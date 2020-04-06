Irish healthcare companies may be sharing details of people’s illnesses with Google, Facebook and a host of advertising companies, the Data Protection Commissioner has found.

In a damning report published today, Helen Dixon’s office says that Irish organisations are letting ‘cookies’ run riot across their websites and, in some instances, may be allowing them to capture sensitive medical queries for the purpose of passing them on to advertising firms.

The report concluded that the situation is “particular cause for concern”.

“We are concerned that special category data, such as details of illnesses or conditions a user may search for on such sites, is being shared with parties such as Google and Facebook through the use of either explicit profiles of logged-in customers, or through predictive profiles based on unique identifiers,” said the Data Protection Commission (DPC) report.

“In these cases, the controller may potentially be processing special category data and sharing it with third-parties, including advertisers, without a lawful basis.”

While not naming the companies implicated, the report highlighted one health insurer that allows trackers on its website to follow users around and cash in.

“Given that a Facebook cookie to deliver real-time bidding for ads from third party advertisers was also set on this website, it appears likely users are being targeted based on what they search for, including health information,” said the report. “The likelihood that the websites and third parties are processing special category data on foot of a user’s searches or other interactions with health websites on which trackers are embedded is high.”

This may even go as far as tracking what users type into search fields within the website, the DPC concluded.

“It is notable that at least one of the health insurance websites examined in this sweep uses third party cookies from Hotjar to track user behaviour on the site… Hotjar may capture video footage of precisely how a user navigates the site, including details of the text entered into boxes and search fields.”

Last year, a Financial Times investigation exposed how some of the UK’s most popular websites were sharing highly sensitive medical information to Google, Amazon and Facebook, as well as a number of ‘data brokers’ and online advertising firms.

The sensitive data included medical symptoms, diagnoses, drug names and menstrual and fertility information.

The findings come in an overall investigation by the DPC into whether Irish companies and public sector organisations are adhering to ‘cookie’ laws that are supposed to curb the worst of the internet’s online tracking and privacy incursions.

A ‘cookie’ is a small piece of code that follows a web user around the internet. It is a common reason why people see the same ads on different websites or social media, or why they may see an ad for something they have just searched for online.

The DPC investigated 38 organisations, ranking most of them poorly. It concluded that few Irish websites give users the true power to opt out of cookies, labelling most cookies notices as misleading or misunderstood.

“It is our view that almost all of the sites continue to have compliance issues, ranging from minor to serious,” the report says.

Other than health firms, the report described non-compliance from banking, insurance, media and restaurant companies, described as “the worst offenders”.

One bank “combined information entered into loan calculation forms with information derived from cookies”, potentially revealing sensitive personal financial information.

One unnamed media company “used a third-party GPS tracking cookie to register a unique ID on a mobile device to enable tracking based on GPS location. Any cookies or tracking technologies that involve the processing of data on the precise location of a user or a device require consent”.

Of the 38 organisations investigated, 32 were given an ‘amber’ or ‘red’ rating, signifying partial or total non-compliance with cookie laws.

A ‘red’ mark, the report says, means “bad practices with cookie banners, the setting of multiple cookies without consent, badly designed cookies policies or privacy policies, and a lack of clarity about whether they understood the purposes of the ePrivacy legislation”.

The DPC found that websites force users into accepting cookies with little choice to decline.

“Most websites with cookie banners had an interface that favoured an ‘accept’ option, without an option to ‘reject’ cookies,” it said. “Even where they did have an option to learn more about cookies, in many cases this did not include a layered option to accept or reject cookies by function. A so-called nudging approach to the web design is therefore common, with users effectively forced into accepting all cookies.”

