Privacy & Cybersecurity Law Blog

On November 8, 2023, the Network Advertising Initiative (“NAI”) issued its best practices guidance (“Guidance”), which advocates for the use of demographic data for health advertising, rather than sensitive health information.

The Guidance comes after the FTC’s $1.5 million fine imposed on GoodRx for unauthorized disclosures of personal health information to third-party advertisers, and the recent enactment of laws such as Washington’s My Health My Data Act, which impose new restrictions on processing of health data.

The Guidance distinguishes between processing of “sensitive” health information (e.g., information about a consumer’s health condition, treatment, or diagnosis), which the Guidance acknowledges requires consumer consent under new privacy laws, and processing of broader demographic data such as age and gender, which does not require consumer consent.

The Guidance also indicates that population-level demographic insights may be obtained through analyzing de-identified health information, such as insurance claims or pharmaceutical prescriptions. For example, de-identified insurance claims may provide insight into which geographic regions may have increased prevalence of certain conditions over several years, which may assist pharmaceutical companies or healthcare providers to market medications and treatments to consumers in those regions. The Guidance recognizes that individual behavioral data, with enough specificity and precision, may inadvertently reveal a consumer’s health status and, that information may therefore need to be treated as sensitive health information.

The Guidance includes sections on: Demographic Audience Segment Attributes, Data Stewardship, Modeled Audience Segment Size, Data Provenance and Transparency.