
GoodRx has stopped sending data about users’ prescriptions to Facebook, and is rolling out new tools to give consumers a measure of control over the company’s handling of personal information.

The changes come after a Consumer Reports investigation found GoodRx sharing its customers’ data with more than 20 third-party companies. Facebook, Google, and a company called Braze received the names of medications users researched, along with unique ID numbers used by advertisers and data companies to track individuals—a practice that alarmed doctors and GoodRx users we contacted during our investigation.

GoodRx and the other companies involved all said this prescription information isn't used for selling ads. 

In addition to ending the practice of sending personal health information to Facebook, the company has introduced controls for deleting data collected by GoodRx and opting out of all cookies and tracking, including any tracking being done by third parties on the GoodRx platform. The new California Consumer Privacy Act, or CCPA, provides California residents the right to tell companies to delete their data, along with other protections, and GoodRx says it is extending the same rights to people across the United States.

The company also appointed a vice president of data privacy, charged with overseeing the company's privacy practices, and says it has audited its agreements with the third-party service providers that process user data.

In a press release, GoodRx credited CR’s investigation as the impetus for the changes. “In the course of our review, we found that in the case of Facebook advertising, we were not living up to our own standards. For this we are truly sorry, and we will do better,” GoodRx said.

Bill Fitzgerald, a privacy researcher in the Consumer Reports Digital Lab who led the original investigation, reexamined GoodRx after the company announced its updates. In the new testing, Fitzgerald did not observe any information being sent to Facebook.

GoodRx users can ask for their data to be deleted using a form on the company’s website. Users can opt out of tracking, which GoodRx says will stop any data sharing with third parties such as Facebook and Google, by using the “Cookie Preferences” button at the bottom of any page on GoodRx.com. The company says it will make this opt-out available in the mobile app “soon.”

However, consumers need to take additional steps to get a handle on data GoodRx has already sent to other companies. In some cases, there may be nothing you can do to delete the information.  

According to a company spokeswoman, when people ask GoodRx to delete their data, it will be deleted from Braze as well. However, you'll need to go to Facebook to do anything to control GoodRx data that's already been sent to the social media giant. GoodRx recommends Facebook's new "Clear History" tool—but keep in mind that clearing your history doesn't actually delete any data; it just disconnects it from your Facebook account. GoodRx did not offer a solution for users who want to delete data the company has sent to Google.

Like most businesses with an internet presence, including Consumer Reports, GoodRx relies on third-party companies for some processing of user information for specific services that are difficult to perform in-house. However, privacy experts and health practitioners CR consulted say the standards should be higher when personal health data is involved.

GoodRx says it shares health information with Braze for email and text reminder services, which consumers can opt in to voluntarily. GoodRx says it works with Facebook and Google for advertising and analytics purposes. 

However, GoodRx says its users' health data is never used for advertising, and its agreements with its service providers prevent those companies from sharing the data or using it for other purposes. Spokespeople for Braze, Facebook, and Google all gave Consumer Reports similar assurances. 

You might assume that health information like the medications you take has legal protections, but that's only true in limited circumstances. The Health Insurance Portability and Accountability Act, better known as HIPAA, restricts how doctors and insurance companies can process and share health data, but “direct-to-consumer” health companies like GoodRx are essentially unregulated.

As a result, when consumers sign up for health and fitness apps, they’re often unwittingly entering data sharing relationships with companies they’ve never heard of for purposes they may not like.

“This episode highlights the fact that consumers need their right to data privacy clearly enshrined in a strong federal law. Consumers should not have to rely on individual businesses like GoodRx to step up and do the right thing,” says Dena Mendelsohn, a senior policy counsel for Consumer Reports.