New state privacy laws and recent Federal Trade Commission moves should spur all companies involved in digital advertising -- including agencies, brands and ad-tech businesses -- to take a close look at how they handle information related to consumers' health, according to the self-regulatory privacy group Network Advertising Initiative.
“'Health' information is no longer just about prescription records and medical diagnoses issued by doctors,” the organization says in a report released Wednesday. “It now represents a broad swath of data such as browsing history, purchase data, and location information that relates to a consumer’s health status.”
“Additionally, inferences represent a key element of the expanding approach to sensitive personal information, including instances where non-health information can be used to reveal an individual’s mental or physical health condition or diagnosis,” the self-regulatory group writes in the report, which analyzes new state privacy laws as well as recent Federal Trade Commission enforcement actions against companies like drug discounter GoodRx and therapy app BetterHelp.
In recent years, 12 states have passed comprehensive privacy laws -- and three states, including Washington, have passed privacy statutes that relate specifically to health data. Some of those efforts, including Washington state's, were spurred by the Supreme Court's decision in Dobbs v. Jackson Women’s Health Clinic, which allowed states to criminalize abortion.
The new laws and FTC actions reflect a sweeping definition of “sensitive health data” that could require advertising companies to revise their approach to any information relating to health, the organization says.
“In light of recent changes, commonly employed uses of data and business practices that have traditionally been considered non-sensitive may now require heightened consumer notice and consent, or may be off limits altogether,” the report states.
The group added in a statement accompanying the report that agencies, brands and ad-tech companies should “assess the potential applicability of rules governing the collection, disclosure and receipt of sensitive health information to their own organizations.”
“Entities on both sides of a data transaction may face potential liability,” the organization stated. “In light of new laws and regulations’ increased focus on inferences drawn from consumers’ personal information, what may not have traditionally been considered sensitive health data has the potential to reveal sensitive attributes about consumers' health, according to enforcement agencies.”
The self-regulatory group also warns in the report that the use of analytics and tracking technology on health sites could trigger scrutiny.
“Common technologies used regularly to facilitate targeted advertising and analytics have been the subject of multiple administrative efforts and enforcement actions over the course of the last 18 months,” the report states, citing FTC complaints against GoodRx and BetterHelp.
In both of those cases, the FTC alleged that tracking pixels enabled GoodRx and BetterHelp to share information about consumers' health with Facebook, Google and other outside companies.
“Entities operating pixels on third-party sites should pay careful attention to the content of the webpages they serve, particularly taking stock of when consumer activity could indicate a mental or physical health condition or otherwise relate to an individual’s health,” the report recommends.
The organization makes several other recommendations, including that companies collecting, sharing or receiving sensitive health information obtain consumers' affirmative express consent.
Another recommendation is to provide consumers with all material information about the use of sensitive health data, and to treat that data in accordance with those representations.
The Network Advertising Initiative's self-regulatory code directs member companies to treat inferences about sensitive health or medical conditions as “sensitive information” -- meaning companies can't collect or use that information for ad targeting without consumers' opt-in consent.