In this study we analyzed the content and marketing tactics of digital medicine companies to evaluate various types of cross-site tracking middleware used to extract health information from users without permission. More specifically, we examine how browsing data can be exchanged between digital medicine companies and Facebook for advertising and lead generation purposes. The analysis focused on a small ecosystem of companies offering services to patients within the cancer community that frequently engage on social media. Some companies in our content analysis may fit the legal definition of a personal health record vendor covered by the Federal Trade Commission; others are HIPAA covered entities. The findings of our analysis raise policy questions about what constitutes a breach under the Federal Trade Commission's Health Breach Notification Rule. Several examples demonstrate serious problems with inconsistent privacy practices and reveal how digital medicine dark patterns may elicit unauthorized data from patients and companies serving ads. Further, we discuss how these common marketing practices enable surveillance and targeting of medical ads to vulnerable patient populations, which may not be apparent to the companies targeting ads.