How State Privacy Laws Are Shaping DTC and HCP Marketing Strategies


Why they are a game changer, and ways to adapt to a new era of state privacy regulations.

Lauren McQuiston


New laws aimed at safeguarding personal information are reshaping how companies interact with consumers and healthcare professionals (HCPs). In this article, we’ll explore the challenges and opportunities presented by this new era of consumer privacy, providing a roadmap for navigating compliance complexities while connecting consumers to vital healthcare information.

Overview of consumer privacy legislation and changes

State-level privacy laws, such as the California Consumer Privacy Act (CCPA), require transparency from data controllers and grant consumers the right to access, correct, and delete their data, promoting more responsible handling of personal information.

As more states adopt similar laws, advertisers will have to adjust their practices. However, substantial differences in privacy laws across states make this a complex task for healthcare businesses.

Different state laws may also confuse consumers, especially when companies do business across multiple jurisdictions. New regulations also increase costs, which may be passed on to consumers.

Impact on the healthcare industry and advertising data

New state privacy laws apply differently to health information. Many states require an opt-out (or even opt-in) process for “sensitive data,” which includes healthcare information. Advertisers need systems in place to handle such requests efficiently.

Data sharing and third parties

Healthcare advertisers must ensure that data management platforms (DMPs), audience providers, identity resolution companies, and third-party analytics firms comply with state privacy laws. Different states have varying enforcement mechanisms and penalties. Therefore, advertisers’ legal and compliance teams must perform due diligence and routinely review data use procedures and agreements in order to avoid fines and other legal consequences.

Marketing strategies

Since some states impose an opt-in requirement or provide the right to opt-out of the use of sensitive personal information and behavioral advertising, delivering personalized ads is not as simple as it once was. Use of consumer data for advertising purposes is still permitted if advertisers comply with the applicable rules for transparency, opt-ins, opt-outs, and other consumer rights requests, but if a consumer makes an opt-out request, or never opts in at all, marketing strategies and audience development need a layered, back-up approach that permits some level of personalization.

All state laws have some form of carve-out for data that is regulated by HIPAA—which may include information that has been de-identified according to the HIPAA Privacy Rule, provided HIPAA-compliant de-identification techniques are used and there is no attempt to link the data to a specific person or re-identify the person. With this approach, pharmaceutical advertisers can shift their strategies from 1:1 targeting to a broader layer of advertising.

Balancing scale and precision

All state privacy laws focus on identifiable individuals and devices. One way to comply is to reduce waste rather than trying to eliminate it altogether. Advertisers can zoom out from targeting an individual to targeting a designated market area (DMA), a city, or even a ZIP code. Data sets containing aggregated consumer information prevent the identification of individuals through strategic waste while still reaching the qualified target group.

Proper data handling is also critical for compliant advertising and campaign analytics, with key steps including:

  • De-identification techniques: HIPAA provides two de-identification methods: the Safe Harbor Method or Expert Determination Method. The Safe Harbor Method involves removing 18 types of identifiers (e.g., names, geographic data smaller than a state, dates directly related to an individual, phone numbers, Social Security numbers, etc.). The Expert Determination Method involves having a privacy expert certify that, after making redactions to the data in question, the risk of re-identification is very small. Expert determination may be more challenging up front but can yield more useful data.
  • Aggregated data usage: Aggregating data for analysis minimizes privacy risks. For example, grouping by indication-relevant diagnoses and drug treatments or patient age ranges removes the processing from the scope of state privacy laws, as compared to analyses focusing on individuals.
  • Identity resolution: Identity resolution involves using third-party "clean rooms" to securely transfer sensitive campaign data from demand side platforms (DSPs), supply-side platforms (SSPs), and publishers to campaign measurement providers. This process involves exchanging tokens or de-identified placeholders that cannot be reverse-engineered, enabling effective and HIPAA-compliant campaign measurement.
  • Secure data storage and management: State laws require robust data security measures, including encryption, access controls, regular audits, and routine team training.

Successful healthcare advertising requires navigating increasingly rigorous privacy approval processes, like detailed questionnaires and documentation reviews from partners and clients. For instance, a TV publisher required a comprehensive re-approval process for all data providers after Washington's My Health My Data Act (MHMDA) was introduced. This process involved completing a detailed questionnaire, providing information about data sources, data content and processes, and meeting with legal teams for a thorough review. By utilizing aggregated data and identity resolution partners to link information, the TV publisher was reassured that the audience-building process minimized re-identification risks.

Engaging with legal and compliance teams assuages stakeholder concerns. For example, measuring the effectiveness of a campaign aimed at increasing awareness and patient adherence to a diabetes treatment involved preparing and moving files through de-identification and tokenization processes. Collaboration with legal and compliance teams was essential to communicate the project scope, describe the data to be analyzed, and demonstrate a secure data flow. This clarified how the statistically de-identified data could be used to successfully measure campaign outcomes.

As a result, state privacy laws significantly impact direct-to-consumer (DTC) and certain HCP advertising campaigns. Pharmaceutical companies, advertising agencies, and their data and analytics providers must work together closely to understand consumer data rights, collaborate with legal teams, and fall back on de-identification.

Balancing privacy and precision is crucial for effective healthcare advertising in this evolving legislative landscape. By focusing on responsible data usage and maintaining compliance with legal and industry standards, healthcare marketers can continue to connect consumers to essential health information while protecting consumer privacy.

About the Author

Lauren McQuiston is a solutions engineer at OptimizeRx with expertise in data integration, identity resolution, and statistical analysis. In her role, she provides leadership on technical processes related to media execution and data integration approaches.

© 2024 MJH Life Sciences

All rights reserved.