Facebook knows every time I work out. It knows that I’ve considered a health savings account, bought prescription skincare, and done way too much research about psychedelics and mental health. And for a while, it also knew every time I opened Planned Parenthood’s Spot On app, which I only did to log my period.
That’s according to my “off Facebook activity,” a lengthy list of all the companies that allow Facebook to track my interactions on their websites and apps in order to send targeted advertising. When I downloaded it a few weeks ago, it included some 65 health-related apps and websites that let Facebook know when I’m interacting with their products and services.
Some of this data was innocuous, such as that I visited the websites for American Cancer Society or Stanford Medical Center. But companies using Facebook’s advertising tools also share much more personal information, sometimes unknowingly. For instance, Facebook knows that I registered and looked at products on Hers.com, a site that sells remedies ranging from vitamins to libido enhancers. I was especially shocked to find that Facebook was being alerted when I opened the Spot On Period Tracker, a digital product from Planned Parenthood. I am consistent about only opening the app to log my period. Similarly, Sweat, the fitness app I use, lets Facebook know every time I open the app, providing Facebook with the time and date of my every workout.
None of this information is covered by HIPAA, the U.S. law that bars healthcare providers from sharing health record data.
“HIPAA’s categorical approach to privacy is outdated,” says Efthimios Parasidis, a professor at Ohio State University’s law school and school of public health who’s written about the need to regulate health information. “For example, health information, such as your heart rate, would be covered if monitored in a doctor’s office, but not covered if it’s monitored by an app on your watch.”
Many companies that appeared on my list told me they don’t share health data with Facebook. They also all said that their apps and websites are HIPAA compliant in the kind of legalese that only corporations can muster.
“Everlywell is HIPAA compliant at levels required to support partnerships with the largest health providers in the United States, which is verified by an independent third party via regular audits. At no point is personal health information shared with Facebook,” says Christina Song, director of communications for Everlywell, a health company that sells home test kits for vitamin D deficiency, metabolism, and food allergies.
As Parasidis points out, that is true. These apps don’t share data like age, blood pressure, or X-rays from a health record. Facebook doesn’t want that kind of data anyway—when reached for comment, the company says it restricts health tech companies from sharing such information.
Song then went on to defend the use of Facebook’s advertising platform: “This is common advertising practice used by health and wellness brands, including online providers of mental health, sexual health, and telehealth services; prescription medicine delivery services, and some major insurance companies.”
Song is correct that lots of health companies use Facebook to advertise. As my “off Facebook activity” download showed, much of what gets shared with Facebook is indirect information, such as dates and times I visited a website or app, products, or prescriptions I have looked at or purchased, and products I put in a digital shopping cart.
But glued together, these scraps of information create a collage of my overall health, which Facebook can then sell advertisements against. In collecting data about my health behavior and interests, Facebook probably knows more about my health than my doctor.
Rethinking Spot On’s privacy
Some health organizations have recognized the flaw in claiming their apps are private while allowing Facebook to collect revealing information, even if it is outside the bounds of HIPAA. At the end of last year, Planned Parenthood decided to stop using Facebook’s mobile software development kit to make ads for its period tracking app Spot On. When I downloaded my off-Facebook data in January, an outdated version of the Spot On app on my phone had recently pinged Facebook’s servers (this stopped once I updated the app).
Planned Parenthood says that when it was using the software developer kit, Facebook was only alerted when a user installed Spot On and when they opened it. No other in-app data, such as menstrual cycle information, is shared with Facebook. The organization also says its in-house information security team has evolved since it launched Spot On nearly five years ago. It now conducts third-party audits on its digital products and regularly tests them to make sure they’re secure. Planned Parenthood says it requires vendors, including analytics companies, to sign detailed contracts regarding data privacy, and it has been quick to fire those that violate its terms. In the last year, the team became increasingly uncomfortable with what kind of data Facebook could access through its mobile software developer kit.
One reason that health tech companies can truthfully say that they don’t share an individual’s data is because they often don’t know who is using their app or website. In Spot On’s latest version, however, there is an option to create an account. If it had continued to use Facebook’s software developer kit to advertise, Facebook would have be able to capture a person’s identity at the point of registration. The organization decided that it was worth losing access to some of Facebook’s targeting capabilities in exchange for better user privacy in this instance.
“We are constantly evaluating the available analytics tools and platforms that could help us learn about the effectiveness of our digital products,” says Katie Skibinski, the vice president of digital products at Planned Parenthood Federation of America. “With the Spot On app—and all of Planned Parenthood’s digital tools, including web, mobile, and chat products—our goal is to ensure that data-driven learning is always thoughtfully executed with respect for patient and user privacy.”
However, Planned Parenthood does still use Facebook to advertise.
An ethical bind
While Planned Parenthood was aware of Facebook’s reach, companies are sometimes in the dark about what information they are sharing with the social media giant.
This kind of tracking via health-related companies is coming under scrutiny. Last month, Consumer Reports revealed that popular prescription discounter GoodRx has been sharing customer data, including the names of prescription drugs people are researching, with advertising companies including Facebook and Google. In November 2019, The Financial Times revealed that major health websites and marketplaces like WebMD, Healthline, and Drugs.com were sharing detailed health information with third parties largely for advertising purposes. Some of the information shared included drug names searched for, symptoms searched for, and menstrual cycle information that had been uploaded to the site BabyCenter.
The report argued that all of this data sharing was in violation of the General Data Protection Regulation, a European law that require companies to get consent from consumers before tracking them around the web. In the U.S. we do not have broad protections like GDPR, though California’s recent consumer privacy act shows that states are increasingly thinking about regulating how companies collect information so that there’s more transparency. The current legal environment is not only bad for consumers, it puts companies in an ethical bind as well: It is a difficult choice not to use Facebook’s extremely effective targeted advertising tools, which can limit healthcare companies’ ability to reach new patients.
Should the decision to use Facebook’s ad tools even rest on a company’s shoulders? In an article for The New England Journal of Medicine last year, Ohio State University professor Parasidis suggested that institutional review boards could be charged with auditing companies when their handling of this sort of health adjacent data becomes ethically dubious.
He also thinks that as health technology advances, it will become increasingly difficult to assess whether or not data in consumer apps should be covered by HIPAA. “For example, let’s say you have a heart condition and your doctor says, ‘I need to monitor your heart rate’, and she links you to an app that can be accessed via your electronic medical records,” he says. “We’re not far off from that.”
Parasidis anticipates the Food and Drug Administration may have to take a more active role in regulating information shared through platforms like Facebook and Google. But he also thinks regulators could be taking steps now, to prepare for an imminent future where apps have much greater access to health data than ever before.
Update: This story has been updated to clarify how Planned Parenthood’s Spot On Period Tracker’s technology works.