Health websites are sharing people’s personal search data with online giants including Google, Amazon and Facebook, an investigation has revealed.
The arrangements are accused of taking sensitive information without people’s consent and therefore breaching British data protection laws.
A total of 79 out of 100 websites were implicated in the Financial Times investigation, including WebMD, Healthline, BUPA and the British Heart Foundation.
Search terms such as ‘drug overdose’, ‘heart disease’ and ‘considering abortion’ were shared through advert-targeting schemes, as well as symptoms and drug names.
One critic suggested that companies could use the cookies to build profiles of people who were likely to spend so much on medical expenses that they wouldn’t be able to afford luxury goods, and then choose not to advertise to them.
The process of sharing the data happens through websites implanting cookies into users’ internet browsers.
Cookies which record people’s search terms and browsing history are then used to help build an online profile for them which third party advertisers can target.
In principle this means people who search for headache symptoms might begin to see adverts for painkillers when they’re online.
‘There is a whole system that will seek to take advantage of you because you’re in a compromised state,’ Tim Libert, a computer scientist at Carnegie Mellon University in Pittsburgh, told the Financial Times.
‘The internet has turned into a privacy wasteland. But there’s a suspension of disbelief in the [ad] industry.
‘Companies say they are GDPR-compliant, there’s a codependency where everybody pretends everything is OK, but the deep technical architecture is fundamentally incompatible with the right to privacy.’
The site which absorbed the most information was Google’s advertising section, DoubleClick, which was in action on 78 per cent of websites tested.
Amazon was receiving cookies from 48 per cent of sites, and Facebook and Microsoft were also among the major targets.
Google told the FT that any information considered sensitive is quarantined internally and not used in the algorithms that personalise the adverts people see.
But critics are concerned accumulating data relating to people’s medical conditions could lead to a database of ‘undesirable’ people to whom companies won’t advertise.
Mr Libert added: ‘As medical expenses leave many with less to spend on luxuries, these users may be segregated into “data silos” of undesirables who are then excluded from favourable offers and prices.
‘This forms a subtle, but real, form of discrimination against those perceived to be ill.’
In the UK, GDPR regulations mean it is illegal for companies to share people’s personal information without explicit consent.
This is why most websites now have buttons you have to press to accept the terms and conditions before you can enter.
And cookies – the small pieces of stored information which are responsible – cannot be got rid of because they’re so useful.
Cookies, for example, are what remembers passwords on website logins and are how sites like YouTube can predict what people will want to watch next.
Other companies named in the FT investigation were Made for Mums, Self.com and Babycentre – the newspaper did not release the full list.
BUPA told the FT: ‘Advertising cookies are used on our site but we have set them so that no personal data about visitors to our websites, including our health information pages, is passed on to third parties.’
The British Heart Foundation said: ‘The trust of our supporters is extremely important to us. We’re committed to using their data in appropriate ways.
‘Like nearly all major charities and organisations, we use cookies for numerous reasons including to provide more personalised experiences for the people who visit our website, to tailor our advertising, and to give us data to improve our website’s performance.
‘Optimising our work in this way means we can ensure our health information and advice is as accessible as possible to people who need it, and means we spend our charitable funds wisely.
‘The data captured by the cookies on our website is protected so it doesn’t directly identify individuals. We don’t sell data and we don’t share sensitive personal data on areas such as health that could directly identify people.’
MailOnline has contacted all the companies named in this article for comment.