Whose data is it, anyway? A look at site visitors, regulators, site owners...and the privacy policy

Medical Marketing and Media, Feb 2001 by Cavallini, Mario

As Internet users become increasingly wary about giving up personal information, and federal commissioners increasingly impatient with self-regulation, pharmaceutical web sites need to clarify what data they collect and what they do with it. The privacy policies of major U.S. pharmaceutical sites show a mix of good and bad practices, but generally lag behind the assurances that today's users and tomorrow's regulators demand.

People don't like being stared at, snooped on, or talked about. They don't like being stereotyped, pigeonholed, or profiled. They really hate the feeling that somebody knows something about them that they don't know. And they aren't any different when they go on the Web. Site visitors are wary about violation of their privacy by web site owners, and this concern is even more pronounced at sites where personal healthcare data is being collected. The clearest way that web site owners can address these concerns is the privacy policy and the actions that they take to support their policies. A good privacy policy spells out the practices of the site owner, assuring visitors that their sensitive healthcare information is handled responsibly. The privacy policy also happens to be one of the few standards by which a pharmaceutical company can be held accountable for privacy violations.

This article considers the privacy policy from two perspectives - as the focus for the concerns of site visitors and as the instrument of government regulators - and reviews the current privacy practices of ten major U.S. pharmaceutical corporations.

What healthcare visitors fear

Site visitors leave all sorts of footprints behind when they visit healthcare Web sites: whenever they fill out a form, accept a cookie, or simply click to another page. These data get stored in cookies on their computers, in site traffic logs on the site's web server, and in databases, e-mails, routine reports, and any printouts that get filed away, left on desks, or tacked on bulletin boards in corporate offices.

These data can have different values for members of the Internet marketing team. For the webmaster, they provide the ebb and flow of usage patterns. For the project manager, they are the evidence of how effectively the key messages are delivered. For the marketing director, they are the makings of a well-qualified prospect list.

But for site visitors, these data are personal secrets, controlled by faceless corporate minions. Visitors don't know the people who possess or have access to this information. They don't know what those secrets say about them, how true they are, or how embarrassing or harmful they may be. They don't know how careful companies will be with their information, what the companies will do with them, or with whom they will be shared. Health seekers are not just concerned about one particular misuse, but worry about a range of privacy violations. For instance, Cyber Dialogue researchers found that health seekers are concerned about a health site sharing collected data with third parties (75 percent), unauthorized people reading messages (65 percent), and hackers raiding the data (59 percent).'

These concerns are not a minority view. In the most recent major study on the dynamics of people who surf the Web for health information, Pew Charitable Trust researchers found that 89 percent of Internet users who seek health information are "concerned that a health web site might sell or give away information about what they did online."1 Health seekers are more wary than web users in general. When asked about visitor profiling practices, 75 percent of health seekers said that companies should not be allowed to track visitor activities; in a previous Pew study of privacy concerns, 62 percent of users at large shared that view. Health seekers are more guarded about volunteering information: 21 percent have given their e-mail address at a health web site, compared to 54 percent of all web users.

Health seekers are especially protective of data about their conditions. The Internet Healthcare Coalition found that while 92 percent of visitors to health sites have provided their names and 65 percent have submitted phone numbers, only 49 percent have given personal health information.2a

Even the ways in which visitors' data are collected are mysterious. A sophisticated visitor may recognize when a site leaves a cookie on their computer, but the contents of a cookie are generally illegible to anyone but the programmer who created it. Visitors have no access to server logs, and sites rarely publicize their traffic analyses. The visitor knows what information they put into online forms, but has no idea what happens after they click the submit button. That is, they have no idea unless the site owners remove the mystery by explaining their practices in a privacy policy.

Of course, visitors do not accept blindly the assurances in a privacy policy. Researchers at AT&T Labs2 found that 28 percent of web users are more likely to volunteer information if the site has a privacy policy, rising to 58 percent if the site has both a privacy policy and a third-party certification seal, such as Better Business Bureau or TRUSTe. What visitors may not understand, and in fact what has taken hold only recently, is that the privacy policy - with or without a seal - is key to enforcement of law and regulation.


 


Content provided in partnership with ProQuest