This is not legal advice, but rather information and guidelines on new US State Data Privacy and Consumer Health laws and RollWorks’ services. The guidelines may change over time to reflect updated best practices. You should consult with your own counsel, privacy professionals, and/or internal resources to determine a comprehensive and appropriate solution for your business and marketing activities.
US Data Privacy laws enacted in several states may impact how your company can lawfully collect health-related data defined as "sensitive personal information" or "consumer health data." This can include cookie identifier and IP address collection in combination with a particular page view on your sites if you have information, products, or services on your site that are related to health and meet the different definitions of "sensitive personal information" or "consumer health data" under US Data Privacy laws. In addition, because the collection of this data for use in targeted advertising is considered a "sale" of the data under some US Data Privacy laws, written express consent may be required before the data can be collected and used for targeted advertising.
Does your company need to comply?
You know your business the best!
RollWorks cannot provide legal advice, but you should be aware that using RollWorks’ technology for marketing and data insights could require compliance with US Data Privacy and Health Data laws.
Specifically, the RollWorks technology drops a cookieID and collects the IP address and website URL page view information to help provide relevant marketing to your site visitors and prospective customers. This data collection may trigger US Data Privacy laws if the pages on your sites contain information that concerns a site visitor’s health, reveals a mental or physical health diagnosis or condition, or reveals the sexual orientation of a site visitor.
Examples of Data Collection that may trigger US Data Privacy Laws
By way of example, if your business helps physicians connect with prospective patients to book elective surgeries, the pages where a customer requests a medical appointment or purchases a medical device or medication could be considered data that is either collected and analyzed concerning a consumer’s health or is data that reveals a physical or mental condition or diagnosis.
Let’s say Sandra-Site-Visitor visits your business site, orthopedicsurgerynow.com, and navigates to a page to book a surgery for a torn meniscus. If RollWorks technology is located on the booking page, a cookie will be dropped and the IP address and URL of the page visited will be collected. This could constitute either the collection and analysis of Sandra’s health data or it could be data collected that reveals a physical condition or diagnosis (i.e., a torn meniscus). Alternatively, it could constitute the collection of a consumer’s health data under state laws in at least Washington, Nevada, and Connecticut.
Defining Sensitive Personal Information as Health Data
The following state laws restrict the collection of “sensitive personal information” and define it to include health information:
- Under the CCPA/CPRA, sensitive personal information includes “personal information collected and analyzed concerning a consumer's health.”
- Sensitive personal information includes: “personal data revealing a . . . mental or physical health diagnosis or sexual orientation.”
- Sensitive personal information and consumer health data includes “data revealing [or used to identify] . . . a [consumer’s] mental or physical health condition or diagnosis, sex life, sexual orientation.”
- Sensitive data means personal data that includes “data revealing . . . a mental or physical health condition or diagnosis or the processing of genetic or biometric data for the purpose of uniquely identifying an individual.” [Effective Oct. 1, 2024]
- Consumer health data means personally identifiable information used to identify the past, present, or future health status of the consumer and includes any health condition, status, disease, or diagnosis. There is a carve-out for consumer health data that may identify the shopping habits or interests of a consumer, so long as the information is not used to identify the specific past, present, or future health status of the consumer.
- Sensitive data means personal data that “reveals . . . a mental or physical condition or diagnosis or is genetic or biometric data.” [Effective July 1, 2024]
- Sensitive data includes “personal data revealing a mental or physical health diagnosis or genetic or biometric data that is processed for the purpose of uniquely identifying an individual.” [Effective July 1, 2024]
- Sensitive personal information is defined as “personal data that reveals . . . information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional . . . or sexual orientation.”
- Sensitive personal information is defined as “personal data revealing . . . mental or physical health diagnosis, sexual orientation.”
- Consumer health data is defined as “a consumer’s past, present, or future physical or mental health status” and includes information regarding health conditions, treatment, diagnosis, reproductive or sexual health, gender-affirming care, genetic data, and location data that could reasonably indicate a consumer’s attempt to acquire health services or supplies. The Act aims to protect the privacy of consumer health data that falls outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”). [Effective March 31, 2024]
Obtaining written consent for the "sale" of Consumer Health Data
Some US States require explicit or written consent to "sell" consumer health data. For example, in 2024 this will include the states of Washington, Nevada, and Connecticut. RollWorks cannot provide legal advice, but we can help configure the technology to accommodate written-consent opt-in banners your company may choose to use for compliance. Contact firstname.lastname@example.org.
Federal law issues
In 2023, the Federal Trade Commission (FTC) levied fines against BetterHelp and GoodRx over the handling of consumer health data in connection with advertising services. In the GoodRx matter, the FTC imposed a $1.5 million civil penalty for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies for advertising purposes. In the BetterHelp matter, the FTC fined BetterHelp $7.8 million for sharing consumers’ health data, including sensitive information about mental health challenges, with third parties such as Facebook and Snap for advertising purposes.
RollWorks encourages its customers to consult with legal or privacy professionals to confirm appropriate marketing activities in instances where personal information may be considered health-related data.
RollWorks Compliance with Health Data Collection Restrictions
How can I use RollWorks and comply with laws that restrict the collection of Consumer Health Data or Sensitive Personal Information?
- Check where the Pixel is placed throughout pages on your site(s) to ensure that it is not present in locations that contain information that may reveal a mental or physical condition or diagnosis of a site visitor or is otherwise health-related. Contact email@example.com if you need assistance with Pixel placement.
- To address compliance with California’s CCPA, RollWorks’ technology honors Global Privacy Control (“GPC”) and will not collect personal information from site visitors whose browser is configured to send the GPC signal. For this reason, NextRoll’s data collection will limit the collection of sensitive information under CCPA. Please consult with a legal or privacy professional if you believe there are other data collection activities on your site(s) that honoring GPC will not cover.
- If you operate in states that require opt-in consent to collect Sensitive Personal Information, such as Connecticut, Colorado, and Washington, or written consent for the sale of personal health data, you may be able to use an opt-in banner. Please consult with a legal or privacy professional to understand your business compliance options and contact firstname.lastname@example.org to determine options for syncing opt-in or written consent with RollWorks technology.
How to restrict the Pixel from firing and collecting data using GTM
To stop the Pixel from firing on specific pages, modify the triggering rules of your SmartPixel Google Tag Manager (GTM) tag. Follow these steps:
- Edit Triggering Rules: Locate the triggering rules at the bottom of your tag in Google Tag Manager. Click the pencil icon to access and modify these rules.
- Add an Exception: Select "Add Exception." This opens the "Choose trigger" module.
- Create a New Trigger: Click the "+" icon to add a new trigger.
- Configure Page View Trigger: Set up a page view trigger that matches the pages to exclude. Specify the URL condition as "/[desired_path_to_block]".
- Save Your Changes: Once the new trigger is configured, save it. Confirm that it is added as an exception on the tag, then save the tag itself.
- Publish Updates: Publish the changes within Google Tag Manager so that the new exception takes effect.
Read this Tag Manager Help Center article to learn more about firing triggers and trigger exceptions.
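The GTM exception above and the GPC handling described earlier amount to one decision: should the pixel load on this page for this visitor? The following is an added example (not RollWorks or NextRoll code) that expresses that gate in plain JavaScript; the blocked paths, the `pixelAllowed` and `loadPixelIfAllowed` names and the pixel URL are assumptions, and the path matching respects segment boundaries so that a prefix such as `/book-surgery` does not silence the pixel on an unrelated page like `/book-surgery-faq`.

```javascript
"use strict";

// Constructed example: paths whose content could reveal a health condition
// (the booking page from the orthopedic example above). Not real URLs.
const BLOCKED_PATH_PREFIXES = [
  "/book-surgery",
  "/appointments/orthopedics",
  "/pharmacy/checkout",
];

// Normalise a URL path: drop query string and fragment, lower-case,
// strip trailing slashes (but keep a bare "/" as-is).
function normalizePath(path) {
  const bare = path.split(/[?#]/)[0].toLowerCase();
  return bare.length > 1 ? bare.replace(/\/+$/, "") : bare;
}

// True when `path` is `prefix` itself or lies beneath it ("/book-surgery/knee"),
// not merely when it starts with the same characters ("/book-surgery-faq").
function pathIsUnder(path, prefix) {
  const p = normalizePath(path);
  const q = normalizePath(prefix);
  return p === q || p.startsWith(q + "/");
}

// Decide whether the pixel may fire. `opts.gpc` mirrors
// navigator.globalPrivacyControl; `opts.blockedPrefixes` mirrors the GTM
// exception list. Either condition alone keeps the pixel silent.
function pixelAllowed(path, opts) {
  const gpc = Boolean(opts && opts.gpc === true);
  const blocked = (opts && opts.blockedPrefixes) || BLOCKED_PATH_PREFIXES;
  if (gpc) return false;
  return !blocked.some((prefix) => pathIsUnder(path, prefix));
}

// Browser entry point: inject the vendor tag only when the gate allows it.
// `doc` and `nav` are passed in so the logic can be exercised outside a browser.
function loadPixelIfAllowed(doc, nav, pixelSrc) {
  const allowed = pixelAllowed(doc.location.pathname, {
    gpc: nav.globalPrivacyControl === true,
  });
  if (allowed) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = pixelSrc; // placeholder: the real tag URL comes from the vendor
    doc.head.appendChild(s);
  }
  return allowed;
}
```

In a page, call `loadPixelIfAllowed(document, navigator, "<pixel url>")` in place of the unconditional tag snippet; the GTM exception remains the authoritative control when the tag is managed there.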