What to look for in Web privacy practices
by Larry Stevens, Medicine
on the Net, May 2000:12-13
Healthcare Web sites need to learn how to keep secrets better. That was
the finding of one private organization. And the FTC is also looking
into the matter.
The privacy problems with healthcare Web sites were first unearthed by
the California HealthCare Foundation (CHCF) and released in a report
entitled: "Report
on the Privacy Policies and Practices of Health Web Sites."
After the report was published, the Federal Trade Commission (FTC) decided
to determine if healthcare Web sites are sharing personal information
on their viewers with partners, advertisers, or other third-party entities.
The CHCF report studied 21 sites (see table 1). It found that while 19
of the sites have privacy policies, the policies generally "don't
provide adequate notice" about when and how information is collected
on visitors and whether the information is shared with business partners
such as advertisers, content providers, or providers of co-branded services.
According to the report, only eight of the sites provide users with access
to the personal information that they submitted voluntarily, and none
of the sites allows users to look at the data collected by third-party
organizations.
Privacy policies are also not always easy to locate. Sixteen of the 19
Web sites with privacy policies provide only a link buried at the bottom
of the home page.
"Users simply browsing a site are less likely to click on the privacy
policy,"
the report states. The report also notes that many of the health privacy
policies
"are confusing and inconsistent," are written in legal jargon,
and use inconsistent language.
There are other confusing factors. For example, iVillage has three distinct
privacy policies. One is for iVillage generally and appears on all pages.
But iVillage contracts with AllHealth, which in turn contracts with WellMed,
each of which has its own policy.
Even if the policies at the sites are adequate, the report notes that
the vast majority of the surveyed sites don't extend their privacy policies
to outside entities such as business partners. In fact, some sites lead
users off their site, in which case the privacy policy will not apply.
For example, when AltaVista users click on "Health and Fitness" they
are jumped to http://www.health.altavista.com ,
which sports the AltaVista logo. But when they click on any option, they
go to HealthCentral (http://www.healthcentral.com),
at which point the AltaVista privacy policy no longer applies.
Reason for concern
"Based on what we've seen, there's reason to be concerned that there
are a number of health companies out there that are not keeping their
promises to consumers about the way they're handling personal information," said
FTC official Richard Cleland, in a Wall Street Journal article.
This FTC action follows an inquiry of Internet advertising company DoubleClick,
Inc. (http://www.doubleclick.com/).
That probe is relevant to the health site inquiry because many health
sites use DoubleClick. Since DoubleClick has a network of sites for which
it handles banner ads, it can track users as they travel from site to
site if the users remain within the DoubleClick network. In this way,
it can profile user behavior. However, in order for DoubleClick to connect
users with their name and addresses (as opposed to simply measuring anonymous
consumer data), it must include each site's user database in its own
database. A DoubleClick company spokesperson said the company has been
slow to do this, and only has about 10 or so sites on its database. So
at present, it cannot track specific users. The company is also taking
a number of steps to ease privacy concerns, including hiring PricewaterhouseCoopers
LLP to audit its compliance with its stated privacy policies.
Still, there is certainly the potential for abuse, and consumers are
concerned. Another study by CHCF, this one based on a survey of 1,000
U.S. online adults, showed that 75% of those seeking health information
on the Web are concerned or very concerned about the sites' sharing their
personal health information without permission. "The industry has
the opportunity and responsibility to do the right thing to ensure that
consumer privacy is protected," says Mark D. Smith, MD, CHCF's CEO.