The world of data tracking and sharing is a minefield. We’re bombarded with cookies and pop-ups – sometimes you’re asked for consent which feels like you’re signing your life away, other times you don’t even need to click a button.
It’s confusing for consumers – and worrying when it comes to your more personal stuff. An investigation by the Financial Times has found health websites have been sharing people’s data including medical symptoms, diagnoses, drug names, and menstrual and fertility information, with third parties – think digital advertising giants, data brokers and adtech firms.
The analysis of 100 health websites found 79% of them dropped cookies – a small file downloaded onto your device when you visit a website, which then gathers information about you – without obtaining user consent.
The data was grabbed when people went on these sites searching for specific information – symptoms, drug names, or advice on abortion, for example. This data can be used by advertisers to target ads.
Experts warned in the BMJ earlier this year that sharing of user data by popular mobile health apps is routine, yet far from transparent. Their analysis of 24 apps for Android phones found 19 of them shared user data outside the app.
Reporter Talia Shadwell discovered data from her period app had been shared with advertisers – and revealed the personal impact. When her period was late, she started receiving baby-related ads on Facebook. She realised she hadn’t logged her period and when she did, the adverts stopped. “The app likely concluded I was pregnant and began communicating the information to third party apps and algorithms,” she tweeted in a thread that went viral.
The health data of an individual is classified as “special category” data under the EU General Data Protection Regulation (GDPR), explains GDPR specialist Philippe Ruttley, from Keystone Law.
Collecting this data and processing it requires the consent of the person whose data it is – and this appears to be where the line is blurred. Some people aren’t being asked for their consent (as the FT investigation showed), but others might be ticking boxes without thinking about it.
Ruttley explains that sharing a person’s health data with third parties without their consent is “a serious infringement of GDPR rules”, for which the UK data protection authority – the Information Commissioner’s Office (ICO) – can impose tough penalties.
Simon McDougall, the ICO’s executive director for technology policy and innovation, said the latest findings “highlights the ICO’s concerns about the processing of special category data in online advertising”, as well as the role that site owners and publishers play in this ecosystem”. Special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to, or discrimination against, individuals, he said.
The ICO is assessing the information provided by the FT before considering next steps. While that happens, consumers might be left scratching their heads about the best way to protect their data. Here are some tips for keeping your cookies under control.
1. Change your browser.
It might seem like a faff but actually, switching your browser gives you greater control over how much of your data is shared. Safari and Firefox claim to block most third-party cookies by default, while users of Google Chrome must manually change their settings. As an experiment, Geoffrey Fowler from the Washington Post switched from Chrome to Firefox – and shared the results. In a week of web surfing on his desktop, he discovered 11,189 requests for tracker cookies that Chrome would have allowed, but were automatically blocked by Firefox.
2. Be cookie savvy.
If you’re going on sites where you’re searching for health-related information, take a little look at the cookie pop-up. Make sure you’re not ticking ‘yes’ to cookie tracking if you want what you’re searching for to remain private.
Consent must be obtained by the data collector so check there are no pre-ticked boxes or statements in the cookie pop-up at the bottom of your screen. If there are, untick them so you’re not consenting to sharing your data.
“Websites should not only say what cookies are doing, but also what data’s being collected and, if they’re really compliant, what programmes are being loaded,” says Ruttley.
To confuse matters, there are a few different types of cookie. While “functional” cookies are usually pretty innocent, “targeting or advertising” cookies are the ones you want to be mindful of.
3. Get friendly with your settings.
It’s not glamorous, it’s not fun, but it is another way to try and tackle the problem. You can usually turn off tracking, or send a ‘Do Not Track’ request, in the settings of your internet browser. It might be worth clearing your cookies (and other browsing data) while you’re at it.
4. Complain.
Consumers need to be aware of their rights relating to consent. If you believe your health data has been shared without your consent, you can send a complaint to the ICO. “People must be aware of their rights,” concludes Ruttley, “because that information – the collecting and harvesting of private data – is one of the banes of the modern world.”