Health-related websites may be sharing details of users’ illnesses or conditions with advertisers “without a lawful basis”, the Data Protection Commission has found.
Popular Irish websites, including health-related sites, are using third-party trackers or “cookies” without obtaining the proper consent of users, according to a report by the commission published on Tuesday.
An analysis of 40 websites operated by what the commission said are some of the “most well-known” organisations in insurance, sport and leisure, the public sector, media and publishing, the retail sector, and restaurants and food ordering services, found a lack of compliance with privacy and data protection regulations.
Third-party tracking on a number of health-related websites was a “particular cause for concern”, the commission said, especially where “explicit profiles of known users/customers (such as in a health insurance context)” may have been built by the data controllers of the website.
“For example, health insurance websites were found to be using advertising and targeting cookies, including cookies set by the Google-owned DoubleClick.”
The lack of clarity from a public sector organisation providing health-related information about its use of cookies was also “concerning”, the commission said.
Across health-related sites the commission was concerned that “special category data”, such as details of illnesses or conditions a user may search for on such sites, was being shared with parties such as Google and Facebook through the use of either explicit profiles of logged-in customers, or through “predictive profiles based on unique identifiers”.
In these cases, the data controller of the sites “may potentially be processing special category data and sharing it with third-parties, including advertisers, without a lawful basis”.
However, the commission found “the worst sector” in terms of poor practices and, in particular, poor understanding of the “ePrivacy Regulations” and their purpose, appeared to be the restaurants and food-ordering sector, where particular deficits with the setting of cookies and the retention of customers’ personal data were detected.
While the report was published on Tuesday of this week, the analysis of the sites was conducted between August and December of last year, before the coronavirus pandemic hit. However, the commission has only this week issued new guidance to the website controllers and will allow a six-month period for compliance, “after which action up to and including enforcement action will be considered”.
Of the controllers of the 40 websites assessed, one was subsequently given a deferral on the basis that an entirely new website was under development, while another controller did not respond to any of the commission’s correspondence and the commission “may consider further action in that regard”.
One third of the controllers were given a “red grading” by the commission, based not only on the “very poor quality of their responses” but also on bad practices with cookie banners, the setting of multiple cookies without consent, badly designed cookies policies or privacy policies, and a lack of clarity about whether they understood the purposes of the ePrivacy legislation.
Just two controllers were given a “green” rating, indicating they were substantially compliant, while 20 were graded “amber”, indicating at least one “serious concern”, with three having a borderline amber-to-red grade.