GoodRx agreed to pay $32 million to settle a class action lawsuit over unauthorized sharing of consumers’ prescription and health data with major tech companies like Meta, Google, and Criteo for targeted advertising purposes. This settlement represents a significant victory for privacy advocates, particularly because it was increased from an originally proposed $25 million deal that a federal court rejected in June 2025. Judge Araceli Martinez-Olguin found multiple deficiencies in the initial settlement, including inadequate fund size and problems with how the settlement class was defined, forcing GoodRx and plaintiffs back to the negotiating table.
Beyond the class action settlement, GoodRx was also required to pay $1.5 million in civil penalties to the Federal Trade Commission as part of a separate enforcement action and faces ongoing restrictions on its data sharing practices. The combined enforcement actions underscore how prescription and health data—information that should be among the most protected categories of personal information—was being weaponized for profit without meaningful consumer consent. For anyone who used GoodRx’s platform to look up prescription prices or obtain coupons, this settlement may entitle you to compensation.
Table of Contents
- How Did GoodRx Share Your Prescription and Health Data?
- Why Did the Original $25 Million Settlement Get Rejected?
- What Did the FTC Action Add to This Settlement?
- Who Can Claim from This Settlement and How Much Could You Receive?
- What Laws Did GoodRx Violate and Why Does That Matter?
- What Privacy Changes Is GoodRx Required to Make?
- What Does This Settlement Mean for Healthcare Privacy Broadly?
How Did GoodRx Share Your Prescription and Health Data?
GoodRx operates a popular online platform where millions of Americans search for prescription drug prices and find manufacturer coupons. What many users didn’t realize was that these searches for sensitive health information were being tracked and shared with advertising giants. When you searched for medications on GoodRx’s website, the company embedded tracking technologies that captured your prescription searches, extracted your personal health information from that behavior, and transmitted it to Meta Platforms (Facebook/Instagram), Google, and the ad technology company Criteo. These tech companies then used that health data to build advertising profiles and target you with customized ads across their platforms.
The data sharing wasn’t incidental or anonymized—it was systematic and highly identifying. When you searched for a specific medication like insulin, blood pressure medication, or psychiatric drugs, GoodRx’s trackers recorded that behavior and passed it downstream to advertisers. This allows Meta and Google to know your health conditions with startling precision, enabling them to target you with ads for competing pharmaceutical products, supplement companies, or health services based on your actual medical profile. Crucially, this data sharing occurred without explicit informed consent from users and raised serious questions about whether users could have reasonably anticipated their prescription searches would be weaponized for behavioral advertising.
Why Did the Original $25 Million Settlement Get Rejected?
In June 2025, U.S. District Judge Araceli Martinez-Olguin rejected the initially proposed $25 million settlement, finding it insufficient and inadequately structured to address the harms involved. The judge identified several critical problems: the settlement class definition didn’t clearly specify who was entitled to compensation, the scope of claims being released was too broad relative to the fund size, and the settlement provided no claim-by-claim payout analysis showing how individual plaintiffs would actually receive compensation.
Essentially, the court found that the proposed deal prioritized speed and affordability for GoodRx over actual compensation for harmed consumers. This rejection is important because it shows that courts are increasingly scrutinizing class action settlements involving privacy and health data to ensure they deliver real value to consumers rather than serving as cheap releases for defendants. The judge’s decision required the parties to substantially improve the settlement terms, which resulted in a $32 million agreement—a 28% increase. However, consumers should understand that even $32 million spread across millions of GoodRx users means individual payouts are unlikely to be substantial, highlighting the limitation that settlement funds often don’t meaningfully compensate for privacy violations when divided across large classes.
What Did the FTC Action Add to This Settlement?
The Federal Trade Commission conducted a parallel enforcement action against GoodRx, separate from the class action settlement, resulting in $1.5 million in civil penalties and strong injunctive relief. The FTC found that GoodRx’s practices violated the Health Breach Notification Rule and engaged in unfair and deceptive trade practices under Section 5 of the FTC Act. Beyond the financial penalty, the FTC order prohibited GoodRx from sharing sensitive health information for advertising purposes going forward and required the company to implement comprehensive privacy safeguards and regular audits of its data handling practices.
The FTC action is significant because regulatory enforcement and class action litigation work differently. The class action settlement compensates harmed consumers, while the FTC penalty focuses on deterring future violations and mandating compliance mechanisms. Together, the $32 million consumer settlement plus the $1.5 million FTC penalty create a combined $33.5 million enforcement outcome that sends a message: even dominant platforms in the healthcare technology space cannot treat consumer health data as a commodity for advertising revenue without facing serious legal and financial consequences. However, critics note that $1.5 million is relatively small for a company of GoodRx’s scale and market position, raising questions about whether penalties alone deter bad behavior.
Who Can Claim from This Settlement and How Much Could You Receive?
If you used GoodRx’s website or mobile app to search for or obtain information about prescription medications at any time during the class period (typically several years before the lawsuit was filed), you may be eligible for compensation from the settlement. However, the actual amount you receive depends on how many valid claims are submitted—the $32 million fund is divided among all qualifying claimants, so the more people who claim, the smaller each individual award becomes. Some settlements of this type result in per-person payments of $10 to $50, while others deliver more substantial compensation depending on claim volume.
To claim compensation, you’ll typically need to file a claim form with the settlement administrator, providing information about your GoodRx usage during the class period. Many settlements allow for “no-proof” claims where you simply attest that you used the service, though some may require proof like receipts or account records. The deadline to file claims is critical—missing it means forfeiting your right to compensation entirely, even if you’re eligible. Settlement notices should be sent to email addresses associated with GoodRx accounts, but they sometimes go to spam, so it’s worth proactively checking the settlement website once the court approves the final settlement agreement.
What Laws Did GoodRx Violate and Why Does That Matter?
The litigation against GoodRx alleged violations of multiple federal statutes, including the federal wiretapping laws (which prohibit unauthorized interception of electronic communications), state consumer protection laws, and broader privacy statutes. The core legal theory is that when GoodRx embedded tracking pixels and code on its website to capture prescription search data and transmit it to third parties without proper authorization, it was effectively “intercepting” sensitive health information in real time—similar to wiretapping in the digital context. This framing is important because it elevates the violation beyond ordinary data sharing into territory treated as serious criminal conduct.
A key limitation in these privacy cases is that the law hasn’t fully caught up to modern data practices. While the wiretapping statutes were written decades ago for telephone lines, courts have extended them to digital data transmission, but there remain significant gray areas about what constitutes illegal interception versus standard website analytics. Additionally, the terms of service that users accept when signing up for GoodRx often include language permitting data collection and sharing, which tech companies argue provides legal cover. However, the GoodRx case and similar settlements suggest courts and regulators believe that consent obtained through generic fine-print language about “data partners” and “advertising” isn’t meaningful informed consent when it comes to highly sensitive health information.
What Privacy Changes Is GoodRx Required to Make?
As part of the settlement and FTC order, GoodRx must implement enhanced privacy controls, including explicit notice to users about data sharing practices, opportunities to opt out of certain data transfers, and regular privacy audits by independent third parties. The company must also designate a chief privacy officer responsible for compliance and establish procedures for responding to consumer privacy inquiries. These requirements acknowledge that preventing future violations requires structural organizational changes, not just financial penalties.
In practice, these reforms mean GoodRx users should see clearer disclosures about where their data goes and have better tools to control how their prescription searches are used. However, the limitation is that these requirements primarily benefit future users; they don’t undo past privacy violations or provide additional compensation to people already harmed. Additionally, enforcement of these ongoing obligations depends on the FTC’s ability to monitor compliance, which is resource-constrained.
What Does This Settlement Mean for Healthcare Privacy Broadly?
The GoodRx enforcement actions are part of a broader pattern of regulatory attention to how tech companies and digital health platforms handle sensitive health information. The FTC has become increasingly aggressive about challenging claims that companies are providing free services when the actual payment is in the form of users’ data being monetized for advertising. This settlement sends a signal that the healthcare vertical—where data involves medication, illness, and health conditions—will receive heightened scrutiny compared to other types of personal data.
Moving forward, consumers should expect that digital health platforms and pharmacy discount services will face growing pressure to minimize third-party data sharing and provide more strong privacy controls. However, the business model of many free-to-consumers health platforms fundamentally relies on monetizing user data, so meaningful change may require either regulatory prohibition of certain practices or significant user migration to privacy-focused alternatives. The GoodRx case demonstrates that litigation and enforcement actions can impose costs on bad actors, but systemic privacy protection likely requires going beyond settlements to regulatory reform that fundamentally restricts how health data can be monetized.
You Might Also Like
- Marriott Starwood $52 Million Data Breach Settlement
- BetterHelp $7.8 Million FTC Privacy Settlement
- Motel 6 Guest Data Sharing ICE Class Action Settlement
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: