Health websites are ‘violating UK law by sharing users’ search terms with Google, Facebook and Amazon’ and logging what symptoms, medicines and illnesses people look up
- Some 79 out of 100 websites used in the UK had cookies sharing sensitive data
- One expert warned advertisers could build profiles of people likely to be poor
- Information about periods and search terms like ‘overdose’ and ‘abortion’
Health websites are sharing people’s personal search data with online giants including Google, Amazon and Facebook, an investigation has revealed.
The arrangements are accused of taking sensitive information without people’s consent and therefore breaching British data protection laws.
A total of 79 out of 100 websites were implicated in the Financial Times investigation, including WebMD, Healthline, BUPA and the British Heart Foundation.
Search terms such as ‘drug overdose’, ‘heart disease’ and ‘considering abortion’ were shared through advert-targeting schemes, as well as symptoms and drug names.
One critic suggested that companies could use the cookies to build profiles of people who were likely to spend so much on medical expenses that they wouldn’t be able to afford luxury goods, and then choose not to advertise to them.
The process of sharing the data happens through websites implanting cookies into users’ internet browsers.
Cookies which record people’s search terms and browsing history are then used to help build an online profile for them which third party advertisers can target.
In principle this means people who search for headache symptoms might begin to see adverts for painkillers when they’re online.
‘There is a whole system that will seek to take advantage of you because you’re in a compromised state,’ Tim Libert, a computer scientist at Carnegie Mellon University in Pittsburgh, told the Financial Times.
‘The internet has turned into a privacy wasteland. But there’s a suspension of disbelief in the [ad] industry.
‘Companies say they are GDPR-compliant, there’s a codependency where everybody pretends everything is OK, but the deep technical architecture is fundamentally incompatible with the right to privacy.’
WHAT ARE DATA PROTECTION RULES?
The European Union’s General Data Protection Regulation (GDPR) is a law that came into force on May 25, 2018.
It offers stronger data protection for all people in the European Union (EU).
This means cracking down on how companies use and sell the data they collect on their users.
The law marked the biggest overhaul of personal data privacy rules since the birth of the internet.
Under GDPR, companies are required to report data breaches within 72 hours, as well as to allow customers to export their data and delete it.
Part of GDPR is the right for people to know ahead of time whether their personal data is being collected and used, and for the company holding the data to be transparent about exactly what it’s doing with personal information.
The company holding the data must also make it freely available to the person it concerns.
Under the right to be forgotten, also known as Data Erasure, people are entitled to have the company erase their personal data, stop sending it to other parties, and potentially prevent third parties from using it, too.
This means people can withdraw their consent for information about them to be used, even after they’ve handed it over.
This right requires companies to balance the person’s rights with the ‘public interest in the availability of the data’ when considering such requests.
The site which absorbed the most information was Google’s advertising section, DoubleClick, which was in action on 78 per cent of websites tested.
Amazon was receiving cookies from 48 per cent of sites, while Facebook and Microsoft were also among the major targets.
Google told the FT that any information considered sensitive is quarantined internally and not used in the algorithms that personalise the adverts people see.
But critics are concerned accumulating data relating to people’s medical conditions could lead to a database of ‘undesirable’ people to whom companies won’t advertise.
Mr Libert added: ‘As medical expenses leave many with less to spend on luxuries, these users may be segregated into “data silos” of undesirables who are then excluded from favourable offers and prices.
‘This forms a subtle, but real, form of discrimination against those perceived to be ill.’
In the UK, GDPR regulations mean it is illegal for companies to share people’s personal information without explicit consent.
This is why most websites now have buttons you have to press to accept the terms and conditions before you can enter.
And cookies – the small pieces of stored information which are responsible – cannot simply be got rid of because they’re so useful.
Cookies, for example, are what remember passwords on website logins and are how sites like YouTube can predict what people will want to watch next.
Other companies named in the FT investigation were Made for Mums, Self.com and Babycentre – the newspaper did not release the full list.
BUPA told the FT: ‘Advertising cookies are used on our site but we have set them so that no personal data about visitors to our websites, including our health information pages, is passed on to third parties.’
British Heart Foundation said: ‘The data captured by the cookies on our website is protected (pseudonymised) so it doesn’t directly identify individuals. We don’t sell data and we don’t share sensitive personal data on areas such as ethnic origin and health that could directly identify people.’
MailOnline has contacted all the companies named in this article for comment.