How are health apps sharing my data with Facebook?

Did you miss our first blog post? Click through to read the 8 key questions to taking back control of how your data is used.


Last week we published Your Privacy Checklist with 8 key questions to help you be in the driver’s seat for your health data. The third question covers third-party partners, which include online advertisers like Facebook. The entire health care industry has stayed quiet on this complex topic, so we felt it deserved a dedicated blog post.

Here are some things that we learned when we started online advertising, and the first two steps to taking control over how your health data is used.

But the responsibility of safeguarding your health data shouldn’t lie entirely on your shoulders. We’re challenging all digital health companies to step up.

Off-Facebook Activity

Facebook is constantly collecting information about you from non-Facebook websites and apps through the Facebook pixel and Software Development Kit (SDK).

The Facebook pixel is a snippet of code that organizations (retailers, media outlets, political campaigns, non-profits, pharma companies...you name it) put on their websites. The pixel notifies Facebook when you visit the organization’s website and when you take certain actions called “Events.” Examples of Events include visiting specific pages, clicking on specific buttons, scheduling appointments, adding items to your cart, or purchasing items. The Facebook SDK is code that accomplishes this for mobile apps.

As you navigate the web on the same device that you use to access Facebook, Facebook collects your web activity via the pixel and SDK. Facebook then matches that data to your Facebook account, creating an incredibly detailed digital dossier of your interests, attitudes, values, personality, purchase histories, political leanings, etc.

It’s estimated that the Facebook and Google pixels are on millions of websites, and probably most of the websites you visit. The pixel and SDK function even if you access the site/app directly (rather than clicking through a Facebook ad), and even if you are logged out of Facebook.

The power of your off-Facebook activity

We’re laying it all out there! Here is how data travels between Folia and Facebook. We developed a new standard for protecting health data because we believe we can still grow without sharing data from within your Folia accounts. You deserve to be in the driver’s seat for how that data is used.

Organizations use the Facebook pixel and SDK because they offer the most effective way to advertise online, in both speed and cost.

As people perform the organization’s desired Event - whether it’s registering for an account, logging in with a certain frequency, making a purchase, or using a specific feature in an app - Facebook quickly determines the attributes of people who are likely to perform the Event. Facebook then adjusts the targeting of the organization’s ad to people who match those attributes.

An organization can install the pixel or SDK at any time - even if they are not yet advertising on Facebook - because it allows Facebook to start gathering data on people who visit their sites and perform the Events.

Mailing lists can also be shared with Facebook

Organizations advertising on Facebook can also upload customer/user lists for the purpose of targeted advertising. They can advertise specifically to people on their mailing list, or they can use them to create Lookalike Audiences to reach new people. For Lookalike Audiences, Facebook matches the names, emails, etc. from the customer/user list to its own database, identifies common themes, and then creates an audience of millions of people who share those attributes.

While Facebook hashes the data and doesn’t store the lists, most people don’t realize that when companies collect your email “for marketing and advertising purposes,” this type of activity is included.

Headlines from the last 6 months

What’s at stake?

While sometimes this level of targeting is really helpful - like when you get a perfectly curated carousel of funky socks in advance of Father’s Day with your dad’s exact flavor of dad humor - there are many reasons why you probably don’t want your health apps to be passing all of your personal data to ad partners. Here are some real examples of organizations sharing more data than what users probably intend: 

Where do we start?

It’s overwhelming to try to understand all the privacy controls and update all your settings in one sitting, which is probably why people put it off altogether. We recommend taking two steps to help you get started.

(1) Understand how Facebook advertising works

In January 2020, Facebook developed some very good resources to help the public understand how advertising works on their platform.

(2) Review your off-Facebook activity

Following the Cambridge Analytica scandal, Facebook built an Off-Facebook Activity tracker, which allows you to see the last 180 days’ worth of data, clear your history, and adjust their ability to use (but not necessarily collect) your off-Facebook activity for targeted advertising. 

We recommend these two steps first because this is a manageable place for anyone to start, and because how you choose to adjust your settings is a personal choice. 

(3) Once you’re ready to go deeper, read this excellent guide to help you decide how to adjust your settings 

Once you’ve had some time to digest the information from #1 and #2, you can spend time adjusting your internet settings based on your personal goals.

Members of the Folia team span the complete range of internet users: some of us are members of patient communities who rely on Facebook groups as an invaluable source of information and community, and some of us have shut down our accounts altogether.

The important thing is to define your personal goals, and arm yourself with knowledge so you can align your technology use with your goals.

But digital health companies need to step up

It shouldn’t be entirely up to patients and caregivers to ensure their health data is being protected. 

For one thing, companies should stop hiding behind the statements “Your data is never sold” or “Your identifiable data is never shared,” which give a false perception of privacy. The first statement is not meaningful because companies share data with Facebook via the pixel and SDK for free. And the second statement is not meaningful because Facebook can match your individual data with your Facebook profile.

At Folia, we’ve made the following decisions to help protect the privacy of our community as we grow. We invite other companies to join us in setting a new standard for the entire industry:

  1. We install the Facebook pixel and SDK to help us reach Facebook users who believe their knowledge can make a difference in their care.

  2. We limit the use of the pixel and SDK and only collect information on traffic to our public website (www.foliahealth.com) and traffic that clicks the Register button...but not traffic beyond that.

  3. We do not create any Events within the Folia application. Information within your private Folia account about what medications you search, what medications you use, what symptoms you experience and their severity, how often you log in, when you schedule doctor appointments, etc. is never sent to Facebook or used to target our advertising.

  4. We don’t upload our mailing lists to Facebook. When we create lookalike audiences, that is done using overall traffic to our public website.
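One way to enforce decisions 2 and 3 in code, as an added example that is not Folia's own implementation: a deny-by-default gate that every tracking call has to pass before anything reaches an ad partner. The event names, the app hostname in the samples and the `send` callback are hypothetical; only `www.foliahealth.com` comes from this article.

```javascript
// Added example: deny-by-default gate in front of any tracking call.
// PUBLIC_HOST is from the article; event names and sample hosts are hypothetical.
const PUBLIC_HOST = "www.foliahealth.com";
const ALLOWED_EVENTS = new Set(["PageView", "RegisterClick"]);

// Decide whether an event may leave the browser, and in what form.
function gateEvent(event) {
  let url;
  try {
    url = new URL(event.pageUrl);
  } catch {
    return { send: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" || url.hostname !== PUBLIC_HOST) {
    return { send: false, reason: "not the public website" };
  }
  if (!ALLOWED_EVENTS.has(event.name)) {
    return { send: false, reason: "event not on the allowlist" };
  }
  // Choice made in this example: forward only the event name and the path.
  // Query strings, fragments and custom fields (event.data) are dropped.
  return { send: true, payload: { name: event.name, path: url.pathname } };
}

// Run a batch through the gate; report what was sent and what was blocked.
function audit(events, send = () => {}) {
  const report = { sent: [], blocked: [] };
  for (const ev of events) {
    const verdict = gateEvent(ev);
    if (verdict.send) {
      send(verdict.payload);
      report.sent.push(verdict.payload);
    } else {
      report.blocked.push({ name: ev.name, reason: verdict.reason });
    }
  }
  return report;
}

// Constructed sample events (not real traffic).
const SAMPLE_EVENTS = [
  { name: "PageView", pageUrl: "https://www.foliahealth.com/blog?utm_source=fb" },
  { name: "RegisterClick", pageUrl: "https://www.foliahealth.com/", data: { email: "a@example.com" } },
  { name: "MedicationSearch", pageUrl: "https://www.foliahealth.com/", data: { q: "constructed" } },
  { name: "PageView", pageUrl: "https://app.example.test/symptoms/log" },
  { name: "PageView", pageUrl: "https://www.foliahealth.com.example.test/" },
];

console.log(JSON.stringify(audit(SAMPLE_EVENTS), null, 2));
```

The hostname comparison is exact rather than a suffix or substring match, so a lookalike host such as the last sample is blocked along with in-app traffic.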

A couple of last notes

This article focuses on Facebook because of the volume of data they have, and because they have a unique role in patient communities. But these considerations apply to other advertising platforms and analytics companies as well. 

Also, this article is by no means a comprehensive overview of every online privacy consideration, and data use practices are constantly evolving. Please continue to do your own research, and comment below with resources you’ve found helpful or with other considerations that we may not have explored. There is no handbook on how digital health companies can advertise on Facebook ethically, but we are hoping we have created the start.