Do you monitor your health with an app? Bills in Springfield could help guard your privacy
The privacy of personal health information is important to many people, but in Illinois, companies can quietly gather that data and resell it.
Two proposals in the Legislature would better protect our health information, and legislators need to take action on both.
Health data has become a potential gold mine for advertisers, data brokers and others who traffic in such things. Millions of people across the country use devices to track their heartbeats, how many calories they consume, how well they sleep and where they travel.
But the makers of apps, devices and websites that collect that information are not obligated under state or federal law to say who gets their hands on it. Even if someone asks a company to delete it, the company is not required to do so. And the more data that is collected, the greater the risk of data breaches that make that personal information available to nefarious users on the dark web.
It’s easy to imagine an attorney general in one state or another trying to get health care records for children who might have undergone gender-affirming treatment or to get data on women traveling to get abortions. Some companies would like to track and send ads to people who have researched health issues online, so those companies can target them with online ads. Health data also can be collected by ubiquitous devices that people wear or carry with them to track their health. That ought to be private, too.
Even if companies say they strip names off the data and keep it anonymous, that provides limited protection. Once enough data points are collected about a supposedly anonymous individual, it becomes fairly easy to figure out who they are.
And even if companies promise to keep information private, they don’t necessarily do so. Last year, the Federal Trade Commission ordered the mental health platform BetterHelp to pay a $7.8 million fine for — after promising to keep it private — passing along mental health data to advertisers.
Tech companies ‘collecting way too much data’
A bill in the Illinois Legislature would make it unlawful for anyone to sell or offer to sell a consumer’s health data without permission. The bill did not pass last year, but privacy advocates have worked with big tech companies to address their concerns. Now it’s time for the Legislature to pass it.
Washington state already has passed such a bill.
“I can’t believe how bad it is right now,” said state Rep. Ann Williams, D-Chicago, who introduced the bill. “The enthusiasm and fervor with which your data is pulled from you is just stunning.”
Meanwhile, as David Struett reported in Thursday’s Sun-Times, a related and broader bill in the Legislature introduced last year by state Rep. Abdelnasser Rashid, D-Berwyn, would bar tech companies from collecting, processing or transferring a wide range of personal data unless doing so is reasonably necessary and proportionate. That bill needs to get out of the Rules Committee and be thoroughly discussed by lawmakers.
“I think the lack of people’s control over their own data has become a bigger and bigger problem,” Rashid said. “The stakes are very high on the impact on people’s lives.”
However, across the nation, pushback from tech companies has continued to grow more intense as lawmakers try to corral the collecting and sharing of private information. The companies particularly are resisting a “right of action,” which allows for lawsuits to enforce compliance.
“It is kind of hard to conceptualize how much money can be made for companies because [data] gets mixed and matched in so many ways,” said R.J. Cross, consumer policy director for Illinois PIRG, who wrote a report on how industry lobbying has weakened privacy laws. “It’s hard to put a dollar sign on it, but it is obviously worth a lot.”
Illinois PIRG (Public Interest Research Group) wrote the bill introduced by Rashid.
“We feel companies are collecting way too much data that has nothing to do with the services they are providing and are keeping it for too long and are keeping it in insecure ways,” said Abe Scarr, director of Illinois PIRG.
Convenient devices, apps and websites that alert users to medical issues or help them follow beneficial regimens can ward off serious medical consequences. But the knowledge that their data is being tracked might discourage people from putting their privacy at risk, causing them to miss out on technology that could help them. HIPAA (The Health Insurance Portability and Accountability Act), which protects the privacy of some medical records, does not apply to most health apps.
The ability to gather health information in the moment and to compare readings over time can benefit people. But it should not come at the cost of a loss of privacy that can lead to devastating outcomes.