Prescription coupon apps, like GoodRx or WellRx, provide patients with digital coupons to save money on prescription medications. But how well are they protecting your personal data? Because they handle sensitive data about prescriptions, which are directly linked to medical records, you might expect them to be subject to HIPAA privacy rules, but they are not. Generally, HIPAA is meant to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care, but it does not apply in all cases.
In the context of a post-Roe world, how could their weak privacy policies impact someone seeking birth control or abortion medication in an era where decisions around reproductive health care are being criminalized? While companies like GoodRx don’t cover the leading abortion medication Mifepristone, they do cover Misoprostol and birth control medications. We have reason to be concerned about their data sharing policies – last year, the FTC filed an enforcement action against GoodRx for failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies. Current U.S. privacy regulations – or the lack thereof – allow many companies to legally collect, share, and sell — in other words, broker — access to Americans’ health data.
We looked at three different coupon companies – GoodRx, WellRx, and SingleCare – to understand how they handle consumer data. Turns out, they are blatantly collecting and selling consumers’ personal information.
Most pharmacy coupon companies collect and share your data with third parties. GoodRx, for example, shares information with a variety of third-party services such as data warehouses, cloud computing providers, and credit card and payment processors, but they don’t specify for which purposes they share data with these third parties. They also collect a range of personal data – from commercial information like purchase and usage history, to “insurance information, demographic information, interest information” and personal identifiers. They use this data for a variety of purposes, ranging from personal communications with users to the stated aim “to advertise and market to you on websites, mobile applications, and third-party platforms.”
This data is also shared to enforce “legal rights.” WellRx’s policy states that they may “comply with a valid legal process, such as a subpoena, court order, or search warrant, or where there is a lawful request.” This is especially concerning in light of situations where a patient may be seeking abortion medication from an out-of-state pharmacy, and purchasing decisions are surveilled by law enforcement seeking to prosecute people seeking an abortion.
Sensitive data is also subject to targeted advertising. Pharmacy coupon companies collect hoards of sensitive personal information – from credit card information, to purchase history, to addresses. All of this information can be used to track and target users, serving them false or misleading advertising based on their prescription purchase histories. Some companies, like RxSaver (GoodRx), do not use your personal info for targeted ads; others, like GoodRx, explicitly share data with third parties for these purposes, using “technology from Google, Facebook, and others, to help us track, segment, and analyze usage of the Services, and to help us or those companies serve more targeted advertising on the Services and across the Internet.”
Information is aggregated and collected from other third parties. Some companies, like GoodRx, receive information from a range of other third parties about you – through referral links, healthcare professionals, health insurance plans, etc. They combine all of this data, creating dangerous profiles about individuals, which can paint a comprehensive picture about a person’s reproductive choices.
These companies are part of the surveillance advertising ecosystem. They profit from the collection and monetization of sensitive personal data – a practice that has myriad harms for consumers but is especially worrying in a post-Roe era when abortion has become criminalized. In some places, like Texas, private citizens can even pursue legal action if they have evidence of an abortion occurring. With anti-choice extremists threatening health care workers – and even abortion patients – the surveillance advertising business model provides a dangerous digital trail of evidence, data which should be private and protected. Much can and should be done to close this loophole, which is why Accountable Tech has called to ban surveillance advertising.