CDD


  • News

    CDD tells FTC to apply strong data privacy and security rules for health data

    Filing also focuses on role commercial surveillance marketers play targeting physicians and patients

    Washington, August 8, 2023: The Center for Digital Democracy (CDD) endorses the Federal Trade Commission’s (FTC) proposal to better protect health consumer and patient information in the digital era. CDD warned the commission in 2010, as well as in its 2022 commercial surveillance comments, that health data—including information regarding serious medical conditions—are routinely (and cynically) gathered and used for online marketing. This has placed Americans at risk—for loss of their privacy, health-decision autonomy, and personal financial security. The commercial surveillance health data digital marketing system also triggers major strains on the fiscal well-being of federal and private health insurance systems, creating demand for products and services that can be unnecessary and costly. The commission should “turn off the tap” of data flooding the commercial surveillance marketplace, including both direct and inferred health information. The commission can systemically address the multiple data flows—including those on Electronic Health Record (EHR) systems—that require a series of controls. EHR, or personal health record systems, have served as a digital “Achilles heel” of patient privacy, with numerous commercial entities seizing that system to influence physicians and other prescribers as well as to gain insights used for ongoing tracking. The commercialization of health-connected data is ubiquitous, harvested from mobile “apps,” online accounts, loyalty programs, social media posts, data brokers, marketing clouds and elsewhere. Given the contemporary commercial data analytic affordances to generate insights and actions operational today, information gathered for other purposes can be used to generate health-related data. Health information can be combined with numerous other datasets that can reveal ethnicity, location, media use, etc., to create a robust target marketing profile.
As programmatic advertising trade publication “AdExchanger” recently noted, “sensitive health data can be collected or revealed through dozens of noncovered entities, from location data providers to retail media companies. And these companies aren’t prevented from sharing data, unless the data was sourced from a covered entity.” The FTC’s Health Breach Notification Rule (HBNR) proposal comes at an especially crucial time for health privacy in the U.S. A recent report on “The State of Patient Privacy,” as noted by Insider Intelligence/eMarketer in July 2023, shows that a majority of Americans “distrust” the role that “Big Tech Companies” play with their health data. A majority of patients surveyed explained that “they are worried about security and privacy protections offered by vendors that handle their health data.” Ninety-five percent of the patients in the survey “expressed concern about the possibility of data breaches affecting their medical records.” These concerns, we suggest, reflect consumer unease regarding their reliance on the online media to obtain health information. For example, “half of US consumers use at least one health monitoring tool,” and “healthcare journeys often start online,” according to the “Digital Healthcare Consumer 2023” report. There is also a generational shift in the U.S. underway, where at least half of young adults (so-called Generation Z) now “turn to social media platforms for health-related purposes either all the time or often…via searches, hashtags QR codes…[and] have the highest rate of mobile health app usage.” The Covid-19 pandemic triggered greater use of health-related apps by consumers. So-called “telehealth” services generate additional data as well, including for online “lead generation.” The growing use of “digital pharmacies” is being attributed to the rising costs of medications—another point where consumer health data is gathered. 
The FTC should ensure the health data privacy of Americans who may be especially vulnerable—such as those confronting financial constraints, pre-existing or at-risk conditions, or who have long been subjected to predatory and discriminatory marketing practices—and who are especially in need of stronger protections. These should include addressing the health-data-related operations from the growing phalanx of retail, grocery, “dollar,” and drug store chains that are expanding their commercial surveillance marketing operations (so-called “retail media”), while providing direct-to-consumer delivered health services. Electronic Health Record systems are a key part of the health and commercial surveillance infrastructure: EHRs have long served as “prime real estate for marketers…[via] data collection, which makes advanced targeting a built-in benefit of EHR marketing.” EHRs are used to influence doctors and other prescribers relying on what’s euphemistically called point-of-care marketing. Marketing services for pharmaceutical and other life science companies can be “contextually integrated into the EHR workflow [delivered] to the right provider at the right time within their EHR [using] awareness messaging targeted on de-identified real-time data specific to the patient encounter.” Such applications are claimed to operate as “ONC-certified and HIPAA-compliant” (ONC stands for “Office of the National Coordinator for Health Information,” HHS). The various, largely unaccountable, methods used to target and influence how physicians treat their patients by utilizing EHRs raise numerous privacy and consumer protection issues. For example, “EHR ads can appear in several places at all the stages along the point-of-care journey,” one company explained. 
Through an “E-Prescribing Screen,” pharma companies are able to offer “co-pay coupons, patient savings offers and relevant condition brand messaging.” Data used to target physicians, including prescription information derived from a consumer, using EHR systems, help trigger more information from and about a health consumer (think about the subsequent role of drug stores, search engines and social media use, gathering of data for coupons, etc.). This “non-virtuous” circle of health surveillance should be subjected to meaningful health data breach and security safeguards. Patient records on EHRs must be safeguarded and the methods used to influence healthcare professionals require major privacy reforms. Contemporary health data systems reflect the structures that comprise the overall commercial surveillance apparatus, including databrokers, marketing clouds, AI: The use of digital marketing to target U.S. health consumers has long been a key “vertical” for advertisers. For example, there are numerous health-focused subsidiaries run by the leading global advertising agencies, all of which have extensive data-gathering and targeting capabilities. These include Publicis Health: “Our proprietary data and analytics community, paired with the unsurpassed strengths of Sapient and Epsilon allow us to deliver unmatched deterministic, behavioral, and transactional data, powered by AI.” IPG Health uses “a proprietary…media, tech and data engine [to] deliver personalized omnichannel experiences across touchpoints.” Its “comprehensive data stack [is] powered by Acxiom.” Ogilvy Health recently identified some of the key social media strategies used by pharmaceutical firms to generate consumer engagement with their brands—helping generate invaluable data. 
They include, for example, a “mobile-first creative and design approach,” including the use of “stickers, reels, filters, and subtitles” on Instagram as well as “A/B testing” on Facebook and the use of “influencers.” A broad range of consumer-data-collecting partners also operates in this market, providing information and marketing facilitation. Google, Meta, Salesforce, IQVIA, and Adobe are just a few of the companies integrated into health marketing services designed to “activate customer journeys (healthcare professionals and patients) across physical and digital channels [using] real-time, unified data.” Machine learning and AI are increasingly embedded in the health data surveillance market, helping to “transform sales and marketing outcomes,” for example. The use of social media, AI and machine learning, including for personalization, raises concerns that consent is insufficient alone for the release of patient and consumer health information. The commission should adopt its proposed rule, but also address the system-wide affordances of commercial surveillance to ensure health data is truly protected in terms of privacy and security. The commission should endorse a patient health record information definition that reflects both the range and type of data collected, but also the processes used to gather or generate it. The prompting and inducement of physicians, for example, to prescribe specific medications or treatments to a patient, based on the real-time “point-of-care” information transmitted through EHRs, ultimately generate identifiable information. So any interaction and iterative process used to do so should be covered under the rule, reflecting all the elements involved in that decision-making and treatment determinative process. 
By ensuring that all the entities involved in this system—including health care services or suppliers—must comply with data privacy and security rules, the commission will critically advance data protection in the health marketplace. This should include health apps, which increasingly play a key role in the commercial data-driven marketing complex. All partnering organizations involved in the sharing, delivering, creating and facilitation of health record information should also be held accountable. We applaud the FTC’s work in the health data privacy area, including its important GoodRx case and its highlighting the role that “dark patterns” play in “manipulating or deceiving consumers.” Far too much of the U.S. health data landscape operates as such a “dark pattern.” The commission’s proposed HBNR rules will illuminate this sector, and, in the process, help secure greater privacy and protection for Americans.
  • FTC Commercial Surveillance Filing from CDD focuses on how pharma & other health marketers target consumers, patients, prescribers

    “Acute Myeloid Lymphoma,” “ADHD,” “Brain Cancer,” “High Cholesterol,” “Lung Cancer,” “Overweight,” “Pregnancy,” “Rheumatoid Arthritis,” “Stroke,” and “Thyroid Cancer.” These are just a handful of the digitally targetable medical condition “audience segments” available to surveillance advertisers. While health and medical condition marketers—including pharmaceutical companies and drug store chains—may claim that such commercial data-driven marketing is “privacy-compliant,” in truth it reveals how vulnerable U.S. consumers are to having some of their most personal and sensitive data gathered, analyzed, and used for targeted digital advertising. It also represents how the latest tactics leveraging data to track and target the public—including “identity graphs,” artificial intelligence, surveilling-connected or smart TV devices, and a focus on so-called permission-based “first-party data”—are now broadly deployed by advertisers—including pharma and medical marketers. Behind the use of these serious medical condition “segments” is a far-reaching commercial surveillance complex including giant platforms, retailers, “Adtech” firms, data brokers, marketing and “experience” clouds, device manufacturers (e.g., streaming), neuromarketing and consumer research testing entities, “identity” curation specialists and advertisers... We submit as representative of today’s commercial surveillance complex the treatment of medical condition and health data. It incorporates many of the features that can answer the questions the commission seeks. 
There is widespread data gathering on individuals and communities, across their devices and applications; techniques to solicit information are intrusive, non-transparent, and out of meaningful scope for consumer control; these methods come at a cost to a person’s privacy and pocketbook, and potentially have significant consequences to their welfare. There are also societal impacts here, for the country’s public health infrastructure as well as with the expenditures the government must make to cover the costs for prescription drugs and other medical services... Health and pharma marketers have adopted the latest data-driven surveillance-marketing tactics—including targeting on all of a consumer’s devices (which today also includes streaming video delivered by Smart TVs); the integration of actual consumer purchase data for more robust targeting profiles; leveraging programmatic ad platforms; working with a myriad of data marketing partners; using machine learning to generate insights for granular consumer targeting; conducting robust measurement to help refine subsequent re-targeting; and taking advantage of new ways to identify and reach individuals—such as “Identity Graphs”—across devices. [complete filing for the FTC's Commercial Surveillance rulemaking attached] cddsurveillancehealthftc112122.pdf
    Jeff Chester
  • WASHINGTON, DC – October 18, 2017—A number of brands of “smartwatches” intended to help parents monitor and protect young children have major security and privacy flaws which could endanger the children wearing them. A coalition of leading U.S. child advocacy, consumer, and privacy groups sent a letter to the Federal Trade Commission (FTC) today, asking the agency to investigate the threat these watches pose to children. Smartwatches for children essentially work as a wearable smartphone. Parents can communicate with their child through the mobile phone function and track the child’s location via an app. Some product listings recommend them for children as young as three years old. Groups sending the letter to the FTC are the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD), the Campaign for a Commercial-Free Childhood (CCFC), the Consumer Federation of America, Consumers Union, Public Citizen, and U.S. PIRG. The advocacy groups are working with the Norwegian Consumer Council (NCC), which conducted research showing that watches sold in the U.S. under the brands Caref and SeTracker have significant security flaws, unreliable safety features, and policies which lack consumer privacy protections. In the EU, groups are filing complaints in Belgium, Denmark, the Netherlands, Sweden, Germany, the UK, and with other European regulators. “By preying upon parents’ desire to keep children safe and, these smart watches are actually putting kids in danger,” said CCFC’s Executive Director Josh Golin. “Once again, we see Internet of Things products for kids being rushed to market with no regard for how they will protect children’s sensitive information. 
Parents should avoid these watches and all internet-connected devices designed for kids.” The NCC’s research showed that with two of the watches, a stranger can take control of the watch with a few simple steps, allowing them to eavesdrop on conversations the child is having with others, track and communicate with the child, and access stored data about the child’s location. The data is transmitted and stored without encryption. The watches are also unreliable: a geo-fencing feature meant to notify parents when a child leaves a specified area, as well as an “SOS” function alerting parents when a child is in distress, simply do not work. The manufacturers’ data practices also put children at risk. Some devices have no privacy policies at all, and the policies that do exist lack basic consumer protections, including seeking consent for data collection, notifying users of changes in terms, and allowing users to delete stored data. “The Trump Administration and the Congress must bring America’s consumer product safety rules into the 21st century,” said Jeff Chester of the Center for Digital Democracy. “In the rush to make money off of kids’ connected digital devices, manufacturers and retailers are failing to ensure these products are truly safe. In today’s connected world that means protecting the privacy and security of the consumer—especially of children. Both the FTC and the Consumer Product Safety Commission must be given the power to regulate the rapidly growing Internet of Things marketplace.” The Caref (branded Gator in Europe) and SeTracker smartwatches are available online through Amazon. The groups have asked the FTC to act quickly to investigate these products, and they advise parents to refrain from buying the products because of the danger they could pose to children. The NCC, which conducted the testing of the watches, advises consumers who have already purchased the watches to stop using them and uninstall the app. 
“The Federal Trade Commission must be proactive in protecting consumers—especially vulnerable young children—from harmful products that abuse technology for the sake of profit,” said Kristen Strader, Campaign Coordinator for Public Citizen. “Smartwatches and similar devices must be absolutely safe and secure before they are released to the public for sale.” Ed Mierzwinski, Consumer Program Director at U.S. PIRG, said, "Companies making any internet-connected devices, but especially for children, need to ensure that privacy and security are more than breakable — or worse, hackable — promises." Katie McInnis, technology policy counsel for Consumers Union, said, “When a company sells a smartwatch aimed at children, it must ensure the product is safe and secure. The FTC should launch an investigation into the privacy and security concerns surrounding these products to make sure families are safe.” The same trans-Atlantic coalition persuaded government authorities and retailers last December that the internet-connected dolls Cayla and i-Que Robot were spying on children and threatening their welfare, and retailers removed the toys from store shelves. The FBI subsequently issued a warning to consumers that internet-connected toys could put the privacy and safety of children at risk.

    For more information, please see the following:

    Letter to FTC by coalition of leading U.S. child advocacy, consumer, and privacy groups (link below)
    Press Release by US coalition of leading U.S. child advocacy, consumer and privacy groups (link below)
    #WatchOut Report by Norwegian Consumer Council (link below)
    Press Release by Norwegian Consumer Council (link below)
    #WatchOut English - YouTube (http://bit.ly/2ghNoD1)
    #WatchOut - longer video explainer on security flaws 4:30 mins - YouTube (http://bit.ly/2xLYSVv)
    Jeff Chester
  • Project

    FTC Complaint on Digital Pharma & Health Marketing

    Complaint, Request for Investigation, Public Disclosure, Injunction, and Other Relief: Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, Everyday Health, and Others Named Below

    November 23, 2010 - Washington, DC: In a complaint filed today with the Federal Trade Commission, the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog, and the World Privacy Forum called on the commission to investigate unfair and deceptive advertising practices that consumers face as they seek health information and services online. Consumers now confront a sophisticated and largely stealth interactive medical marketing apparatus that has unleashed an arsenal of techniques designed to promote the use of specific brand drugs and influence consumers about treatments for health conditions. Much of the online health marketing system has been deliberately structured to collect personal information and other data on consumers, including through the use of free e-newsletters on specific medical concerns; discounts for prescription drugs and services; and via the growing number of other online data profiling techniques. Nearly $1 billion will be spent this year by online health and medical marketers targeting the growing number of U.S. consumers who increasingly rely on the Internet for information about medical problems, treatments, and prescription drugs. The online marketing health industry has presented to the FDA and the public a fairytale version of digital marketing, where all consumers become empowered “e-patients,” able to form powerful helping communities. But while the online medium provides medical information to those seeking access to resources and support, it has been structured to engage in aggressive tactics that threaten privacy, raise questions about the fair presentation of independent information, and advance the sales of prescription drugs and over-the-counter products. Pharma and other health online marketers are pressing the FDA for new rules that would allow them to expand digital and social media advertising. Before the FDA acts, it should await an investigation and a report by the FTC. 
The complaint to the Federal Trade Commission is attached.
  • Project

    CDD Asks FDA to Revise Its Proposed Research on the Digital Marketing of Drugs and Health Products

    CDD Asks Food and Drug Administration to Revise Its Proposed Research on the Digital Marketing of Drugs and Health Products

    Urges FDA to Gain Better Understanding of Impact of Digital Marketing on Patients and Health Consumers in order to Protect Public Health

    Washington, DC: The Center for Digital Democracy, in comments filed today with the Food and Drug Administration (FDA), urged the agency to significantly revise its proposed studies on the “Examination of Online Direct-to-Consumer Prescription Drug Promotion.” Citing the wide variety of techniques that pharmaceutical and health marketers use to target consumers online, CDD called for a more informed analysis that reflects how U.S. health consumers are actually marketed to on social networks, mobile phones, and via the Web. Among the marketing techniques that CDD cited that must be part of any FDA research are “the tracking and managing of the ‘patient journey’ online”; data collection; the use of social media analytics and related viral marketing; the role of eye tracking, multivariate testing and other Web page optimization techniques to influence perception and behavior; and the impact of immersive multimedia content and neuromarketing designed to stealthily foster consumer decision-making through non-conscious means. Today is the deadline for comments in FDA’s proposed new research “designed to test different ways of presenting prescription drug risk and benefit information on branded drug Web sites” (Docket No. 2011-N-0230). “While the FDA is to be commended for undertaking additional research before it issues further rules on digital and social media pharmaceutical marketing, we are concerned that the agency—responsible for protecting our health—still has a naïve view of how pharmaceutical digital marketing actually influences consumers,” explained CDD’s Executive Director Jeff Chester. “Online marketing is already an extensive, 360-degree juggernaut that features a wide range of techniques far beyond the scrolling text and banner ads the FDA seems to regard as state of the art. The agency should be in the forefront of ensuring U.S. 
health consumers have the safeguards they require as they increasingly rely on the Internet and social networks to make decisions about medications and medical treatments.” In its detailed 45-page filing, CDD called on the FDA “to re-conceptualize and update its understanding of digital DTC pharmaceutical marketing,” and pledged its support to assist the agency in expanding its inquiry. CDD urged the FDA to consult with leading independent academic experts and consumer organizations knowledgeable of digital marketing in order to revise its research efforts. CDD’s filing asked the FDA to investigate and develop consumer safeguards for practices used by pharmaceutical and health marketers, including data mining technologies; personalized and behavioral advertising; social media marketing; search engine optimization; rich media and online video applications; mobile and location marketing; unbranded websites; minority and youth marketing; and the use of neuromarketing and other immersive tactics designed to deliberately bypass the rational decision-making process of consumers.