You don’t have to pay for shipping, and you’ll never be asked for a credit card or bank account number. You only need to give a name and shipping address. If you’d like an email confirmation and delivery updates from the U.S. Postal Service, you can submit your email address. Anyone who asks for more information than that is a scammer. So, remember:
Only go to COVIDtests.gov to order your free test kits from the federal government. When you click to order, you’ll be redirected to special.usps.com/testkits. If you’re following a link from a news story, double-check the URL that shows in your browser’s address bar.
No one will call, text, or email you from the federal government to ask for your information to “help” you order free kits. Don’t give out your credit card, bank account, or Social Security number. Do not respond. Instead, report it to the FTC at ReportFraud.ftc.gov.
The Federal Trade Commission has begun notifying people who may be entitled to compensation stemming from a settlement finalized in March 2023 with Epic Games over allegations that the Fortnite video game maker used dark patterns and other deceptive practices to trick players into making unwanted purchases.
In a complaint first announced in December 2022, the FTC alleged that Epic games deployed a variety of design tricks aimed at getting consumers of all ages to make unintended in-game purchases. The company also made it easy for children to rack up charges without parental consent and locked the accounts of consumers who disputed unauthorized charges with their credit card companies.
The money provided as part of the $245 million settlement with Epic Games will go to provide refunds to consumers. The FTC has begun the process of notifying more than 37 million people by email that they may be eligible for compensation, a process that will take one month to complete. Consumers will have until January 17, 2024 to submit a claim.
Information about how to file a claim can be found at www.ftc.gov/Fortnite. Consumers who have questions about the claims process can contact the administrator by phone at 1-833-915-0880 or by email at [email protected].
The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2022, Commission actions led to more than $392 million in refunds to consumers across the country.
GoodRx is a telehealth and prescription drug discount provider.
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.
In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.
According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:
Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.
Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.
Health Breach Notification Rule Violation
According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.
GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.
Proposed Order
In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:
Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.
The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. Commissioner Christine S. Wilson issued a concurring statement. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.
The lead staff attorney on the GoodRx matter was Ronnie Solomon of the FTC’s Bureau of Consumer Protection.
Company claimed its product could grow bone and cartilage, relieve joint pain
ZyCal Bioceuticals
The Federal Trade Commission today announced an order settling a 2020 federal lawsuit against defendants ZyCal Bioceuticals Healthcare Company, Inc. (ZyCal) and its president James J. Scaffidi, which charged them with deceptively claiming that their products grow bone and cartilage and relieve joint pain.
The order bars the ZyCal defendants from making these claims unless supported by randomized controlled clinical trials. It also bars them from providing anyone else with the means to make false or misleading claims. The FTC filed the orderin the U.S. District Court for the District of Massachusetts, and it must be approved and signed by a judge to become final.
“The Commission sued these defendants to halt bogus claims that their products grow bone and cartilage and relieve joint pain,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This settlement is an important reminder that health-related advertising claims require rigorous substantiation in the form of competent and reliable scientific evidence. Unfortunately, the Supreme Court decision in AMG Capital Management prevented us from obtaining refunds for consumers in this case. The Commission has urged Congress to enact legislation to restore the agency’s ability to obtain critical relief for consumers through federal court actions.”
The FTC’s February 2020 complaintalleged the ZyCal defendants marketed oral products containing the ingredient Cyplexinol, which they touted was a stem cell activator that could grow bone and cartilage in users and relieve joint pain, including for people with osteoporosis and osteoarthritis. They also claimed that these health benefits were clinically or scientifically proven. The ZyCal defendants marketed Cyplexinol products directly to consumers under the brand name Ostinol, and indirectly through health practitioners and third-party distributors.
The complaint further alleged that the ZyCal defendants supplied a company, Excellent Marketing Results, Inc. (EMR), with the means and instrumentalities to deceptively market a copycat Cyplexinol product called StimTein. While the Commission announced a settlement with the EMR defendants when the complaint was announced in early 2020, litigation continued against the ZyCal defendants. The consent order announced today resolves the agency’s complaint against ZyCal and Scaffidi.
The settlement bars the ZyCal defendants from making bone and cartilage growth and joint pain claims for any food, drug, or dietary supplement, unless they are not misleading and are substantiated by competent and reliable scientific evidence, including randomized clinical trials. It also prohibits them from making other health benefit claims for the same products unless they are supported by reliable scientific evidence.
Finally, the order prohibits the defendants from misrepresenting that bone and cartilage growth claims, pain claims, and related claims are clinically or scientifically proven; from misrepresenting the existence, contents, or results of any scientific test or study; and from providing anyone else with the means to make false or misleading statements. ZyCal also must send a notice of the settlement with the FTC to a number of consumers, health practitioners, and other purchasers who bought Cyplexinol products from the company on or after January 1, 2018.
The Commission vote approving the stipulated final order was 4-0. The staff attorney handling the case is Mary L. Johnson in the FTC’s Bureau of Consumer Protection.
NOTE: Stipulated final orders or injunctions have the force of law when approved and signed by the District Court judge.
