Yesterday, an investigative report from the Financial Times revealed that some of the UK’s most popular health websites are sharing people’s sensitive data — including medical symptoms, diagnoses, drug names and menstrual and fertility information — with dozens of companies around the world, ranging from ad-targeting giants such as Google, Amazon, Facebook and Oracle, to lesser-known data-brokers and adtech firms like Scorecard and OpenX.
Using open-source tools to analyse 100 health websites, which include WebMD, Healthline, Babycentre and Bupa, an FT investigation found that 79 per cent of the sites dropped “cookies” — little bits of code that, when embedded in your browser, allow third-party companies to track individuals around the internet. This was done without the consent that is a legal requirement in the UK.
Consent and awareness are key principals of privacy, and there’s nothing more private than one’s healthcare information. The presumption health websites have in sharing data with advertisers is that the person investigating the health concern is in fact in the market for some remedy. Presumption is not consent and isn’t an invitation to share information with third parties. In each of these instances, the websites appear to place a priority on advertising practices over data protection and the reality is that given access to any data, people will find a way to use, and potentially misuse it. With complex digital supply chains involved in data processing, transferring data from one organisation to another is in effect a case of trusting the security practices continue to align with expectations set when the supply chain vendor relationship was created.
With organisations having data usage goals, consumers should continuously question what information they share and look for signs that their information is being misused. A tell-tale example is when advertising related to a search starts to appear both within the current site and elsewhere. For the targeted advert to be shown, targeting information is required and that could easily be from your original search. In such instances, it’s well within your rights to ask the website why they sold your data to an ad network and where that was disclosed and how you consented to the transfer.