Health sites are 'unlawfully' sharing medical data with Facebook and Google

Irish DPC warns that tracking allows sensitive information to be shared with major internet firms

Health-related websites are embedded with third-party trackers and cookies that may be leaking users’ sensitive medical data to internet giants for advertising purposes.

Special category data, such as the details of illnesses or conditions a user may search for on healthcare websites, are being shared with parties such as Facebook and Google, according to the Irish Data Protection Commission (DPC). 

This transfer of data is either done through the use of explicit user profiles of logged-in customers, or through predictive profiles based on unique identifiers. This, a report by the regulator suggests, is being done without a lawful basis.

The DPC refrained from mentioning any particular company but noted a few prominent examples of bad practice. 

Health insurers, for example, were found to use advertising and targeting cookies, including cookies set by the Google-owned DoubleClick. Another health-related site used targeted cookies, with cookies used to send users relevant ads when they visited other sites. 

The Irish DPC conducted a desktop examination of a slither of organisations - 38 in total - to assess whether they were complying with data protection regulations around advertising and user consent.

Each website was examined in a clean browser, and assigned a green, amber, or red rating depending on their level of compliance. Two organisations were awarded a green rating, with one achieving a borderline green to amber rating. While 20 were given an amber rating, three received a borderline amber to red grade, and a staggering 12 achieved red. 

Data controllers in the media and publishing, the banking and finance and health insurance sector had a significant level of third-party trackers, including advertising trackers which track users across the web.

One controller, alarmingly, had 150 third-party trackers as well as dozens of third-party analytics cookies set without consent. 

The Information Commissioner’s Office (ICO), the Irish DPC’s UK counterpart, had previously expressed its deep concerns over reports that some of the most popular health websites were sharing sensitive data with advertisers. 

Related Resource

Feeding the content-data loop

Like data, content must be well-managed, trustworthy, and secure

Download now

A Financial Times (FT) probe of 100 prominent health sites found that tracking cookies are embedded in users’ browsers without explicit consent to allow third-party companies to track users while they surf the web. This data is then transmitted to advertising platforms. 

The ICO has also conducted its own examination of the multi-billion pound adtech industry and published a report in June 2019 highlighting several issues around data protection violations, particularly around the concept of real-time bidding (RTB).

Companies in this space are openly violating standards set out under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Data rights campaigners have threatened to take the ICO to court, however, over its lack of action given the scale of violations that its investigators have exposed.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020