Companies Outside “Health Space” Should Understand Rules Governing Sensitive Health Data, Says NAI Legal Analysis
NAI breaks down new legal requirements and recommends practical steps to protect consumers
WASHINGTON, DC (September 6, 2023) – An NAI legal analysis of recent state privacy laws, federal enforcement actions, and associated guidance over the last 18 months reaches significant new conclusions regarding how sensitive health data should be defined and treated. These conclusions will ultimately change the way members of the digital advertising industry approach data collection and use – even for those that work with information that has not traditionally been considered “sensitive” or “health-related.”
“Health-related advertising has been around nearly as long as advertising itself, but the regulatory landscape in this area has evolved at a pace difficult for even the most well-meaning companies to maintain,” said Leigh Freund, President and CEO of the NAI. “There remain viable paths for companies to engage in health-related advertising if they understand the new regulatory rules of the road.”
The NAI recommends that digital advertising companies – including agencies, brands and ad-tech firms – assess whether rules governing the collection, disclosure and receipt of sensitive health information apply to their own organizations. Entities on both sides of a data transaction may face potential liability. In light of the increased focus of new laws and regulations on inferences drawn from consumers’ personal information, data that may not traditionally have been considered sensitive health data has the potential to reveal sensitive attributes about consumers’ health, according to enforcement agencies.
“Though the majority of legal action related to sensitive health data has involved companies that operate in the traditional ‘health space,’ the potential for liability spreads much further,” said NAI Counsel Meaghan Donahue. “Even companies whose business models do not fit squarely in the health space or do not work directly with traditional health data – such as many third-party digital advertising companies – should take stock of their data collection and handling practices.”
In addition to useful summaries of recent FTC enforcement actions and definitions of health data in state and federal laws, the NAI offers general suggestions based on recent regulatory trends, including:
- Say what you do, do what you say, and be mindful of what you don’t say. Companies’ data handling practices should be consistent with their privacy policy and other public statements. Companies must disclose all material information about uses of sensitive health information to consumers.
- Health data is broadly defined and includes inferences. Health information is not just about prescription records and medical diagnoses. It now encompasses a broad range of data, such as browsing history, purchase data, and location, that relates to a consumer’s health status. Inferences include instances where non-health information can be used to reveal an individual’s mental or physical health condition or diagnosis.
- Ensure sensitive health information you collect or receive is properly permissioned. Both FTC guidance and state laws require consent before a company can process sensitive health information. Any sharing without consumer authorization could be considered a breach and trigger the Health Breach Notification Rule’s disclosure requirements.
- Common ad targeting technology may trigger new obligations. Multiple enforcement and regulatory actions have focused on common technologies used to facilitate ad targeting and analytics, such as tracking pixels, that could convey sensitive health information.
- False or misleading compliance seals could lead to deception charges. Only federal and state enforcement officials have the authority to determine compliance with various laws and regulations. Displaying a compliance seal, or otherwise asserting compliance, could be deceptive.
- Closely review your partner contracts and the data you share or receive. Partner contracts should not permit unauthorized receipt, use or onward disclosure of sensitive information without proper permissions.
- Benchmarking can help you understand where you stand. Understanding the practices of similarly situated companies can reduce uncertainty and risk. The NAI and its working groups provide a trusted space for member companies and working group participants to compare their practices to the broader industry.
- Don’t let the perfect be the enemy of the good. Interpretations of the law will continue to evolve, and regulators generally understand that there is a necessary learning curve associated with new and novel legal requirements.
The NAI has long noted the significance of inferences about health information. The NAI Code of Conduct recognizes that inferences about sensitive health or medical conditions or treatments, including cancer, mental health conditions, and sexually transmitted diseases, should be treated as sensitive information, even when these inferences are made from traditionally non-sensitive information.