Consumers seeking information about or treatment for their health needs deserve to have their data treated with respect. In the wake of mounting evidence that many health and wellness companies collect and share consumer data with a concerningly long list of third parties, including social media companies, Consumer Reports and Boltive partnered to examine the data practices of ten health-related sites, focused on the use of that data for advertising. We created a variety of U.S.-based consumer persona bots who visited sites in spring 2023 looking for help with addiction treatment, sexual issues, disability aids, and other health needs. We collected and examined site cookies, advertising content, metadata, and privacy policies for evidence of collection and sharing to answer the central research questions: Are health websites sharing personal or sensitive data? Do consumers have the ability to control this sharing?
Nine of the 10 sites we examined raised at least one privacy concern. All collected health-related data, and some collected data that might be considered sensitive under various state laws. We found that because of varying applicability thresholds, vague definitions, and broadly defined carve-out exceptions, it is often unclear which laws apply to which businesses and data. Some of the sites that offered on-site cookie and sharing controls seemed to have technical issues that prevented our testers from limiting interest-based advertising cookies. Two sites that claimed they do not sell or share covered data appeared to allow third-party marketing cookies, which might legally constitute a sale. On the whole, it seemed that despite new health privacy protections in state laws, many health-related sites we examined shared data with third parties, often without easy-to-use controls. We end with recommendations for regulators and businesses on closing loopholes and prioritizing data minimization.