Why they are a game changer, and ways to a adapt to a new era of state privacy regulations.
New laws aimed at safeguarding personal information are reshaping how companies interact with consumers and healthcare professionals (HCPs). In this article, we’ll explore the challenges and opportunities presented by this new era of consumer privacy, providing a roadmap for navigating compliance complexities while connecting consumers to vital healthcare information.
Overview of consumer privacy legislation and changes
State-level privacy laws, such as the California Consumer Privacy Act (CCPA), require transparency from data controllers and grant consumers the right to access, correct, and delete their data, promoting more responsible handling of personal information.
As more states adopt similar laws, advertisers will have to adjust their practices. However, substantial differences in privacy laws across states make this a complex task for healthcare businesses.
Different state laws may also confuse consumers, especially when companies do business across multiple jurisdictions. New regulations also increase costs, which may be passed on to consumers.
Impact on the healthcare industry and advertising data
New state privacy laws apply differently to health information. Many states require an opt-out (or even opt-in) process for “sensitive data,” which includes healthcare information. Advertisers need systems in place to handle such requests efficiently.
Data sharing and third parties
Healthcare advertisers must ensure that data management platforms (DMPs), audience providers, identity resolution companies, and third-party analytics firms comply with state privacy laws. Different states have varying enforcement mechanisms and penalties. Therefore, advertisers’ legal and compliance teams must perform due diligence and routinely review data use procedures and agreements in order to avoid fines and other legal consequences.
Marketing strategies
Since some states impose an opt-in requirement or provide the right to opt-out of the use of sensitive personal information and behavioral advertising, delivering personalized ads is not as simple as it once was. Use of consumer data for advertising purposes is still permitted if advertisers comply with the applicable rules for transparency, opt-ins, opt-outs, and other consumer rights requests, but if a consumer makes an opt-out request, or never opts in at all, marketing strategies and audience development need a layered, back-up approach that permits some level of personalization.
All state laws have some form of carve-out for data that is regulated by HIPAA—which may include information that has been de-identified according to the HIPAA Privacy Rule, provided HIPAA-compliant de-identification techniques are used and there is no attempt to link the data to a specific person or re-identify the person. With this approach, pharmaceutical advertisers can shift their strategies from 1:1 targeting to a broader layer of advertising.
Balancing scale and precision
All state privacy laws focus on identifiable individuals and devices. One way to comply is to reduce waste rather than trying to eliminate it altogether. Advertisers can zoom out from targeting an individual to targeting a designated market area (DMA), a city, or even a ZIP code. Data sets containing aggregated consumer information prevent the identification of individuals through strategic waste while still reaching the qualified target group.
Proper data handling is also critical for compliant advertising and campaign analytics, with key steps including:
Successful healthcare advertising requires navigating increasingly rigorous privacy approval processes, like detailed questionnaires and documentation reviews from partners and clients. For instance, a TV publisher required a comprehensive re-approval process for all data providers after Washington's My Health My Data Act (MHMDA) was introduced. This process involved completing a detailed questionnaire, providing information about data sources, data content and processes, and meeting with legal teams for a thorough review. By utilizing aggregated data and identity resolution partners to link information, the TV publisher was reassured that the audience-building process minimized re-identification risks.
Engaging with legal and compliance teams assuages stakeholder concerns. For example, measuring the effectiveness of a campaign aimed at increasing awareness and patient adherence to a diabetes treatment involved preparing and moving files through de-identification and tokenization processes. Collaboration with legal and compliance teams was essential to communicate the project scope, describe the data to be analyzed, and demonstrate a secure data flow. This clarified how the statistically de-identified data could be used to successfully measure campaign outcomes.
As a result, state privacy laws significantly impact direct-to-consumer (DTC) and certain HCP advertising campaigns. Pharmaceutical companies, advertising agencies, and their data and analytics providers must work together closely to understand consumer data rights, collaborate with legal teams, and fall back on de-identification.
Balancing privacy and precision is crucial for effective healthcare advertising in this evolving legislative landscape. By focusing on responsible data usage and maintaining compliance with legal and industry standards, healthcare marketers can continue to connect consumers to essential health information while protecting consumer privacy.
About the Author
Lauren McQuiston is a solutions engineer at OptimizeRx with expertise in data integration, identity resolution, and statistical analysis. In her role, she provides leadership on technical processes related to media execution and data integration approaches.