You may have noticed more online ads lately related to health and medical conditions—perhaps conditions that you have, or that someone in your household has. Increasingly, online ad platforms have begun selling access to targeted audiences of users with presumed or inferred medical conditions. These “audiences”— essentially, cookie pools or (if mobile) sets of device identifiers, targeted through web and mobile ad platforms — are available for a range of categories, from “allergy” sufferers, to “circulatory” disorders, to visual and hearing impairments. This data is sourced in a variety ways, including de-identified data from HIPAA-regulated providers, data drawn from users that have opted in, and (most commonly), from users’ anonymous online habits.
However, the online ecosystem has only begun to develop customs and best practices applicable to these “health data segments” or “health segments.” Websites, ad exchanges and platforms, and data providers should therefore be careful when handling this data or related ads, and should be aware of what rules and customs affect these segments — and how they are evolving. Below are some of the key points and practices around using or offering online health segments.
1. NAI Code of Conduct
The NAI (Network Advertising Initiative) is an industry and self-regulatory organization governing its membership of nearly 100 ad exchanges, data management platforms, ad servers and other service providers. The NAI Code of Conduct is the primary guide for “best practices” for ad exchanges and ad networks, and it provides guidance regarding use of health data segments.
In addressing how to “sell” to audiences with particular health interests or conditions, the NAI distinguishes between “sensitive” and “non-sensitive” health segments. Under the NAI Code, whether a condition, treatment or interest is sensitive is based on “the seriousness of the condition, its prevalence, whether it is something an average person would consider particularly private in nature, whether it is treated by over-the-counter or prescription medications, and whether it can be treated by modifications in lifestyle as opposed to medical intervention.”
So for instance, mental health-related conditions, cancer, specific medical conditions (Parkinson’s disease, Alzheimer’s disease, all cancer types and sexually transmitted diseases, etc.), would be considered “sensitive” and would require opt-in consent. On the other hand, certain “lesser” conditions (allergies, acne) or “general” categories (weight loss, cholesterol management) are less likely to be “sensitive,” and thus would not require a specific opt-in.
a. “Transparency Principle”
Under the Code’s “transparency” principle — applicable to both “non-sensitive” and “sensitive” data segments — those offering the segments must disclose that fact, usually in a list of applicable segments in (or in a link from) their privacy policies. In principle, users can then review these segments, and decide to opt-out of that platform if they don’t want to be targeted in that way.
b. “Opt-In” Requirement
The NAI Code presents additional, more significant obstacles to using “sensitive” health data segments in serving ads. Namely, an NAI member must obtain “opt-in” consent—informed (and presumably, revocable) consent from a user, before that user is targeted via any such data segment regardless how that data segment was created (e.g., whether through actual, inference or modeled data). This may be difficult not only to obtain, but also to demonstrate in each case—particularly as to modeled data.2.
2. FTC
The FTC appears to be at least generally aligned with the NAI’s approach. In a May 2014 report on data brokers, titled “Data Brokers, a Call for Accountability and Transparency,” the FTC’s recommendations included the following:
“Congress should also consider protecting sensitive information, such as certain health information, by requiring that consumer-facing sources obtain consumers’ affirmative express consent before they collect sensitive information.” (A requirement already in place under the NAI Code);
as well as the observation that
“Allowing consumers to access data about themselves is particularly important in the case of sensitive information—and inferences about sensitive consumer preferences and characteristics — such as those relating to certain health information.” (While the NAI Code does not require “access” — which may be difficult to achieve in real time — its principles outlined above require significant transparency of sensitive data that may be used.)
For its part, the FTC described pregnancy, diabetes and high cholesterol as “potentially sensitive” data segments, although those conditions may not be deemed sensitive under the NAI Code.
Ad platforms therefore should be aware that the use or creation of “sensitive” data segments may invite public or regulatory scrutiny — which may come from the FTC or State Attorneys General. The Illinois Attorney General, for instance, conducted an investigation during 2013 into how health data was used and shared for online and offline advertising.
3. HIPAA
When online ads are sent using data sourced from actual health care providers (e.g., through de-identified data cookie pools), HIPAA may also apply. The United States Department of Health and Human Services (“HHS”) has issued strict de-identification guidelines, setting out how Personal Health Information may be exempted from HIPAA’s restrictions on use or disclosure. HHS provides that, “[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” The HHS in turn sets out two ways of achieving this de-identification – the first involving an “expert determination,” and second involving adherence to a Safe Harbor standard whereby all personal identifiers (including IP addresses) are removed – details of which are set forth in the guidelines linked to above.
4. What’s Next?
Regulators, government officials, and privacy advocates have, unsurprisingly, guided companies to use discretion when using health data for marketing purposes. Alongside traditional data privacy concerns regarding health-related information lie concerns that targeted medical ads (particularly for serious conditions) may affect or degrade the browsing experience. Pharmaceutical companies do of course have societally compelling reasons to target products to audiences likely to have the ailments treated by those products — but in light of the increased acceptance of the above rules, they will likely need to focus on contextual advertising rather than reliance on targeted segments.
Featured Photo by NEC Corporation of America from Flickr