The Federal Trade Commission (FTC) continues to prioritize the protection of consumers’ digital health information. The agency has demonstrated this commitment through enforcement actions against GoodRx and BetterHelp for sharing consumer health information for advertising purposes (see our blog posts on each respective action here and here), and in a post published by the FTC Office of Technology on March 16, 2023, titled “Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking.” The FTC post provides a deep dive on the technical aspects of the GoodRx and BetterHelp enforcement actions, including a primer on pixel tracking technology and how it works to collect data and personal information of website visitors and users of mobile apps. The post also confirms that the GoodRx and BetterHelp enforcement actions arose from the companies’ sharing of consumers’ health information with tracking technology vendors. In light of these recent developments, digital healthcare platforms must understand how they collect, use, and share consumer health information.
FTC’s Pixel Primer
Consumers use the internet every day but may be completely unaware that tracking pixels exist and are collecting detailed information on how the consumer utilizes a web page. Tracking pixels are pieces of code invisibly embedded into websites to track personal data on how a consumer interacts with a web page, including viewing the page, clicking on items on the page (including advertisements), purchasing products, or even typing within a form on the page. Companies often use third-party pixel tracking vendors to assist with collecting, tracking, and refining information on consumer interactions with a web page. The FTC post explains how digital health platforms and their third-party tracking technology vendors may try to monetize the information collected by tracking pixels.
FTC’s Concerns with Pixel Technology
In the recent post, the FTC outlines three concerns with the use of pixel tracking:
- Consumers cannot easily avoid their interaction with widespread, invisible pixels, as current control technology does not always prevent pixels from collecting and sharing information, and consumers often do not know tracking pixels exist.
- Companies that use tracking technology often do not fully understand how the data is collected, stored, and used (and that it may include health information), potentially resulting in the improper exposure of personal information. Further, digital health platforms may not have visibility into how the tracking technology companies use the data they collect.
- Pixel tracking may attempt to remove personally identifiable information, such as names or email addresses, but removal is often not guaranteed.
The FTC warns that the use of pixel tracking to disclose consumers’ personal information to third parties may violate federal and state privacy laws and regulations, including, for example, the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, and state or other federal privacy rules. The GoodRx and BetterHelp enforcement actions show that the FTC is willing to back up its warning by pursuing companies whose digital health platforms inappropriately collect, use, and share consumers’ personal health information.
FTC’s Research Questions
In the post, the FTC also identifies topics regarding online tracking for which continued research could be useful. These subjects include:
- industry conditions and competitive dynamics;
- consumer harms;
- business rationales;
- data processing, use, and monetization; and
- data retention and management.
The GoodRx and BetterHelp enforcement actions demonstrate that digital healthcare platforms must be careful when using pixel tracking technologies because of the risk of collecting and sharing consumers’ personal information without appropriate notice and consent. Digital healthcare platforms should:
- ensure they understand what data is collected by the tracking technologies they use and how that data is shared with third parties, including tracking technology vendors;
- review their existing agreements with tracking technology vendors to understand how those vendors may use data provided by the platform and to confirm that use comports with applicable federal and state privacy laws;
- ensure their actual business practices regarding collecting, sharing, and using personal information align with their privacy notices;
- monitor future FTC guidance and enforcement actions related to use of online tracking; and
- work closely with counsel to implement proper privacy practices to ensure collected health information is not improperly exposed or shared through the use of tracking pixel technology.
Those wishing to follow these developments should visit Tech@FTC, where the agency’s technologists released their analysis. We will also continue to report on these developments as they arise on this Health Law Rx blog.