Popular health websites are sharing sensitive data—relating to medical symptoms, diagnoses and drug names—with companies including Google, Amazon, Facebook and Oracle, and ad brokers including Scorecard and Open X, according to a report in the Financial Times.
Using open-source tools, the newspaper analysed 100 health sites—including WebMD, Healthline, BabyCentre and Bupa—and found that 79% of them dropped cookies that allow other parties to track people around the web. This is being done without legal consent.
ISBA director-general Phil Smith pointed out that the European Union's General Data Protection Regulation is unambiguous around the "need for explicit consent for the sharing of ‘special category data’". He added: "We expect advertisers to investigate the FT’s claims thoroughly and take remedial action if required. We stand ready to offer further guidance to members as needed."
IPA director of legal and public affairs Richard Lindsay described the FT allegations as "concerning".
The FT report found that Google’s ad arm, DoubleClick, was the most common destination for the data "by far" according to the FT, showing up on 78% of tested sites, followed by Amazon (48%), Facebook, Microsoft and adtech company AppNexus.
This data-sharing differs from that of data used to optimise web performance by site publishers themselves, where consent is given. The FT reporters who consented to privacy policies were not told that sensitive information would be shared with third parties for any reason.
For instance, drug names entered into Drugs.com were sent to DoubleClick, symptoms typed into WebMD were shared with Facebook, menstrual and ovulation information from BabyCentre was delivered to Amazon and terms such as "heart disease" and "considering abortion" were shared by sites including the British Heart Foundation, Bupa and Healthline.
GDPR makes it illegal to share most sensitive data without explicit consent, whereby users agree to "special category" data-sharing. None of the sites that the FT investigated requested this consent.
Lindsay noted that the Information Commissioner's Office "called out the use of special category data without the explicit consent of the individual". He continued: "As the FT report explains, special category data merits enhanced protection because it is, by its very nature, sensitive. The use of people’s health information without their consent should certainly raise alarm bells."
In response, Google told the FT that it did not "build advertising profiles from sensitive data... and has strict policies preventing advertisers from using such data to target ads". It said that the sites investigated by the newspaper had been marked "sensitive" internally and that information gleaned was excluded from the databases used for personalised advertising.
Google did admit that its technology might be used to serve contextual ads based on page content, but not user information. The company said that a publisher might choose to share information on visitors’ last periods in the URL but that its systems would not understand what the data represented, nor would they use it to create user profiles.
Facebook was unable to confirm what it did with the information. A spokesman told the FT: "We don’t want websites sharing people’s personal health information with us—it’s a violation of our rules and we enforce against sites we find doing this. We’re conducting an investigation and will take action against those sites in violation of our terms."
Amazon insisted it did not use the data to "inform advertising audience segments" but did not say what it did with the information.
Meanwhile, publishers did not give details as to why the data was being shared or what would be done with it once it was sent to the platforms.
The FT article has gathered responses from some of those that responded. Bupa, for example, told the publication: "Advertising cookies are used on our site, but we have set them so that no personal data about visitors to our website, including our health information pages, is passed on to third parties.
"Unique IDs are shared with some third parties in order to measure website performance and engagement. This is anonymised data and is not personally identifiable. No health information of visitors to our website is shared with third parties."
The British Heart Foundation said that its data capture via cookies was "pseudonymised" and did not "directly identify individuals". It added: "We don’t sell data and we don’t share sensitive personal data on areas such as ethnic origin and health that could directly identify people."
Smith referred advertisers to ISBA's own guidance. He said: "ISBA, with Bristows, published a comprehensive suite of guidance notes for its members in 2018 and has run seminars and webinars covering the subject."
Lindsay added: "The IPA has been working with agencies on the points addressed in the ICO’s report and GDPR compliance is, of course, critical to a vibrant, successful, online advertising industry."