Legal Note:
This is not legal advice, but rather information and guidelines on new US State Data Privacy and Consumer Health laws and AdRoll's services. The guidelines may change over time to reflect updated best practices. You should consult with your own counsel, privacy professionals, and/or internal resources to determine a comprehensive and appropriate solution for your business and marketing activities.
Overview
Recent US Data Privacy laws implemented across various states have introduced significant implications for the lawful collection of health-related data, specifically categorized as 'sensitive personal information' or 'consumer health data.' This encompasses the gathering of cookie identifiers and IP addresses in conjunction with specific page views on your websites, particularly if they pertain to information, products, or services related to health that fall within the broad definitions of 'sensitive personal information' or 'consumer health' as outlined in US Data Privacy laws.
Moreover, it's crucial to note that the act of collecting such data for targeted advertising is classified as a 'sale' of health or sensitive data according to the new privacy laws. Consequently, obtaining written express consent may be a prerequisite before the data can be gathered and utilized for targeted advertising purposes.
Do You Need to Comply?
Ultimately, you know your business better than anyone. It's essential for you to determine if your business must comply with these laws. AdRoll cannot provide legal advice, but using AdRoll's technology for marketing and data insights can require compliance with US Data Privacy and Health Data regulations if your business offers products or services that are related to health under the various definitions of consumer health data or sensitive personal information. AdRoll's technology drops a cookie ID and collects IP addresses and website URL page view information to enable targeted marketing to your website visitors and potential customers. This data collection may trigger US Data Privacy laws when your website pages pertain to a visitor's health, reveal a mental or physical health diagnosis, or disclose a site visitor's sexual orientation.
Examples of Data Collection that May Trigger US Data Privacy Laws
For instance, if your business facilitates connections between patients and healthcare providers for elective surgeries, pages where customers request medical appointments or purchase medical devices or medications could potentially fall under data categorized as consumer health data or information revealing physical or mental conditions or diagnoses.
Imagine a scenario where Sandra, a site visitor, explores your orthopedicsurgerynow.com website to book surgery for a torn meniscus. If AdRoll technology is active on the booking page, it will drop a cookie, collect the IP address, and record the page URL visited. This data could be considered either the collection and analysis of Sandra's health data or the collection of data revealing a physical condition or diagnosis (e.g., a torn meniscus), and may be subject to US Data Privacy laws.
Defining Sensitive Personal Information as Health Data
Several states have instituted restrictions on the collection of "sensitive personal information," explicitly including health-related data:
Under the CCPA/CPRA, sensitive personal information encompasses "personal information collected and analyzed concerning a consumer's health."
Sensitive personal information includes "personal data revealing a mental or physical health diagnosis or sexual orientation."
Sensitive personal information and consumer health data includes, “data revealing [or used to identify] . . . a [consumer’s] mental or physical health condition or diagnosis, sex life, sexual orientation.”
Sensitive data means personal data that includes, “data revealing . . . a mental or physical health condition or diagnosis or the processing of genetic or biometric data for the purpose of uniquely identifying an individual.” [Effective Oct. 1, 2024]
Consumer health data means personally identifiable information used to identify the past, present or future health status of the consumer and includes any health condition, status, disease, or diagnosis. There is a carve-out for consumer health data that may identify the shopping habits or interests of a consumer so long as the information is not used to identify the specific past, present or future health status of the consumer.
Sensitive data means personal data that “reveals . . . a mental or physical condition or diagnosis or is genetic or biometric data.” [Effective July 1, 2024].
Sensitive data includes "personal data revealing . . . a mental or physical health diagnosis or genetic or biometric data that is processed for the purpose of uniquely identifying an individual." [Effective July 1, 2024].
Sensitive personal information is defined as, “personal data that reveals . . . information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional . . . or sexual orientation.”
Sensitive personal information is defined as, “personal data revealing . . . mental or physical health diagnosis, sexual orientation.”
Consumer Health Data is defined as “a consumer’s past, present, or future physical or mental health status” and includes information regarding health conditions, treatment, diagnosis, reproductive or sexual health, gender-affirming care, genetic data and location data that could reasonably indicate a consumer’s attempt to acquire health services or supplies. The Act aims to protect the privacy of consumer health data that falls outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”).
Obtaining Written Consent for the Sale of Consumer Health Data
Certain US states, including Washington, Nevada, and Connecticut, now mandate explicit or written consent for the sale of consumer health data. AdRoll does not provide legal advice, but we can assist in configuring technology to facilitate the use of written-consent opt-in banners for compliance within your company. For more information, please contact support@adroll.com.
Federal Legal Considerations
The Federal Trade Commission (FTC) has taken enforcement action against BetterHelp and GoodRx for mishandling consumer health data used for advertising services. In the case of GoodRx, the FTC imposed a $1.5 million civil penalty for failing to notify consumers and others about unauthorized disclosures of personal health information to companies like Facebook and Google for advertising purposes. BetterHelp was ordered to pay $7.8 million for sharing consumers' health data, including sensitive mental health information, with third parties like Facebook and Snap for advertising purposes.
AdRoll Compliance with Health Data Collection Restrictions
- To ensure compliance with laws restricting the collection of consumer health data or sensitive personal information, review the placement of the AdRoll pixel on your website to avoid collecting personal data on pages containing health-related information or information revealing mental or physical conditions or diagnoses of site visitors. For guidance, please reach out to support@adroll.com.
- To address compliance with California's CCPA, AdRoll's technology respects the Global Privacy Control (GPC) signal and refrains from collecting personal information from site visitors whose browsers are configured to send it. This limits the collection of sensitive information under CCPA. Note that GPC is honored only for the AdRoll pixel; consult with a professional if other tags or scripts on your site collect data that NextRoll's GPC handling does not cover.
- AdRoll will block data collection for website visitors from Washington and Nevada based on the IP address of the website visitor for existing and new customers in the healthcare industry effective March 28, 2024.
- For states like Connecticut and Colorado that require opt-in consent for the collection of sensitive personal information or written consent for the sale of personal health data, opt-in banners may be used. Consult with a legal expert or privacy professional to explore your compliance options for your business, and contact support@adroll.com to discuss possible methods for syncing opt-in or written consent with AdRoll technology.
Google Tag Manager and Pixel Placement
To exclude specific page(s) from pixel tracking, edit the triggering for your SmartPixel GTM tag (the one with your account and pixel IDs) so that the health-related pages become a trigger exception:
- Edit Triggering Rules: Locate the triggering rules at the bottom of your tag in Google Tag Manager. Click the pencil icon to modify them.
- Add an Exception: Select "Add Exception." This opens the "Choose trigger" module.
- Create a New Trigger: Click the "+" icon to add a new trigger.
- Configure Page View Trigger: Create a Page View trigger that fires on "Some Page Views" where Page Path starts with (or contains) "/[desired_path_to_block]". Because this trigger is attached as an exception, the tag will not fire on pages that match it.
- Save Your Changes: Save the new trigger, confirm that it is listed as an exception on the tag, and save the tag.
- Publish Updates: Publish the container in Google Tag Manager so the change takes effect. Verify with GTM Preview mode that the tag does not fire on the excluded pages.
Read this Tag Manager Help Center article to learn more about firing triggers and trigger exceptions.
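If you load the pixel from your own script rather than through GTM, the same two gates described above (skip health-related pages, honor the browser's Global Privacy Control signal) can be enforced client-side before the pixel is ever loaded. The following is an added example written for this page, not AdRoll's own code; the list of health-related path prefixes, the `optInRequired` flag for opt-in states, and the loader callback are assumptions for illustration.

```javascript
// Added example (not AdRoll's code): decide whether a marketing pixel may load
// on the current page, based on the page path, the browser's Global Privacy
// Control signal (navigator.globalPrivacyControl), and an optional opt-in flag.

// Constructed list of path prefixes for pages that reveal a health condition,
// diagnosis, or an attempt to obtain health services or supplies (assumption).
const HEALTH_PATH_PREFIXES = [
  "/book-surgery",
  "/appointments",
  "/pharmacy/checkout",
  "/conditions/",
];

// Normalise a path so prefix matching cannot be bypassed by letter case,
// a missing leading slash, or percent-encoded characters such as %2F.
function normalizePath(pathname) {
  let p;
  try {
    p = decodeURIComponent(String(pathname));
  } catch (e) {
    p = String(pathname); // malformed encoding: fall back to the raw value
  }
  p = p.toLowerCase();
  if (!p.startsWith("/")) p = "/" + p;
  return p;
}

// True when the path is a blocked page or anything beneath it.
// "/appointments" matches "/appointments" and "/appointments/new",
// but not "/appointments-policy".
function isHealthPath(pathname, prefixes = HEALTH_PATH_PREFIXES) {
  const p = normalizePath(pathname);
  return prefixes.some((raw) => {
    const pre = raw.toLowerCase().replace(/\/+$/, ""); // strip trailing slash
    return p === pre || p.startsWith(pre + "/");
  });
}

// Evaluate the gates in order and return the decision with a reason so it can
// be logged. gpcSignal is navigator.globalPrivacyControl (true = opted out).
// optInRequired/consentGiven model the written-consent banner for opt-in states
// (assumption: your banner records consent as a boolean).
function pixelDecision({ pathname, gpcSignal, optInRequired = false, consentGiven = false }) {
  if (gpcSignal === true) return { load: false, reason: "gpc_opt_out" };
  if (isHealthPath(pathname)) return { load: false, reason: "health_page" };
  if (optInRequired && consentGiven !== true) return { load: false, reason: "no_consent" };
  return { load: true, reason: "allowed" };
}

// Browser entry point: run the decision against the current page and call the
// caller-supplied loader (hypothetical) only when allowed. Guarded so the file
// can also be loaded under Node for testing, where window is undefined.
function loadPixelIfAllowed(loader, opts = {}) {
  if (typeof window === "undefined" || typeof navigator === "undefined") return null;
  const decision = pixelDecision({
    pathname: window.location.pathname,
    gpcSignal: navigator.globalPrivacyControl,
    ...opts,
  });
  if (decision.load) loader();
  return decision;
}

if (typeof module !== "undefined") {
  module.exports = { HEALTH_PATH_PREFIXES, normalizePath, isHealthPath, pixelDecision, loadPixelIfAllowed };
}
```

This gate is a client-side complement to the GTM exception, not a replacement for AdRoll's server-side GPC handling or the IP-based blocking for Washington and Nevada visitors, which cannot be enforced from the browser. The path check decodes and lower-cases the URL first; a plain `startsWith` on the raw path would be bypassed by `/Book-Surgery` or `/book-surgery%2Fknee`.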