Legal Disclaimer
This is not legal advice, but rather information and guidelines on new US State Data Privacy and Consumer Health laws and RollWorks’ services. The guidelines may change over time to reflect updated best practices. You should consult with your own counsel, privacy professionals, and/or internal resources to determine a comprehensive and appropriate solution for your business and marketing activities.
Overview
US Data Privacy laws enacted in several states may impact how your company can lawfully collect health-related data defined as "sensitive personal information" or "consumer health data." This can include cookie identifier and IP address collection in combination with a particular page view on your sites if you have information, products, or services on your site that are related to health and meet the different definitions of "sensitive personal information" or "consumer health data" under US Data Privacy laws. In addition, because the collection of this data for use in targeted advertising is considered a "sale" of the data under some US Data Privacy laws, written express consent may be required before the data can be collected and used for targeted advertising.
Does your company need to comply?
You know your business the best!
RollWorks cannot provide legal advice, but you should be aware that using RollWorks’ technology for marketing and data insights could require compliance with US Data Privacy and Health Data laws.
Specifically, the RollWorks technology drops a cookieID and collects the IP address and website URL page view information to help provide relevant marketing to your site visitors and prospective customers. This data collection may trigger US Data Privacy laws if the pages on your sites contain information that concerns a site visitor’s health, reveals a mental or physical health diagnosis or condition, or reveals the sexual orientation of a site visitor.
Examples of Data Collection that may trigger US Data Privacy Laws
By way of example, if your business helps physicians connect with prospective patients to book elective surgeries, the pages where a customer requests a medical appointment or purchases a medical device or medication could be considered data that is either collected and analyzed concerning a consumer’s health or is data that reveals a physical or mental condition or diagnosis.
Let’s say Sandra-Site-Visitor visits your business site, orthopedicsurgerynow.com, and navigates to a page to book a surgery for a torn meniscus. If RollWorks technology is located on the booking page, a cookie will be dropped and the IP address and URL of the page visited will be collected. This could constitute either the collection and analysis of Sandra’s health data or it could be data collected that reveals a physical condition or diagnosis (i.e., a torn meniscus). Alternatively, it could constitute the collection of a consumer’s health data under US Data Privacy Laws.
Defining Sensitive Personal Information as Health Data
The following states restrict the collection of “sensitive personal information” and define that data as data that includes health information:
California
Under the CCPA/CPRA, sensitive personal information includes “personal information collected and analyzed concerning a consumer's health.”
Colorado
Sensitive personal information includes: “personal data revealing a . . . mental or physical health diagnosis or sexual orientation.”
Connecticut
Sensitive personal information and consumer health data includes, “data revealing [or used to identify] . . . a [consumer’s] mental or physical health condition or diagnosis, sex life, sexual orientation.”
Delaware
Sensitive data means personal data that includes, “data revealing . . . mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship status, or immigration status. Genetic or biometric data.” [Effective Jan. 1, 2025]
Iowa
Sensitive data means a category of personal data that includes, “. . . mental or physical health diagnosis, sexual orientation . . . Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.” [Effective Jan. 1, 2025]
Montana
Sensitive data means personal data that includes, “data revealing . . . a mental or physical health condition or diagnosis or the processing of genetic or biometric data for the purpose of uniquely identifying an individual.” [Effective Oct. 1, 2024]
Nebraska
Sensitive data means a category of personal data that includes, “data revealing . . . mental or physical health diagnosis, sexual orientation . . . Genetic or biometric data that is processed for the purpose of uniquely identifying an individual.” [Effective Jan. 1, 2025]
Nevada
Consumer health data means personally identifiable information used to identify the past, present, or future health status of the consumer and includes any health condition, status, disease, or diagnosis. There is a carve-out for consumer health data that may identify the shopping habits or interests of a consumer so long as the information is not used to identify the specific past, present, or future health status of the consumer.
New Hampshire
Sensitive data means personal data that includes, “data revealing . . . mental or physical health condition or diagnosis, sex life, sexual orientation . . . the processing of genetic or biometric data for the purpose of uniquely identifying an individual.” [Effective Jan. 1, 2025]
New Jersey
Sensitive data means, “personal data revealing . . . mental or physical health condition, treatment, or diagnosis; . . . sex life or sexual orientation; . . . status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.” [Effective Jan. 15, 2025]
Oregon
Sensitive data means personal data that "reveals . . . a mental or physical condition or diagnosis or is genetic or biometric data." [Effective July 1, 2024]
Texas
Sensitive data includes "personal data revealing a mental or physical health diagnosis or genetic or biometric data that is processed for the purpose of uniquely identifying an individual." [Effective July 1, 2024]
Utah
Sensitive personal information is defined as, "personal data that reveals . . . information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional . . . or sexual orientation."
Virginia
Sensitive personal information is defined as, "personal data revealing . . . mental or physical health diagnosis, sexual orientation."
Washington
Consumer Health Data is defined as “a consumer’s past, present, or future physical or mental health status” and includes information regarding health conditions, treatment, diagnosis, reproductive or sexual health, gender-affirming care, genetic data, and location data that could reasonably indicate a consumer’s attempt to acquire health services or supplies. The Act aims to protect the privacy of consumer health data that falls outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”). [Effective March 31, 2024]
Obtaining written consent for the "sale" of Consumer Health Data
Some US States require explicit or written consent to "sell" consumer health data. For example, in 2024 this will include the states of Washington, Nevada, and Connecticut. RollWorks cannot provide legal advice, but we can help configure the technology to accommodate written-consent opt-in banners your company may choose to use for compliance. Contact support@rollworks.com.
Federal law issues
In 2023, the Federal Trade Commission (FTC) levied fines against BetterHelp and GoodRx over the handling of consumer health data related to providing advertising services. In the GoodRx matter, the FTC imposed a $1.5 Million civil penalty for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies for advertising purposes. In the case of BetterHelp, the FTC fined BetterHelp $7.8 Million for sharing consumers’ health data, including sensitive information about mental health challenges, with third parties such as Facebook and Snap for advertising purposes.
RollWorks encourages its customers to consult with legal or privacy professionals to confirm appropriate marketing activities in instances where personal information may be considered health-related data.
RollWorks Compliance with Health Data Collection Restrictions
How can I use RollWorks and comply with laws that restrict the collection of Consumer Health Data or Sensitive Personal Information?
- Check where the Pixel is placed throughout pages on your site(s) to ensure that it is not present in locations that contain information that may reveal a mental or physical condition or diagnosis of a site visitor or is otherwise health-related. Contact support@rollworks.com if you need assistance with Pixel placement.
- To address compliance with California’s CCPA, RollWorks’ technology honors Global Privacy Control (“GPC”) signals and will not collect personal information from site visitors whose browser is configured to send the GPC signal. For this reason, NextRoll’s data collection will limit the collection of sensitive information under CCPA. Please consult with a legal or privacy professional if you believe there are other data collection activities on your site(s) that NextRoll’s GPC handling will not cover.
- Geo-blocking: RollWorks will block data collection for website visitors from Washington and Nevada based on the IP address of the website visitor for existing and new customers in the healthcare industry effective March 28, 2024. Effective January 1, 2025, RollWorks will block data collection for website visitors from Colorado and Connecticut based on the IP address of the website visitor for existing and new customers in the healthcare industry.
- In states that require opt-in consent to collect Sensitive Personal Information, such as Colorado, Connecticut, Delaware, Nebraska, New Hampshire, and New Jersey, or written consent for the sale of personal health data, you may be able to use an opt-in banner. Please consult with a legal or privacy professional to understand your business compliance options and contact support@rollworks.com to determine options for syncing opt-in or written consent with RollWorks technology.
How to restrict the Pixel from firing and collecting data using GTM
To exclude specific pages from pixel tracking, modify the triggering rules of your SmartPixel Google Tag Manager (GTM) tag. Follow these steps:
- Edit Triggering Rules: Locate the triggering rules at the bottom of your tag in Google Tag Manager. Click the pencil icon to access and modify these rules.
- Add an Exception: Select "Add Exception." This opens the "Choose trigger" module.
- Create a New Trigger: Click the "+" icon to add a new trigger.
- Configure Page View Trigger: Set up a page view trigger that matches the pages to exclude. Specify the URL condition as "/[desired_path_to_block]".
- Save Your Changes: Once the new trigger is configured, save it. Confirm that it is added as an exception on the tag and then save the tag itself.
- Publish Updates: Publish these changes within Google Tag Manager so that the new exception takes effect.
Read this Tag Manager Help Center article to learn more about firing triggers and trigger exceptions.
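As an added example (not RollWorks or Google code), the two controls described on this page, the GPC signal honored in the compliance list above and the page-path exclusion built with the GTM trigger exception, expressed as a small gate that runs before a pixel script is injected. The blocked path prefixes and the `injectScript` callback are assumptions constructed for illustration; `navigator.globalPrivacyControl` is the property the GPC specification defines. The path normalisation goes a step beyond the GTM "contains" condition so that case, query strings and `..` segments cannot bypass the exclusion.

```javascript
// Added example, not RollWorks code: gate the pixel on page path and GPC signal.
// Constructed list of health-related path prefixes to exclude, the equivalent
// of the GTM exception's "/[desired_path_to_block]" condition.
const BLOCKED_PATH_PREFIXES = ["/book-surgery", "/appointments", "/pharmacy"];

// Canonicalise a path so that case, query strings, fragments, duplicate
// slashes and "." / ".." segments cannot slip a page past the exclusion list.
function normalisePath(rawPath) {
  const noQuery = String(rawPath).split(/[?#]/)[0].toLowerCase();
  const segments = [];
  for (const seg of noQuery.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    let decoded = seg;
    try { decoded = decodeURIComponent(seg); } catch (_) { /* keep raw on bad escapes */ }
    segments.push(decoded);
  }
  return "/" + segments.join("/");
}

// True when the page sits at or below a blocked prefix
// ("/book-surgery/knee" matches, "/book-surgery-faq" does not).
function isBlockedPath(rawPath, prefixes = BLOCKED_PATH_PREFIXES) {
  const path = normalisePath(rawPath);
  return prefixes.some((p) => path === p || path.startsWith(p + "/"));
}

// The GPC spec exposes navigator.globalPrivacyControl === true when the user
// has opted out of sale/sharing; a missing property means "no signal".
function gpcOptedOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether the pixel may fire; the reason is returned for audit logs.
function pixelDecision({ path, nav }) {
  if (gpcOptedOut(nav)) return { fire: false, reason: "gpc-opt-out" };
  if (isBlockedPath(path)) return { fire: false, reason: "blocked-path" };
  return { fire: true, reason: "ok" };
}

// Browser entry point: inject the vendor script only when allowed, e.g.
// maybeLoadPixel(window, () => { /* append the pixel <script> here */ }).
function maybeLoadPixel(win, injectScript) {
  const { pathname, search } = win.location;
  const decision = pixelDecision({ path: pathname + search, nav: win.navigator });
  if (decision.fire) injectScript();
  return decision;
}
```

Keeping the GTM exception in place as well is still worthwhile: this gate only helps on pages where the site owner controls the loader, while the tag-level exception applies wherever the container fires.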