Yes, GoodRx sent sensitive prescription data to Facebook and other third-party advertisers without explicit patient consent. Between 2020 and 2023, the company used automatic tracking pixels and software development kits (SDKs) embedded in its mobile app and website that silently collected information about prescription medications and health conditions users searched for, then transmitted that data directly to Facebook, Google, Criteo, Branch, and Twilio. A federal class action lawsuit filed in February 2023 alleges this violated consumer privacy rights, and GoodRx now faces a $32 million settlement—more than 21 times larger than the $1.5 million penalty the Federal Trade Commission imposed in February 2023 for the same violations.
Table of Contents
- How Did GoodRx Share Prescription Data Without Authorization?
- What Was the FTC’s Role and Why Is This Enforcement Action Historic?
- Why Were the Settlements Rejected and What Happens Next?
- Who Is Eligible to Claim and How Much Might Consumers Receive?
- What About Data Already Shared with Facebook, Google, and Criteo?
- What Does This Mean for Other Health and Pharmacy Apps?
- What Happens if the Settlement is Finally Approved?
How Did GoodRx Share Prescription Data Without Authorization?
GoodRx embedded “plug and play” tracking technology directly into its platform without prominently disclosing that health data would be shared with advertisers. When users searched for medications on the GoodRx app or website, the automatic tracking pixels and SDKs silently collected not just what drug they searched for, but also the prescription strength, dosage, and health conditions associated with that search. This data was then transmitted to Facebook’s Pixel, Google Analytics, and other advertising networks in real time.
For example, a user searching for “Zoloft 50mg for anxiety” would have that specific information sent to Facebook’s servers, where it could be used to target ads to that person or others with similar health profiles. The FTC found that GoodRx did not obtain express, informed consent for this data sharing and did not even adequately disclose it in the privacy policy. GoodRx claimed that users consented via general terms of service, but the FTC determined this was insufficient because the company obscured the fact that prescription data specifically—one of the most sensitive categories of health information protected under privacy law—was being shared with third-party ad networks. This distinction matters: privacy policies that vaguely mention “third-party services” are not the same as clearly telling a user that their specific medication and health condition data will be sold to Facebook for targeted advertising.
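A privacy or security team can check its own site for the leak pattern described above by capturing outbound requests during a test search and looking for the search terms in traffic to third-party hosts. The following is an added example, not code from GoodRx or the FTC; every host name, parameter name and request in it is constructed for illustration.

```javascript
// Added example: audit captured outbound requests for health terms sent off-site.
// All hosts, parameter names and requests below are constructed for illustration.
const FIRST_PARTY = "pharmacy.example";
const SENSITIVE_TERMS = ["zoloft", "50mg", "anxiety"]; // terms typed in the test search

const capturedRequests = [
  { url: "https://pharmacy.example/search?q=zoloft+50mg" },
  { url: "https://pixel.adnetwork.example/tr?ev=Search&dl=https%3A%2F%2Fpharmacy.example%2Fzoloft%3Fdosage%3D50mg" },
  { url: "https://sdk.analytics.example/v1/event", body: '{"event":"drug_view","condition":"Anxiety"}' },
  { url: "https://cdn.fonts.example/font.woff2" },
];

// Decode repeatedly so terms inside nested, URL-encoded page URLs are visible.
function fullyDecode(text) {
  let prev = text;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(prev.replace(/\+/g, " ")); } catch { return prev; }
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

// A host is third-party unless it is the site itself or one of its subdomains.
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Return one finding per (third-party host, location, sensitive term) match.
function findHealthLeaks(requests, firstParty, terms) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    if (!isThirdParty(u.hostname, firstParty)) continue;
    const haystacks = {
      url: fullyDecode(u.pathname + u.search).toLowerCase(),
      body: fullyDecode(req.body || "").toLowerCase(),
    };
    for (const [where, text] of Object.entries(haystacks)) {
      for (const term of terms) {
        if (text.includes(term)) findings.push({ host: u.hostname, where, term });
      }
    }
  }
  return findings;
}

console.log(findHealthLeaks(capturedRequests, FIRST_PARTY, SENSITIVE_TERMS));
```

The page-URL case matters in practice: a pixel that only reports "which page was viewed" still discloses the drug and dosage when those appear in the page address.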

What Was the FTC’s Role and Why Is This Enforcement Action Historic?
In February 2023, the Federal Trade Commission fined GoodRx $1.5 million for violating the Health Breach Notification Rule—a critical detail because this was the FTC’s first-ever enforcement action under that rule against a company for unauthorized health data disclosure. The Health Breach Notification Rule requires companies that collect health information to implement reasonable safeguards and report breaches promptly; GoodRx had done neither. The company had failed to report the unauthorized disclosures to the FTC and to affected consumers, meaning millions of people never learned that their medication searches and health data had been shared with advertisers. The FTC’s enforcement action established that “health data” includes prescription medications and health conditions users search for on digital platforms, not just data explicitly labeled as medical records.
However, the $1.5 million fine, while a historic enforcement action, represented only a fraction of the damages consumers claimed through the subsequent class action lawsuit. The FTC can impose penalties, but it cannot award compensation to individual victims. That’s why the class action litigation became critical—it was the mechanism for affected consumers to recover money for the unauthorized use of their sensitive health data. The fact that a federal judge has now rejected two proposed settlements (first at $25 million, then again at $32 million) suggests the courts believe consumers’ claims may be worth even more, or at least that the proposed settlements have not adequately accounted for the strength of those claims.
Why Were the Settlements Rejected and What Happens Next?
A federal judge in the Northern District of California, Judge Araceli Martinez-Olguin, rejected GoodRx’s first proposed settlement of $25 million in 2024, then rejected a revised $32 million settlement in January 2026. The judge’s primary criticism was that GoodRx and the plaintiffs’ attorneys had not provided detailed analysis of the strength of each claim—in other words, they hadn’t adequately justified why the settlement amount was fair given the seriousness of the privacy violations and the number of affected consumers. Federal courts take this seriously because settlements represent a trade-off: consumers give up the right to sue in exchange for a potential payout, so the judge must ensure the amount reasonably reflects what they might have won at trial. The settlement rejections mean the litigation is “back to the drawing board,” as one legal publication noted.
No settlement amount has been finalized, and the case continues in federal court. Meanwhile, GoodRx’s co-defendants—Meta Platforms (Facebook’s parent company), Google, and Criteo—remain in the litigation and are not party to any of the proposed settlements. This means those companies have not agreed to pay anything and continue defending themselves against claims that they received and used the health data knowingly. For consumers, the rejection of two settlements creates both risk and opportunity: there’s no guarantee a final settlement will be larger, but the judge’s skepticism suggests the courts believe the violations were serious enough to warrant additional scrutiny.

Who Is Eligible to Claim and How Much Might Consumers Receive?
The class action broadly includes anyone who used GoodRx to search for prescription information between 2020 and 2023 and whose data was shared with third-party advertisers. GoodRx has not disclosed the total number of affected users, but the company processes millions of pharmacy discount lookups annually, so the potential class is enormous. If a $32 million settlement is eventually approved (or negotiated upward), the per-person payout would depend on the total number of valid claims submitted. For comparison, in other health data breach class actions, individual consumers have received anywhere from $10 to $500 per person, depending on the settlement size and number of claimants.
To file a claim, consumers typically need to provide documentation that they used GoodRx during the relevant period and had their data shared. Since GoodRx collects this information internally, the company will likely provide a database to the settlement administrator, and consumers can claim by verifying their account or phone number. However, consumers should not wait passively—claims in class action settlements have filing deadlines, often 60 to 90 days from settlement approval notice, and claims submitted after the deadline are usually forfeited. If you believe you were affected, monitor the official settlement website (which will be announced once a settlement is approved) rather than relying on third-party claim processors or ads promising to help you file, as those can introduce delays or fraud.
What About Data Already Shared with Facebook, Google, and Criteo?
This is a critical limitation: even if GoodRx pays a settlement, the data that has already been transmitted to Facebook, Google, Criteo, Branch, and Twilio may not be deleted or purged from those companies’ systems. Those third parties received the data and may continue to use it for their own purposes (such as ad targeting or analytics) unless they are separately compelled by law to delete it. The GoodRx lawsuit does not automatically result in data deletion at Meta, Google, or other recipients.
In fact, Meta Platforms and Google have not agreed to any settlement terms and are actively defending the case, meaning they claim they either did not know the data was obtained without proper consent, or that their use of such data is permissible under their own terms of service. Additionally, even if the settlement is approved and GoodRx implements stronger privacy safeguards going forward, the company may argue that some data was still legally shared with advertisers under state privacy laws (such as CCPA in California) that permit opt-out data sales. This creates a gray area: GoodRx may owe consumers compensation for unauthorized disclosure under federal health privacy law, but federal courts have sometimes found that state privacy laws allow certain disclosures that health law does not. If you submitted a CCPA opt-out request to GoodRx, that provides stronger evidence of non-consent, but many users never knew such an option existed.

What Does This Mean for Other Health and Pharmacy Apps?
The GoodRx enforcement action and litigation have sent a clear signal to other health apps, pharmacy services, and telehealth platforms that the FTC and courts are now actively monitoring how prescription data is handled. Several other pharmacy discount services have been scrutinized in related investigations, and consumer privacy advocates have called for stronger regulatory oversight of health data sharing by non-medical digital platforms. While most legitimate pharmacy apps now include clearer consent prompts, smaller or less-resourced services may still use opaque tracking pixels similar to what GoodRx did, meaning the risk of unauthorized health data sharing remains.
This case also highlights a common consumer expectation gap: many users assume that “free” services like GoodRx make money by helping pharmacy transactions or offering advertising to pharmacies—but the company’s actual business model includes monetizing user data through targeted advertising. The FTC’s enforcement action essentially said that monetizing health data this way, without clear and explicit consent, is illegal. However, federal regulation of health apps remains fragmented across the FTC, state attorneys general, and specialized health privacy laws like HIPAA (which typically applies only to doctors and insurers, not apps).
What Happens if the Settlement is Finally Approved?
Once a settlement is approved by a judge—and it will be, eventually, as the parties cannot litigate indefinitely—GoodRx will be required to pay into a settlement fund, a claims administrator will be appointed to verify and process claims, and consumers will be able to submit documentation of their GoodRx use during the class period. Consumers should expect to receive payment within several months of submitting a claim, though the exact timeline depends on the settlement process and administrative efficiency. Some settlement agreements also include “cy pres” awards, where unclaimed settlement money is directed to charities or advocacy organizations working on health privacy or consumer protection.
For GoodRx itself, the settlement will likely include injunctive relief requiring the company to implement stronger data privacy practices, obtain explicit consent before sharing health data, and submit to third-party audits of its data-sharing practices for several years. These requirements are standard in FTC settlements and are designed to prevent recurrence. However, the co-defendants (Meta, Google, and Criteo) may face additional litigation unless they too reach settlements or are found not liable. The broader takeaway for consumers is that this case demonstrates that federal and state courts are taking unauthorized health data sharing seriously, and litigation in this area is likely to continue as digital health services expand and regulation catches up.
