Constangy Cyber Advisor 

Privacy policies should no longer be boilerplate for organizations that handle consumer data. Although the policies may be viewed by some organizations as an unimportant “box to check,” they are increasingly being scrutinized in court and contrasted with the organizations’ actual privacy practices.

High-profile companies such as GoodRx, Yahoo, and Motorola have all faced these challenges recently. In Part One of this three-part series, we will look at the cases involving the three companies.

GoodRx: Privacy promises targeted in class action

GoodRx has a website and app that allow patients and health care providers to shop for the best prices for prescription medications and other medical products in specified geographical areas. As you probably suspect, this requires the users to enter the medications they want to purchase, the applicable geographical area, and, possibly, even information about their medical conditions. In other words, highly confidential information.

In 2023, a proposed class action was filed in California against GoodRx. The lawsuit alleges that various tech companies collected or intercepted user data without the consent of the users – which conflicted with the disclosures that GoodRx made in its privacy policy.

GoodRx filed a motion to dismiss the lawsuit at the earliest stage, and in July 2025 a federal judge ruled that most of the claims in the suit can move forward. According to the court, the plaintiffs have sufficiently alleged that GoodRx may have violated promises made in its privacy policy.

(It is important to note that at this early stage, the court is required to assume that all of the plaintiffs’ allegations in the lawsuit are true. Thus, the court’s denial of the motion to dismiss does not mean that the lawsuit allegations are actually true or that GoodRx will lose the case in the end.)

Yahoo: Deceptive business practices?

Similarly, in Caplan v. Yahoo, the plaintiffs allege that the company’s actual data tracking, collection, and sharing practices conflict with representations made in its privacy policy.

As with most privacy-related lawsuits, the plaintiffs allege a variety of claims, including invasion of privacy. But particularly problematic are claims alleging that Yahoo engages in deceptive business practices. The alleged “deception” is the difference between what Yahoo promises in the way of privacy versus what it (allegedly) actually does.

According to the plaintiff, Yahoo’s promises of privacy increase users’ expectation of privacy of their data.

Motorola: Stale cookies?

Finally, a federal court in California recently allowed most privacy-related claims against Motorola to proceed in a proposed class action lawsuit. As with GoodRx and Yahoo, the plaintiffs argued that the company’s data privacy practices failed to match its promises. According to the plaintiffs, the Motorola website had a pop-up “cookie consent” banner that offered the option for users to “Reject All [cookies].” The plaintiffs contend that the company nonetheless collected data from users who chose this option.   

Although the Motorola case involves a cookie banner rather than a privacy policy, the outcome was essentially the same: Corporate statements related to privacy gave plaintiffs some of the key leverage they needed to survive a motion to dismiss. As in the GoodRx case, the court assessed the plaintiffs’ allegations of improper data collection in contrast to the company’s written representations. The cookie policy language resulted in denial of the company’s motion to dismiss the lawsuit.

(As with the GoodRx ruling, the court’s denial of Motorola’s motion to dismiss does not necessarily mean that Motorola will lose the lawsuit.) 

Beware!

Privacy policies are no longer mere “background documents.” Instead, they are surfacing as evidence in lawsuits and playing a key role in shaping litigation outcomes, at least at the preliminary stages. Privacy-related policies and other documents that are publicly disseminated can also draw the initial attention of government regulators and provide support for further action. (In the case of GoodRx, its privacy practices were the subject of regulatory action by the Federal Trade Commission, which GoodRx settled, before the lawsuit was filed.)

Organizations should expect plaintiffs’ attorneys and regulators to examine every word in their privacy policies and how those policies are carried out as a matter of actual practice.

In Part Two of this series, we’ll explore how regulators are dissecting these same documents and the additional risks for businesses who rely on public-facing commitments to data privacy.

The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information, please contact us at cyber@constangy.com.