What to look for in Web privacy practices

by Larry Stevens, Medicine on the Net, May 2000:12-13

Healthcare Web sites need to learn how to keep secrets better. That was the finding of one private organization. And the FTC is also looking into the matter.

The privacy problems with healthcare Web sites were first unearthed by the California HealthCare Foundation (CHCF) and released in a report entitled "Report on the Privacy Policies and Practices of Health Web Sites."

After the report was published, the Federal Trade Commission (FTC) decided to determine if healthcare Web sites are sharing personal information on their viewers with partners, advertisers, or other third-party entities.

The CHCF report studied 21 sites (see table 1). It found that while 19 of the sites have privacy policies, the policies generally "don't provide adequate notice" about when and how information is collected on visitors and whether the information is shared with business partners such as advertisers, content providers, or providers of co-branded services.

According to the report, only eight of the sites provide users with access to the personal information that they submitted voluntarily, and none of the sites allows users to look at the data collected by third-party organizations.

Privacy policies are also not always easy to locate. Sixteen of the 19 Web sites with privacy policies provide only a link buried at the bottom of the home page. "Users simply browsing a site are less likely to click on the privacy policy," the report states. The report also notes that many of the health privacy policies "are confusing and inconsistent," are written in legal jargon, and use inconsistent language.

There are other confusing factors. For example, iVillage has three distinct privacy policies. One is for iVillage generally and appears on all pages. But iVillage contracts with AllHealth, which in turn contracts with WellMed, each of which has its own policy.

Even if the policies at the sites are adequate, the report notes that the vast majority of the surveyed sites don't extend their privacy policies to outside entities such as business partners. In fact, some sites lead users off their site, in which case the privacy policy will not apply. For example, when AltaVista users click on "Health and Fitness" they are taken to http://www.health.altavista.com, which sports the AltaVista logo. But when they click on any option, they go to HealthCentral (http://www.healthcentral.com), at which point the AltaVista privacy policy no longer applies.

Reason for concern

"Based on what we've seen, there's reason to be concerned that there are a number of health companies out there that are not keeping their promises to consumers about the way they're handling personal information," said FTC official Richard Cleland, in a Wall Street Journal article.

This FTC action follows an inquiry into Internet advertising company DoubleClick, Inc. (http://www.doubleclick.com/). That probe is relevant to the health site inquiry because many health sites use DoubleClick. Since DoubleClick has a network of sites for which it handles banner ads, it can track users as they travel from site to site if the users remain within the DoubleClick network. In this way, it can profile user behavior. However, in order for DoubleClick to connect users with their names and addresses (as opposed to simply measuring anonymous consumer data), it must include each site's user database in its own database. A DoubleClick company spokesperson said the company has been slow to do this, and has only about 10 or so sites on its database. So at present, it cannot track specific users. The company is also taking a number of steps to ease privacy concerns, including hiring PricewaterhouseCoopers LLP to audit its compliance with its stated privacy policies.

Still, there is certainly the potential for abuse, and consumers are concerned. Another study by CHCF, this one based on a survey of 1,000 U.S. online adults, showed that 75% of those seeking health information on the Web are concerned or very concerned about the sites' sharing their personal health information without permission. "The industry has the opportunity and responsibility to do the right thing to ensure that consumer privacy is protected," says Mark D. Smith, MD, CHCF's CEO.