Health Websites Share Sensitive Personal Data with Advertisers Without Required Consent: Report
Investigative reporters probing alleged misuse of the sensitive data of Europeans found that health websites were illegally sharing people's information with ad-targeting companies including Google, Amazon, and Facebook.
The personal data shared without users' explicit consent—a requirement under European data protection laws—includes medical symptoms, diagnostic information, and names of drugs.
Reporters at the Financial Times used an analytical tool called WebXray to analyze 100 health websites, including WebMD, Healthline, and Babycentre, according to an article headlined “How top health websites are sharing sensitive data with advertisers.”
The FT's investigation found that 79 percent of the sites installed “cookies” on users' computers without consent. In Europe, it is a legal requirement for websites to seek explicit consent to install chunks of code that allow third-party companies to track people's online activity.
Computer scientist Tim Libert, who created the open-source tool WebXray that the FT used in its investigation, told the publication that the problem is that companies could use medical information to prey on the ill and vulnerable.
“There is a whole system that will seek to take advantage of you because you're in a compromised state. I find that morally repugnant,” Libert told the FT.
He said people profiled on the basis of their assumed medical condition might face discrimination.
“As medical expenses leave many with less to spend on luxuries, these users may be segregated into data silos of undesirables who are then excluded from favorable offers and prices,” Libert told the FT. “This forms a subtle, but real, form of discrimination against those perceived to be ill.”
Data Protection in Europe
In May 2018, the EU adopted the General Data Protection Regulation (GDPR), which subjects online marketers to tighter constraints.
Under the new rules, advertisers are prohibited from sharing “special category” data without explicit consent, in which the user is informed how their sensitive data will be used and by whom.
According to the British Information Commissioner's Office, an independent authority set up to uphold information rights in the public interest, “special category” data “is more sensitive, and so needs more protection.”
“There are 10 conditions for processing special category data in the GDPR itself, but the Data Protection Act 2018 introduces additional conditions and safeguards,” the agency said.
The agency notes that “special category” data includes the following: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.
“In particular, this type of data could create more significant risks to a person's fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination,” it notes.
The FT wrote in its report that none of the websites tested asked for the type of explicit and detailed consent required under law.
The report follows the earlier findings of data privacy advocacy group Privacy International, which reviewed the data gathering habits of 136 popular mental health web pages in France, Germany, and the UK.
In a publication titled “Your Mental Health for Sale,” the group noted its findings that the mental health websites examined shared users' sensitive personal data with advertisers without the required consent.
The sensitive data tracked and shared with third-party marketers includes information from depression websites and the results of online mental health check tests.
“Our findings show that many mental health websites don't take the privacy of their visitors as seriously as they should,” Privacy International wrote in its report. “This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws.”
Regulators Probe Google-Ascension Deal
A U.S. federal regulator has initiated an investigation into a cloud computing deal between Alphabet Inc's Google and Ascension Health, which would give Google access to detailed health information of millions of patients,