If consumers knew how companies use their data, would they think it’s fair?
That’s the question businesses should be answering about their data usage beyond simply getting an opt-in, said Arielle Garcia, chief privacy officer of IPG-owned agency UM Worldwide, speaking at AdExchanger’s Industry Preview in New York City on Tuesday.
Platforms may ask consumers for consent to collect their data, but they “aren’t asking consumers if they’re OK with the inadvertent harms that can occur from the misuse of their data,” Garcia said.
And the harms aren’t theoretical.
Sensitive data, such as health and location-related information, “came into the spotlight” after SCOTUS overturned Roe v. Wade last year, Garcia said.
Sensitive nature
Regulators have been paying special attention to abuses related to sensitive data.
GoodRx settled with the FTC earlier this month over allegations that it shared personal health information with Facebook and Google for targeted advertising.
And Meta made headlines over the summer when an investigation by The Markup found that Meta’s site pixel, which is used to track site activity, was sending sensitive health and prescription data from hospital websites back to Meta, where it could be used for targeted advertising. Meta now faces a class action lawsuit for allegedly violating HIPAA.
After The Markup’s investigation, some hospitals immediately removed the pixel from their sites, implying they might have been unaware of how patient data was being shared, said Sisi Wei, editor-in-chief of The Markup, also speaking at Industry Preview.
Plenty of companies “want to do well by consumer privacy but [just] don’t know how to,” Wei added.
Facing the consequences
The pressure is on to strike the right balance between business needs and preserving privacy, because the repercussions for privacy infractions are becoming more severe.
GoodRx wasn’t simply fined. The FTC permanently prohibited the telehealth company from sharing health data with any third-party partners for advertising purposes.
And this legal pressure isn’t specific to health-related data.
A separate investigation by The Markup in November uncovered that Meta was using its pixel to collect sensitive financial information from tax services, including TaxSlayer and H&R Block. Both companies removed the pixel from their sites after they were contacted by The Markup.
The definition of sensitive data is expanding to include personal information, such as race and ethnicity, Garcia said, which means companies need to consider whether they’re collecting data that could be used to identify an individual.
For example, the HIPAA complaint against Meta was filed by a patient who received targeted ads on Facebook about her health condition.
As advertisers, “we have to make sure we understand the ramifications of our campaigns,” Garcia said, because privacy legislation alone can only go so far.
Legal prowess
Data privacy legislation is ramping up around the world.
According to Garcia, Europe is “rewriting the rules” of digital privacy with the Digital Services Act, which regulates user interfaces for unfair data practices, including dark patterns that purposely employ language or visuals that push consumers to opt into something they normally wouldn’t.
In the US, however, privacy standards are still a work in progress. What could have been the first national data privacy law hit a brick wall, partly due to concerns over the preemption of existing state laws.
The patchwork of individual state laws we have now will cause policy fragmentation that “isn’t going to get better for some time,” Garcia said.
Meanwhile, media companies still have a responsibility to keep their own data practices in check – especially if they don’t want to get sued.
‘Check your pixels’
But what can companies do to protect themselves?
“Check your pixels,” Garcia advised.
Third-party tracking pixels are all over the internet, but that doesn’t mean advertisers can’t take steps to make sure they don’t get into legal trouble.
The biggest misconception about pixels is the idea that settings can’t be changed, Wei said.
Marketers don’t have to all-out drop pixels from their sites, she added, but to use them properly, advertisers should minimize the amount of data they collect, be clear about why they’re collecting it and who they’re sharing it with, and be especially careful not to transmit data that’s sensitive and/or personally identifiable.
As an industry, “we need to focus on fairness,” Garcia said. “Otherwise, we aren’t addressing the actual harms that data abuse has on society and on democracy.”