Health sites are 'unlawfully' sharing medical data with Facebook and Google

Irish DPC warns that tracking allows sensitive information to be shared with major internet firms

Health-related websites are embedded with third-party trackers and cookies that may be leaking users’ sensitive medical data to internet giants for advertising purposes.

Special category data, such as the details of illnesses or conditions a user may search for on healthcare websites, are being shared with parties such as Facebook and Google, according to the Irish Data Protection Commission (DPC). 

Advertisement - Article continues below

This transfer of data is either done through the use of explicit user profiles of logged-in customers, or through predictive profiles based on unique identifiers. This, a report by the regulator suggests, is being done without a lawful basis.

The DPC refrained from mentioning any particular company but noted a few prominent examples of bad practice. 

Health insurers, for example, were found to use advertising and targeting cookies, including cookies set by the Google-owned DoubleClick. Another health-related site used targeted cookies, with cookies used to send users relevant ads when they visited other sites. 

The Irish DPC conducted a desktop examination of a slither of organisations - 38 in total - to assess whether they were complying with data protection regulations around advertising and user consent.

Each website was examined in a clean browser, and assigned a green, amber, or red rating depending on their level of compliance. Two organisations were awarded a green rating, with one achieving a borderline green to amber rating. While 20 were given an amber rating, three received a borderline amber to red grade, and a staggering 12 achieved red. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Data controllers in the media and publishing, the banking and finance and health insurance sector had a significant level of third-party trackers, including advertising trackers which track users across the web.

One controller, alarmingly, had 150 third-party trackers as well as dozens of third-party analytics cookies set without consent. 

The Information Commissioner’s Office (ICO), the Irish DPC’s UK counterpart, had previously expressed its deep concerns over reports that some of the most popular health websites were sharing sensitive data with advertisers. 

Related Resource

Feeding the content-data loop

Like data, content must be well-managed, trustworthy, and secure

Download now

A Financial Times (FT) probe of 100 prominent health sites found that tracking cookies are embedded in users’ browsers without explicit consent to allow third-party companies to track users while they surf the web. This data is then transmitted to advertising platforms. 

The ICO has also conducted its own examination of the multi-billion pound adtech industry and published a report in June 2019 highlighting several issues around data protection violations, particularly around the concept of real-time bidding (RTB).

Advertisement - Article continues below

Companies in this space are openly violating standards set out under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Data rights campaigners have threatened to take the ICO to court, however, over its lack of action given the scale of violations that its investigators have exposed.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
UK government may trace COVID-19 patients using mobile phone data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020