We believe searching for health information should stay a private matter
A stressed patient goes online searching for a coupon for their expensive medication. A soon-to-be parent opens an app on her phone to track her ovulation. A young person types, “I think I need a therapist” into a search bar and finds a site for online counseling. None of these hypothetical people expect their sensitive data to be shared for marketing. Unfortunately, a variety of loopholes in health privacy law allow for the possibility of companies sharing sensitive consumer data. In the past few years, new state laws have attempted to add extra protections for sensitive consumer data.
We built bots to investigate health sites
After Consumer Reports published the 2022 story “I Said No to Online Cookies. Websites Tracked Me Anyway” in partnership with privacy company Boltive, our team decided to investigate whether these new laws have helped curb data sharing on health-related websites. We use Boltive’s Privacy Guard tool to create consumer persona bots that visited ten sites looking for help with addiction treatment, sexual issues, disability aids, and other health needs. Some of the bots used cookie tools or webforms to opt out of data sharing. Some of the bots did the opposite, opting in to data collection. The bots then continued with everyday browsing.
We collected and examined site cookies, advertising content, metadata, and privacy policies for evidence of collection and sharing to answer the research questions: Are health websites sharing personal or sensitive data? Do consumers have the ability to control this sharing? Do new state privacy laws seem to protect sensitive data in practice?
We were concerned about possible sharing from health sites
Out of the ten sites we checked, nine of them raised a red flag when it comes to consumer privacy. Some of the sites collected data that might be considered sensitive under new state laws. However, we found that due to ambiguity and exceptions in the laws, it is often unclear which laws apply to which businesses and data. For example, we sometimes don’t know if a law applies to a site because many state privacy laws only cover companies that collect or sell data from a large, specific number of consumers. In the full report, we do a deep-dive into three case studies we examined: an asthma medication site, a personalized vitamin retailer, and a regional treatment center for teens.
We were concerned to find technical issues and confusing privacy information on several sites. Some of the sites that offered cookie and sharing controls seemed to have technical issues that prevented our bots from limiting cookies related to interest-based advertising. Two sites said in their privacy policy that they do not sell or share covered data, but both seemed to allow third-party marketing cookies; sharing marketing information via cookies might legally be considered a sale in some states.
We hope to protect consumers by changing company culture and refining policy
On the whole, it seemed that despite new health privacy protections in state laws, many health-related sites we examined shared data with third parties, often without easy-to-use controls. While we can’t know exactly what data was shared and for what purpose, we’re still disappointed that these wellness sites seemed to default to sharing. Despite these concerns, we’re hopeful for improvement. Even during the process of conducting this research, we saw an increase in attention and privacy enforcement related to sensitive data. (We even had to re-write sections of the report as new cases were released!).
Our report ends with short recommendations for policymakers and businesses. We encourage policymakers to focus on data minimization for sensitive data, to define “sensitive” in a way that matches consumer expectations, to make sure any rules that require consent are practical, and to throw businesses a bone by helping with education on the complex laws. But no matter how complex, businesses are still beholden to protect consumers by minimizing third-party sharing, keeping an eye on the vendors they hire, and auditing their technical opt-out tools.