• by Wendy Davis  @wendyndavis, March 13, 2012

Microsoft has updated its privacy policy to specify that it serves health-related ads to users based on their Web activity, including whether they have visited sites with information about conditions like diabetes, cholesterol or osteoporosis.

"Microsoft personalizes ads on many different segments, including those that are health-related," the company says on a new page about health-related targeting. Microsoft adds that the health-related segments it currently uses include "allergy researchers," "cholesterol researchers" and "diabetes researchers."

A Microsoft spokesperson said the company added that information to its privacy policy on Feb. 28 in order to comply with a new health transparency policy of the self-regulatory group Network Advertising Initiative. The NAI last year said it would require members to disclose behavioral-advertising segments based on any activity related to health or medical issues. The organization intends to start enforcing that policy this year, says executive director Marc Groman.

Microsoft might be the latest company to disclose that it allows behavioral targeting based on health information, but it's hardly the only one to do so.

Yahoo discloses on its Web site that it allows companies to target users based on categories including hypertension, blood sugar management and arthritis. AOL also reveals on its site that standard categories include asthma, blood pressure and infections. In yet another example, AudienceScience revised its privacy policy last August to specify that it "may use health related segments, such as Cholesterol and Dental, Oral Care."

But privacy advocates have long argued that transparency isn't enough when it comes to targeting people based on medical issues. Instead, that type of targeting should require users' explicit consent, advocates say. "If people start seeing online ads from third-party ad networks targeted to medical 'research,' they may be deterred from similar research in the future, which would be a terrible result," says Justin Brookman, director for consumer privacy at the digital rights group Center for Democracy & Technology.

Self-regulatory principles of both the NAI and the Digital Advertising Alliance generally allow companies to target Web users based on health information on an opt-out basis, although the groups say that opt-in consent should be required in some situations. The DAA's principles call for opt-in consent before collecting "pharmaceutical prescriptions or medical records related to a specific individual.”

The NAI says that opt-in consent is required for health-related targeting based on "precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic and family medical history."

But ad networks have a lot of leeway in deciding how to interpret that principle.

"Other than to make clear to members that some health conditions, such as cancer, mental health-related conditions, and sexual health-related conditions, are 'precise' conditions that would require opt-in consent, the NAI has not developed an extensive blacklist of every condition that it considers to be 'precise,'" Groman says.

He adds that the group's new policy, which requires members to disclose that they engage in health-related targeting, will help the NAI determine whether they are targeting people based on sensitive data. "NAI staff looks not only at the name of the segment, but at the nature of the condition to which the segment relates, including, among other things, the seriousness of the condition, its prevalence, whether the condition is something that an average user would consider to be embarrassing, whether it is treated by OTC or prescription medications, and whether the condition can be treated by modifications in lifestyle as opposed to medical intervention."

Groman says that the NAI intends to explore the issue this year as part of comprehensive code revisions. "Unlike more concrete examples of sensitive data, such as a Social Security number or financial account number, this category inherently has shades of grey."