What the New Privacy Legislation Means for Healthcare Marketers

By DeepIntent InSites Archives

A growing number of laws governing consumer online privacy have made it imperative that marketers sit up and take notice. And yet as more U.S. states either pass or contemplate legislation, the task is at once far from simple and absolutely necessary.

That's evidenced by the $1.2 million fine imposed on Sephora in 2022, the first of its kind under the California Consumer Privacy Act (CCPA), which went into effect in June 2020. The court decision clarified a broad definition of "sale of data" to mean any exchange of data, not explicitly one of monetary value.

California followed the European Union in creating the CCPA. The EU introduced the General Data Protection Regulation (GDPR) in 2018. Now, three other state-based regulations have emerged. The California Privacy Rights Act (CPRA), which amends and adds to the CCPA, went into effect January 1, 2023, as did the Virginia Consumer Data Protection Act (VCDPA). Three other states have comprehensive privacy legislation going into effect later this year: Colorado and Connecticut on July 1, and Utah on December 31.

In addition, a patchwork quilt of states have either introduced bills or have bills currently stalled in their legislatures that all share the same end goal: to protect user privacy.

This poses big challenges for marketers. Those that use data to target and reach the consumer with personalized messages need to navigate new legislation as it unfolds so they remain compliant.

Yashina Burns has some ideas on the best ways to do that. She's Vice President of Legal and Privacy at DeepIntent, an advertising platform specifically focused on the healthcare advertising vertical. Burns explains that to some degree all the new legislation is modeled on the GDPR; however, there are differences. "GDPR is built on a foundation of consent in order to use people's data," she says, "but the state laws focus on an opt-out model."

However, the differences do not end there. Colorado and Virginia apply a consent model to data that is considered sensitive, such as biometric or health information. However, if that data is necessary for the business to provide the service that the consumer signed up for, the opt-out is not guaranteed. The laws provide for a balance of business and consumer interest.

Burns points out another distinction: The GDPR applies to anyone in the EU, including non-citizens. In contrast, the U.S. laws are based on state residency. "From a business-impact standpoint, that makes it more difficult for businesses to comply," Burns notes. "Especially in the digital space, there's no way to tell that someone is a resident of Colorado, California or Virginia."

In order for marketers to make sure they aren't breaking the rules, "you have to have internal documentation for all the state laws," she adds. "And in a state like Virginia, you have to submit an assessment that you've performed internally upon request."

Pharmaceutical marketers have additional and unique concerns. They have been beholden to Health Insurance Portability and Accountability Act (HIPAA) federal regulations since 1996. Because of that, the state privacy laws have a carve-out for HIPAA de-identified information and HIPAA protected information.

However, while HIPAA regulates the collection of personal health information in regard to diagnostics and prescriptions, it does not account for a user visiting a site and purchasing a medication. In that case, data collected can come under the umbrella of the state laws, as it now involves a sale. There is also the risk of re-identification of the user. While it is a small risk, it is possible if data sets are crossed improperly. Statistical standards and measurements are needed to prevent that, something that DeepIntent already has in place.

Burns says that the basic principle of all the privacy laws is transparency. "The AdTech industry understands they need to provide transparency to consumers to make sure we're acting in accordance with people's expectations," she says.

While these laws affect all marketers, Burns' advice to pharma marketers, in particular, is to make sure you know what data sits in your systems and that it is accurately categorized. Also, map out the flow of data so you know who you are receiving data from and that they are also compliant.

This should be reflected in contracts with the vendors. Be sure to ask them the right questions. For example, find out if the vendor has proper transparency, how they process user requests, and how they vet their vendors. It's also important to make sure your website is updated with proper disclosures and users' rights.

The Internet Advertising Bureau (IAB) along with the IAB Tech Lab are trying to help companies comply with these new privacy laws with the creation of the Multi-State Privacy Agreement. It includes a technology toolkit to help publishers and advertisers work with vendors and manage these new regulations. However, this only works if everyone in the industry complies with the terms.

DeepIntent has signed on. After all, it only makes sense "to follow industry standards and support anything that creates some level of uniformity," Burns concludes.

The opinions expressed here are the author's views and do not necessarily represent the views of MediaVillage.com/MyersBizNet.
