Report: Personal health data should be off-limits to common marketing practices
The authors -- who were instrumental in the creation of the Children’s Online Privacy Protection Act -- call for governmental and industry safeguards.
Personal wearables that track health data can boost your exercise routine or monitor a medical condition.
The devices — including digital watches, sensor-equipped clothes and apps in smartphones — can track heart rates, sleep patterns, calories and stress levels, and someday may store information on our DNA.
But, according to an extensive new report from the Center for Digital Democracy (CDD) and American University, their information shouldn’t be treated like ordinary marketing data.
The report, “Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection,” says that many common techniques for utilizing marketing data — including lookalike modeling, predictive analytics, scoring, programmatic advertising and “buying and selling of individual consumers” — threaten consumer privacy in unprecedented ways when it comes to health data and status.
“Health data is personal information and should get higher standards” than other kinds of data, CDD executive director and report co-author Jeffrey Chester told me.
The report’s three authors — Kathyrn Montgomery, Chester and Katharina Kopp — say they were behind the 1990s campaign that led to COPPA, the influential Children’s Online Privacy Protection Act.
The standards should include “complete transparency and user consent,” Chester said, but he added that “consent is no longer good enough” by itself. The reason: it is “easily obtained,” can be unclear about what it permits, and correlations between data can violate personal privacy.
In other words, he indicated, if you allow some data from your exercise wristband to be used anonymously for targeted ads, it can then be combined with other kinds of data, like the location patterns of your daily travel and IP-triangulation of where your device resides at night, to infer where you live, who you are and what you buy.
What if you want to receive targeted ads about diabetes?
The problem, he said, is that combining the consented data with other kinds of data — such as location — and then analyzing large datasets to find similar profiles could reveal more than what you’d want, such as the likelihood that you also have high blood pressure. The consequences of this information becoming generally available could affect one’s insurance policies, employment, security clearance, credit rating or housing, among other possible impacts.
The system for handling personal health status needs to move beyond privacy self-management, the report said.
But health-related data isn’t the only way to find out about one’s health. Modern marketing analytics can also determine your health condition from, say, purchasing patterns.
There’s the now well-known story, originally reported in The New York Times, where the father of a teenaged girl was upset because a Target store was sending her mailers appropriate for pregnancy-related products. He angrily insisted to the store manager that she wasn’t, but the retailer’s marketing analytics had looked at her purchasing patterns. It turns out Target was correct. From the report:
While personal health information should clearly be considered sensitive, it is important to understand that in the Big-Data era, no single piece of data or category of information can easily be isolated for special handling. We need to view current data practices more holistically, as the aggregation of many “data points” about an individual, across multiple platforms and digital devices, online and off, that reveals important and “actionable” insights about a person’s health.
Chester told me that there “is a continuum” of data and data uses, emphasizing the report’s central recommendation: there should be a dedicated effort by various industries and the federal government to research all these issues and establish safeguards and formal processes for employing health status and data.
Existing guidelines and best practices in the US, the report said, are a “patchwork of competing and sometimes overlapping systems,” and self-regulation by itself has proven insufficient to handle the scope of the problem.
The report, funded by the Robert Wood Johnson Foundation, was based on industry reports, trade publications, scholarly and legal literature, policy documents and interviews with experts.