
Online drugstores and online shops share sensitive health data with Big Tech

This is evident from research by Investico, in collaboration with De Groene Amsterdammer and the television programme Radar. Privacy First urges action to stop these practices.

Broadcast Radar 23 February 2026 © AVROTROS

The Privacy First Foundation finds what is happening shocking. Online shops, including large drugstores, send sensitive customer data to tech companies such as Facebook, Google and TikTok when you visit their websites and make purchases. Sometimes even email addresses and other identifying data are sent along. This is done via so-called server-side tracking. These are not innocent clicks, but information on, for example, pregnancy tests, morning-after pills or erectile dysfunction drugs.

And it gets worse. Even if you reject cookies, data is still forwarded via server-side tracking. Explicit consent for sharing sensitive (medical or sexual) information is not asked for separately, even though the law requires it for such special personal data. “Decline cookies” thus often gives a false sense of control.

This comes even though the Personal Data Authority (AP) imposed a fine of 600,000 euro on Kruidvat as recently as 2024[1] (after Kruidvat objected, this became 50,000 euro)[2] for using tracking cookies on its website without visitors' consent. Especially at a drugstore, the risks are high. Indeed, purchases such as pregnancy tests or medication, combined with location data, can lead to extremely specific and invasive profiles. Judging by Investico's research findings, there seem to have been no "lessons learned".

Why is this problematic?

This is problematic because the risks are anything but theoretical. They are real and serious: a total loss of privacy, a loss of trust, and possibly legal consequences as well. Here are some examples of what can happen to the data collected:

  • Profiling and resale: highly detailed profiles are built and resold in an opaque advertising ecosystem.
  • Very specific features: those profiles may be so specific as to (implicitly) reveal someone's sexual preferences or medical situation.
  • Criminal risks: in the US, we have seen and still see that purchase data and location data (and social media data) can be used in (criminal) investigations, for example around abortion[3] and visas[4].
  • Regime change: data that seems innocuous in the current political climate can suddenly be used against citizens under a different regime. What is marketing data today may be evidence tomorrow.
  • Data breaches and blackmail: the data breach at Ashley Madison[5] showed how far-reaching the consequences can be when sensitive information becomes public. People lost their jobs and their relationships; some even committed suicide. Whatever you think of adultery morally, it is not punishable. Yet people were publicly condemned on the basis of leaked data.
  • Incorrect links: sometimes e-mail addresses or data are used that are not certain to be correct. In a data breach, data may be wrongly linked to someone, resulting in reputational damage.
  • Minors: if this kind of tracking also affects minors, the risks are even more serious.

This is not an abstract privacy debate. This is about power relations, about control, about vulnerability.

Who should protect consumers?

Not the consumers themselves. The idea that you are “safe” by rejecting cookies is outdated. In the first instance, online drugstores themselves are responsible for placing or allowing trackers to be placed. They decide which trackers are on their websites. The major platforms are partly responsible. Their pixels and ad networks make this tracking possible and profitable. They have also been repeatedly taken to task. Yet these practices persist, often hidden behind complex technical infrastructures. Finally, the AP should (continue to) monitor, educate and enforce. The AP has enough solid tools to do this. The tools range from conducting investigations, warning or reprimanding to imposing fines, shutting down processing operations and having data erased.

In recent years, the AP has shared a lot of information about cookies and says it will monitor more strictly. The Kruidvat fine shows that action is possible and necessary. But enforcement is often retrospective and piecemeal. By the time there is a fine, thousands if not millions of profiles have already been created and distributed.

Moreover, Privacy First believes that cookie banners are not the real solution. They are often unclear or misleading. People are “cookie tired” and quickly click “accept”, without any overview of what happens to their data or what databases they end up in. As a consumer, you do not know what profile you are in, what labels are attached to you, or who has access to them.

How should this be resolved?

Privacy First believes the time for “nuance and leniency” is over. Companies are collecting more data every day because it is profitable, until they are knocked back. As a society, we need to be clearer about where the line is drawn.

  • The solution starts with companies having to comply with the law. Privacy by design should be the norm, especially with sensitive products.
  • Tech companies must take responsibility. There must be no tracking based on special personal data. Full stop.
  • Stricter and faster enforcement is needed, despite the fact that the AP wants to move towards being a helping, supportive organisation and perceives penalty processes as burdensome and time-consuming. The AP has the powers and they must be used firmly.
  • More transparency about cookies and awareness remains a concern. If a cookie banner states that coffee purchases are shared with partners, the same applies to pregnancy tests and medication. That realisation needs to sink in. Furthermore, people need to be able to see what profile they are categorised in and what labels have been assigned to them. Without insight, rights cannot be exercised effectively.
  • Finally, we should continue to seriously consider a ban on tracking of sensitive personal data and its practical implementation. Especially when it comes to health and sexuality.

Conclusion

We can no longer pretend this is a technical detail. Passing on sensitive health data to ad platforms is a fundamental invasion of privacy.

Protecting consumers from this kind of data transfer is not an individual responsibility but a collective task. For online shops and drugstores. For tech platforms. For the regulator. And ultimately for the legislator. Sensitive health data does not belong in ad profiles. That should no longer be a discussion.


View the television report HERE and read the corresponding article at Radar HERE.

[1] https://autoriteitpersoonsgegevens.nl/documenten/besluit-boete-as-watson-kruidvat

[2] https://autoriteitpersoonsgegevens.nl/documenten/besluit-op-bezwaar-as-watson-kruidvat

[3] https://www.americanprogress.org/article/stopping-the-abuse-of-tech-in-surveilling-and-criminalizing-abortion/

[4] https://www.bbc.com/news/articles/c1dz0g2ykpeo

[5] https://www.reuters.com/article/technology/two-people-may-have-committed-suicide-after-ashley-madison-hack-police-idUSKCN0QT1O6/