Broader Problem of Tracking Pixels on Health Websites
The GoodRx case is not an isolated incident. Investigations have found tracking pixels from Meta, Google, and other ad-tech companies on a wide range of health-related websites, including hospital systems, telehealth platforms, and mental health apps. In some cases, these pixels transmitted sensitive information such as appointment details, symptom checker responses, and even data entered into patient portal login pages. The fundamental problem is that tracking pixels are designed to be easy to install and often transmit data by default unless carefully configured to exclude sensitive fields. A critical limitation to understand is that even when companies remove tracking pixels after being caught, the data that was previously transmitted cannot be fully recalled.
Facebook and Google’s data retention policies, internal data processing pipelines, and the downstream uses of that data within machine learning models make it functionally impossible to guarantee that all traces of improperly shared health data have been eliminated. The FTC’s order requiring GoodRx to instruct third parties to delete the data is a step, but enforcement of deletion across complex advertising ecosystems is inherently difficult to verify. Consumers should be aware that using any health-related website or app creates potential exposure to this type of data sharing. Browser extensions that block tracking scripts, using privacy-focused browsers, and declining unnecessary cookies can reduce but not eliminate the risk. The most sensitive health searches might warrant extra caution, such as using a browser’s private or incognito mode, though even this is not a complete safeguard against all tracking mechanisms.
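For site operators, the default-transmission problem described above can be checked by auditing the requests a page actually sends. The following is an added example, not code from the original article or from any company it names: it scans a captured list of outbound requests for third-party destinations whose parameters carry health-related terms. The hosts, parameter names, term list, and sample requests are all constructed for illustration.

```javascript
// Added example: audit captured outbound requests for health terms leaving the site.
// All hosts, parameter names, URLs and terms below are constructed for illustration.
const FIRST_PARTY = "pharmacy-prices.example";
const SENSITIVE_TERMS = ["metformin", "sertraline", "insulin", "coupon"];

// Constructed sample: what a devtools/HAR export of one page load might contain.
const capturedRequests = [
  "https://pharmacy-prices.example/api/prices?drug=metformin",
  "https://pixel.adnetwork.example/tr?ev=PageView&dl=https%3A%2F%2Fpharmacy-prices.example%2Fmetformin%2Fcoupon",
  "https://cdn.fonts.example/css?family=Inter",
  "https://analytics.example/collect?t=event&ea=search&el=Sertraline%2050mg",
];

function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Decode repeatedly: a page URL nested inside a parameter may be encoded more than once.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current.toLowerCase();
}

// Return one finding per third-party parameter that carries a sensitive term.
function findLeaks(requests) {
  const findings = [];
  for (const raw of requests) {
    const url = new URL(raw);
    if (!isThirdParty(url.hostname)) continue; // first-party traffic is expected
    for (const [param, value] of url.searchParams) {
      const decoded = fullyDecode(value);
      const terms = SENSITIVE_TERMS.filter((t) => decoded.includes(t));
      if (terms.length) findings.push({ host: url.hostname, param, terms });
    }
  }
  return findings;
}

console.log(findLeaks(capturedRequests));
```

Note that the page URL itself is the leak in the second sample request: a pixel that reports the current address by default discloses the medication name whenever it appears in the path.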

State Privacy Laws Are Filling the Gap That HIPAA Leaves Open
Because HIPAA only applies to covered entities like doctors, hospitals, and insurance companies, a large swath of health-related technology falls outside its protections. GoodRx, period-tracking apps, mental health platforms, and genetic testing services all handle deeply personal health information but are not subject to HIPAA’s rules. States have begun stepping in to fill this gap.
Washington State passed the My Health My Data Act, and other states including Connecticut, Nevada, and Oregon have enacted or proposed health data privacy legislation that goes beyond HIPAA’s reach. For consumers, this means your legal protections depend significantly on where you live. A GoodRx user in California, for instance, has stronger privacy rights under the California Consumer Privacy Act and the Confidentiality of Medical Information Act than a user in a state with no equivalent legislation. This patchwork of protections is one reason why federal comprehensive privacy legislation continues to be debated in Congress, though no bill has yet been enacted into law.
What the GoodRx Case Means for the Future of Health Data Privacy
The GoodRx enforcement action and class action litigation mark a turning point in how regulators and courts treat digital health platforms that monetize user data. The FTC has signaled that it will continue to pursue companies that share health information with advertising platforms, and the agency has since taken similar actions against other telehealth and health app companies. This trend suggests that the GoodRx case was not a one-off but the beginning of sustained regulatory attention to the health data practices of technology companies.
For consumers, the long-term takeaway is that the privacy policies of health-related apps and websites deserve closer scrutiny than most people give them. The era of assuming that health information shared with a digital platform stays private is over. Going forward, expect more enforcement actions, more class action litigation, and ideally stronger legal protections at both the state and federal level. In the meantime, staying informed about pending settlements and claim deadlines is the most practical step for anyone who used GoodRx during the relevant time period.
Frequently Asked Questions
Do I need to do anything right now if I used GoodRx?
At this time, monitor your email for any official settlement notices from GoodRx or a court-appointed settlement administrator. If a class action settlement is approved, there will be a specific claim filing deadline and process. You do not need to take immediate legal action, but you should avoid discarding any communications from GoodRx related to the privacy matter.
Is GoodRx still sharing my prescription data with Facebook and Google?
According to GoodRx and the terms of the FTC consent order, the company has stopped sharing health data with advertising platforms and has made changes to its privacy practices. However, independent verification of these changes is limited, and past data that was already transmitted may still exist in third-party systems.
Does HIPAA protect my GoodRx data?
No. GoodRx is not a covered entity under HIPAA because it is not a healthcare provider, health insurer, or healthcare clearinghouse. This is exactly the gap that the FTC’s action and state privacy laws are attempting to address. Your prescriptions filled through a pharmacy are protected by HIPAA, but your activity on GoodRx’s platform historically was not.
How much money could I receive from a class action settlement?
It is too early to say. If the private class action lawsuits result in a settlement, individual payments will depend on the total settlement fund, the number of claimants, and how the distribution plan is structured. Health data privacy settlements have varied widely in recent years, and no approved settlement amount has been publicly confirmed in the GoodRx class action as of recent reports.
Can I opt out of the class action and sue GoodRx individually?
If a class action settlement is reached and you receive notice, you will typically have the option to opt out and pursue your own legal claims. This may be worthwhile if you suffered specific, demonstrable harm from the data sharing, but individual litigation is more expensive and time-consuming. Consulting with a privacy attorney can help you evaluate whether an individual claim makes sense in your situation.
