Health sites are 'unlawfully' sharing medical data with Facebook and Google

Irish DPC warns that tracking allows sensitive information to be shared with major internet firms

Health-related websites are embedded with third-party trackers and cookies that may be leaking users’ sensitive medical data to internet giants for advertising purposes.

Special category data, such as the details of illnesses or conditions a user may search for on healthcare websites, are being shared with parties such as Facebook and Google, according to the Irish Data Protection Commission (DPC). 

This transfer of data is either done through the use of explicit user profiles of logged-in customers, or through predictive profiles based on unique identifiers. This, a report by the regulator suggests, is being done without a lawful basis.

The DPC refrained from mentioning any particular company but noted a few prominent examples of bad practice. 

Health insurers, for example, were found to use advertising and targeting cookies, including cookies set by the Google-owned DoubleClick. Another health-related site used targeted cookies to send users relevant ads when they visited other sites.

The Irish DPC conducted a desktop examination of a sliver of organisations - 38 in total - to assess whether they were complying with data protection regulations around advertising and user consent.

Each website was examined in a clean browser and assigned a green, amber, or red rating depending on its level of compliance. Two organisations were awarded a green rating, with one achieving a borderline green to amber rating. While 20 were given an amber rating, three received a borderline amber to red grade, and a staggering 12 achieved red.

Data controllers in the media and publishing, banking and finance, and health insurance sectors had a significant level of third-party trackers, including advertising trackers which track users across the web.

One controller, alarmingly, had 150 third-party trackers as well as dozens of third-party analytics cookies set without consent. 

The Information Commissioner’s Office (ICO), the Irish DPC’s UK counterpart, had previously expressed its deep concerns over reports that some of the most popular health websites were sharing sensitive data with advertisers. 

A Financial Times (FT) probe of 100 prominent health sites found that tracking cookies are embedded in users’ browsers without explicit consent to allow third-party companies to track users while they surf the web. This data is then transmitted to advertising platforms. 

The ICO has also conducted its own examination of the multi-billion pound adtech industry and published a report in June 2019 highlighting several issues around data protection violations, particularly around the concept of real-time bidding (RTB).

Companies in this space are openly violating standards set out under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Data rights campaigners have threatened to take the ICO to court, however, over its lack of action given the scale of violations that its investigators have exposed.
