Information about our health is supposed to be sacred, but the internet has basically thrown that tenet of society out the window.
A new report from the Financial Times has found that consumer medical websites share a vast amount of data with internet advertisers like Google, Facebook, and others. The report specifically looked at UK websites, and there is no concrete indication that this is the case for the U.S. However, what it shows about health data’s place in the advertising information ecosystem is telling no matter the country: When you search websites like WebMD, advertisers know about it and can use that data to build upon what they know about you, and sell you things.
To which we say: duh. Anyone who doesn’t think advertisers are watching your every move online hasn’t been paying attention. In our ad-driven, data-sucking digital universe, why would your WebMD visits be any different?
The types of information advertisers learn about are physical symptoms you could be experiencing, women’s health information like menstruation or pregnancy, or prescriptions you’re taking. The FT report specifically ties WebMD search queries to Facebook: When you visit WebMD and enter your stuffy nose and sore throat into its “symptom finder,” and then get a diagnosis (it’s lupus!), Facebook, thanks to a data-sharing agreement, knows about it.
That could be troubling purely on privacy grounds, but also because the data could be used as part of discriminatory marketing campaigns. For example, if these health searches reveal that you have a disability, then advertisers for services like jobs, housing, and credit could adjust the offers they show based on that fact.
The report sounds especially alarming because it categorizes searches people conduct online on websites including WebMD, Healthline, Drugs.com, BabyCentre (a website owned by Mashable’s parent company, J2) and others, as “health data.” But are your Google searches really in the same category as the health information gathered by your doctor?
Activity on these websites can certainly include revealing information with the potential for privacy violations and discriminatory advertising. But as a whole, we’re not so sure lumping data from your doctor in with your hypochondriacal Google searches is so clear-cut.
Even if the issue is a bit murky, the European Union has taken a stand: It views health-related activity online as “sensitive.”
FT’s report points out that the EU categorizes online health information as “special category data,” which gives it more stringent protections under the General Data Protection Regulation (GDPR), the broad privacy legislation the EU passed in 2018. Under GDPR, collecting and using online health data for advertising is illegal if the websites don’t get explicit consent and transparently explain what they’re doing with your data, and who’s getting it.
Websites have until the end of the year to clean up their act in the UK, but the FT’s report suggests that the online architecture will make disentangling online health data from other types of activity difficult.
Take Facebook’s response. Facebook basically told Mashable and FT that it doesn’t want websites doing this, and that they should stop. Then again, Facebook built the system that allows it to follow people around the internet wherever they go (whether they’re Facebook users or not): the Facebook pixel, a line of code embedded in websites that lets Facebook track online activity.
It opened the door to the hen house. Are advertisers just supposed to not go in?
Here’s Facebook’s statement.
“We don’t want websites sharing people’s personal health information with us — it’s a violation of our rules, and we enforce against sites we find doing this. We’re conducting an investigation and will take action against those sites in violation of our terms.”
Google says that it does treat data from health-based websites differently from other types of web activity. Apparently, it’s able to flag sites like WebMD as “sensitive,” and does not use web activity for general ad targeting. It does use pixel tracking for other purposes like measuring interactions with ads and preventing the same ads from being shown too many times.
“Google does not build advertising profiles from sensitive data, including health conditions such as depression or heart disease, and has strict policies preventing advertisers from using such data to target ads. Third-party cookies have a variety of uses, from enabling basic site functions such as payment processing and video player embeds to serving and measuring advertising.”
That sounds reassuring. Then again, the report found that Google (via its advertising arm DoubleClick) receives nearly twice as much browser health data as the next largest advertiser, Amazon.
Whether or not you’re more alarmed by the collection of health data than other types of data, there’s a question of who should be responsible: the advertisers, or the websites? Advertisers are the ones collecting and using the data, but websites are the ones that build the way in and then make money off the data collection, too. Mashable has reached out to health websites including WebMD and Healthline about this particular conundrum, and will update this story when and if we hear back.
Until the issue shakes out, though, there are a few things you can do. First of all, maybe don’t turn to the internet for every sniffle. But if you do want to access these resources, take these privacy precautions first.