If you are dealing with sensitive information of any kind (yes, this includes precise geolocation, ethnicity, sexual orientation, etc), but especially health information (and yes, reproductive health information too), do yourself a favor:
- Scan your website for third party trackers like Meta Pixel.
- Talk to your tech folks to understand better what is going on and whether this is going on behind a log-in.
- If you are a HIPAA covered entity, make sure your business associates do 1 and 2.
- Get a good privacy lawyer to make sure all is in order and that you are doing what needs done.
A new complaint has alleged that Quest Diagnostics is sharing information with Facebook. Per the complaint, the sharing pertains both to the general website and the patient protected website (post log-in).
The cited cause of action is under the California Invasion of Privacy Act which is under the California penal code. It prohibits: “Willfully and without the consent of all parties to the communication, or in any unauthorized manner….read(ing) or attempt(ing) to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or (using), or attempt(ing) to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or (aiding agreeing with, employing or conspiring) any person or persons to unlawfully do, or permit, or cause to be done any of the acts.”
This is also the cause of action in the Otonomo class action that involves the sharing of geolocation data.
This is important because:
- Recent study by The Markup showed that many hospitals are doing this too.
- There is a class action against Meta for same.
- The MA Cookie settlement was $18M for sharing health information (appointment details) with third parties without consent.
This is especially sensitive now because:
- The CPRA regs flag sensitive information.
- The FTC has flagged sensitive information
- VA CDPA required an opt in for sensitive information.
- The Federal bill is serious about sensitive information.
- You already KNOW GDPR is serious about sensitive information.