Health sites are 'unlawfully' sharing medical data with Facebook and Google

Irish DPC warns that tracking allows sensitive information to be shared with major internet firms

A stethoscope on top of a MacBook keyboard

Health-related websites are embedded with third-party trackers and cookies that may be leaking users’ sensitive medical data to internet giants for advertising purposes.

Special category data, such as the details of illnesses or conditions a user may search for on healthcare websites, are being shared with parties such as Facebook and Google, according to the Irish Data Protection Commission (DPC). 

This transfer of data is either done through the use of explicit user profiles of logged-in customers, or through predictive profiles based on unique identifiers. This, a report by the regulator suggests, is being done without a lawful basis.

The DPC refrained from mentioning any particular company but noted a few prominent examples of bad practice. 

Health insurers, for example, were found to use advertising and targeting cookies, including cookies set by the Google-owned DoubleClick. Another health-related site used targeted cookies, with cookies used to send users relevant ads when they visited other sites. 

The Irish DPC conducted a desktop examination of a slither of organisations - 38 in total - to assess whether they were complying with data protection regulations around advertising and user consent.

Each website was examined in a clean browser, and assigned a green, amber, or red rating depending on their level of compliance. Two organisations were awarded a green rating, with one achieving a borderline green to amber rating. While 20 were given an amber rating, three received a borderline amber to red grade, and a staggering 12 achieved red. 

Data controllers in the media and publishing, the banking and finance and health insurance sector had a significant level of third-party trackers, including advertising trackers which track users across the web.

One controller, alarmingly, had 150 third-party trackers as well as dozens of third-party analytics cookies set without consent. 

The Information Commissioner’s Office (ICO), the Irish DPC’s UK counterpart, had previously expressed its deep concerns over reports that some of the most popular health websites were sharing sensitive data with advertisers. 

Related Resource

Feeding the content-data loop

Like data, content must be well-managed, trustworthy, and secure

Download now

A Financial Times (FT) probe of 100 prominent health sites found that tracking cookies are embedded in users’ browsers without explicit consent to allow third-party companies to track users while they surf the web. This data is then transmitted to advertising platforms. 

The ICO has also conducted its own examination of the multi-billion pound adtech industry and published a report in June 2019 highlighting several issues around data protection violations, particularly around the concept of real-time bidding (RTB).

Companies in this space are openly violating standards set out under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Data rights campaigners have threatened to take the ICO to court, however, over its lack of action given the scale of violations that its investigators have exposed.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021