Healthcare brands are caught in a data privacy trap


If you find yourself troubled by a mischievous monkey, there's no better way of catching it than by using a South Indian monkey trap. The trap comprises a hollowed-out coconut chained to a stake and filled with rice that can be reached through a small hole. Although the monkey's open hand fits through the hole, its clenched, rice-filled fist remains stuck. The monkey stays this way, refusing to drop its prized rice, until it is caught.

Marketers are in a similar predicament. Addicted to the reach, scale, and personalisation provided by third-party tracking cookies and surveillance-based adtech, and lacking a simple solution to replace them, they're unwilling to let go. However, privacy concerns are making these tools dangerous, and companies that refuse to move on risk being caught by the regulators. As we shall see, this is a big risk for brands operating in the healthcare sector.

What's at stake

Today, advertisers work with a wide range of intermediaries and vendors to track, profile, and target consumers with relevant and often personalised content. This model underpins a complex marketplace where hundreds of companies share personal data about millions of people in near real-time.

Unfortunately, much of the technology that makes this possible, and the corresponding collection and use of data, is in conflict with people’s expectations of privacy and in breach of data protection regulation. The digital advertising industry must adapt or accept the consequences of these compliance failures.

As regulatory scrutiny intensifies, gripping onto that rice is an increasingly risky business. Since 2018, more than €1.7 billion in GDPR fines have been handed out, with enforcement activity increasing by 40% in 2020/21. Having already levied huge fines against big tech and adtech companies, regulators are turning their sights on advertisers. This includes many companies in the healthcare sector, among them a biomedical technology provider (€1.5 million), a German hospital (€105,000), and a Portuguese hospital (€400,000).

We know that more will follow because the compliance failures that led to these fines are not unique to those who have been punished – they are commonplace across the demand and supply sides of the marketing industry.

Don't confuse consent with compliance

Many organisations assume that obtaining consent from users to collect and process their data ensures compliance. In reality, consent does not equate to compliance. Many brands operate under an illusion of compliance, when in fact they are routinely leaking personal data across their media supply chain and tolerating the unlawful collection and sharing of data by unauthorised third parties.

New research from Compliant reveals that, for healthcare and pharma brands in Europe, one of the biggest challenges relates to "piggybacking", where unauthorised cookies and tags collect data from brand websites without the advertiser’s permission. Piggybacking results in unconsented data being shared far and wide across the adtech ecosystem. The research reveals that businesses in the health and pharmaceuticals sectors are highly vulnerable to piggybacking, with an average site containing no fewer than 13 tags.

With every additional tag, the risk of unconsented personal data being unlawfully shared with third parties increases, as does the corresponding liability of the website owner. Significantly, the European Data Protection Board has indicated that advertisers could be jointly liable for the wrongful collection and use of data by connected third parties.

Another risk stems from data resellers that collect, organise, and sell data to advertisers and publishers. Here, there is some good news to report, with the average number of data resellers within European publishers' sites having dropped considerably since GDPR was enacted. Health and pharmaceutical websites are amongst the "cleanest" in this respect, with no data resellers picked up on health or pharmaceutical sites in the EU.

However, our research also reveals that although 91% of all EU brands now employ Consent Management Platforms (CMPs) on their owned and operated sites, 88% of these have consent irregularities resulting in data being passed before consent is received. This is a serious problem, as it exposes brands to severe regulatory risk.

The risk is very real. In our audit, we came across one major pharmaceutical brand’s site where the CMP was passing data before consent was given. Upon closer inspection, the website was found to have 11 vendor tags piggybacked into the site. In this, and many other cases, unconsented data is snowballing through the adtech value chain and exposing the brands responsible to the risk of highly punitive fines.
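The two findings described above, data passing before consent and tags piggybacked onto a site, can be checked against a recorded page load. The following is an added example, not Compliant's tooling or method: the hosts, timestamps, allow-lists and the rule that a piggybacked tag is an unapproved host loaded by another third-party script are all assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample of one recorded page load; every host and time is made up.
# Each entry: (ms since navigation, requested URL, URL of the script that initiated it).
SITE = "brand.example"
APPROVED_VENDORS = {"cmp.example", "analytics.example"}  # assumed: vendors the brand contracted
ALLOWED_BEFORE_CONSENT = {"cmp.example"}                 # assumed: only the consent banner itself
CONSENT_AT_MS = 4200                                     # when the visitor clicked "accept"

REQUESTS = [
    (120,  "https://cmp.example/banner.js",           "https://brand.example/"),
    (340,  "https://analytics.example/tag.js",        "https://brand.example/"),
    (900,  "https://sync.adtech.example/pixel?id=1",  "https://analytics.example/tag.js"),
    (4600, "https://analytics.example/collect",       "https://analytics.example/tag.js"),
    (4700, "https://dmp.example/match",               "https://sync.adtech.example/pixel?id=1"),
]

def host(url):
    return urlparse(url).hostname or ""

def is_first_party(h):
    return h == SITE or h.endswith("." + SITE)

def audit(requests, consent_at_ms):
    """Return third-party hosts contacted before consent and piggybacked tags.

    consent_at_ms=None means the visitor never consented, so every request
    outside ALLOWED_BEFORE_CONSENT counts as a pre-consent transfer.
    """
    pre_consent, piggybacked = [], []
    for ts, url, initiator in requests:
        h = host(url)
        if is_first_party(h):
            continue
        no_consent_yet = consent_at_ms is None or ts < consent_at_ms
        if no_consent_yet and h not in ALLOWED_BEFORE_CONSENT:
            pre_consent.append(h)
        # Unapproved host pulled in by another third-party script, not by the site.
        if h not in APPROVED_VENDORS and not is_first_party(host(initiator)):
            piggybacked.append((h, host(initiator)))
    return {"pre_consent": pre_consent, "piggybacked": piggybacked}

if __name__ == "__main__":
    report = audit(REQUESTS, CONSENT_AT_MS)
    for h in report["pre_consent"]:
        print("fired before consent:", h)
    for h, via in report["piggybacked"]:
        print("piggybacked:", h, "loaded via", via)
```

On the sample, the approved analytics tag is flagged for firing before consent, and two hosts that the brand never contracted appear only because that tag, and then its own partner, loaded them.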

Putting customers first

Of course, while avoiding fines and brand damage is an important consideration for healthcare firms, most will have a greater priority: protecting people from any unintended negative consequences of their digital footprint.

The more we digitise our lives, the more data we share about ourselves; the more data we share, the more it can be weaponised against us, and the more vulnerable we become to abuse. The more exposed we are, the more we depend on privacy law and data ethics to protect us from real harm – extortion, persecution, discrimination, identity theft, and so on.

So, as we consider privacy risks in digital media, we must always consider the unintended consequences of data collection, particularly in the healthcare sector, which routinely collects some of the most sensitive and personal datasets imaginable: those relating to individuals' health.

Three ways to enhance compliance

While privacy compliance in digital media is a significant challenge for advertisers in the healthcare and pharmaceuticals sectors, there are positive actions that companies can take right now:

  1. Embed always-on compliance monitoring. Take advantage of automated tools that continuously monitor, measure, and benchmark risk across your media supply chain. This allows you to respond rapidly to risk and informs your ongoing strategic priorities.
  2. Understand your media supply chain. Real-time risk reporting requires full transparency of your media supply chain – who has access to data, what they use it for, who they share it with, and what they do with it. Use this information to take decisive action to increase discipline and reduce compliance risk.
  3. Experiment with a portfolio of privacy-safe solutions. It's time to let go of the rice in the coconut and make do with available alternatives, such as first-party data IDs, publisher provided IDs, contextual advertising, data cleanrooms, etc.

Companies that search for solutions that serve the interests and expectations of their consumers are less likely to bet on the wrong horse in the long run. And building discipline, transparency and resilience into their media ecosystem will accelerate decision-making, reduce the time taken to innovate and, paradoxically, encourage risk-taking. Companies that invest in always-on, automated privacy compliance will soon become the ones to beat.

So, are you still holding onto the rice of tracking cookies and personal data? If so, now's the time to let go. The internet is rapidly evolving into a privacy-first model, and those who evolve the fastest and adopt new models will be best placed to thrive over the long term. The rest will still have their hand in the trap when the hunter returns.

About the author

Jamie Barnard is the CEO of Compliant, which develops compliance technology for the digital ad industry and publishes the Data Safety Index. Barnard joined Unilever as a marketing lawyer in 2007 after six years acting in London creative agencies and a brief affair with the music business. He is recognised internationally as an expert in privacy and public policy, and a published authority on ethics in data and AI. Before joining Compliant, Barnard was a member of Meta's Global and EMEA Policy Councils, co-chair of the World Federation of Advertisers Digital Governance Exchange, and chair of ISBA's Data & Ethics Steering Committee. He is happiest on the water or in the mountains – any sport that involves a board, lots of friends, big open spaces, and adrenaline.

17 February, 2023