Episode 22 Jessica Lee on navigating the health targeting rules - The Monopoly Report

Summary5 min read

The Monopoly Report: Episode 22 Summary

Title: Episode 22 Jessica Lee on Navigating the Health Targeting Rules
Host: Alan Chappelle
Guest: Jessica Lee, Chair of the Privacy, Security, and Data Innovations Practice at Loeb & Loeb
Release Date: March 19, 2025

Introduction

In Episode 22 of The Monopoly Report, host Alan Chappelle engages in a deep conversation with Jessica Lee, an expert in privacy, security, and data innovations. The discussion centers on the complexities of health targeting in digital advertising, the evolving regulatory landscape in the United States, and comparisons with European regulations. Lee provides valuable insights into how companies can navigate these challenges and turn compliance obligations into actionable business strategies.

Understanding Health Targeting

The episode begins with Alan Chappelle setting the stage for the discussion on health targeting within the advertising ecosystem.

Definition and Types of Health Targeting
- Alan (02:10): "How should the audience be thinking about sensitivity when it comes to health targeting?"
- Jessica Lee (02:38): Explains that health targeting involves using demographic data, de-identified HIPAA data, and online activity to reach individuals who may benefit from specific medical treatments or drugs.
Sensitivity in Health Data
- Jessica Lee (03:21): Discusses the sliding scale of sensitivity in health data, from benign information like gym memberships to more sensitive conditions like cancer.
- Alan (03:47): Highlights the challenge of defining sensitivity, citing the FTC's stance that even vitamin D segments can be considered sensitive.

Regulatory Landscape in the United States

Federal vs. State Regulations
- Jessica Lee (05:27): Contrasts the Khan administration's approach to advertising with the more recent FTC actions under the Ferguson administration, noting a shift towards focusing on tangible harms.
- Alan (08:04): Emphasizes the role of state laws in the absence of stringent federal regulations, with states like Washington, Connecticut, Nevada, and California enacting their own privacy laws.
Impact of the Dobbs Decision
- Jessica Lee (09:08): Explains how the Dobbs decision catalyzed states to enhance protections around reproductive health data, leading to more restrictive privacy laws.
- Alan (10:50): Observes that the overturning of Roe v. Wade created a tangible harm argument, compelling states to act more decisively.
State-Specific Laws
- Washington State's My Health, My Data Act (11:16):
  - Jessica Lee: Describes it as the first health care-focused privacy law with a broad definition of consumer health data and a private right of action, heightening business concerns about potential lawsuits.
- New York's Proposed Law (14:59):
  - Jessica Lee: Details New York's stringent approach, including consent requirements and an outright prohibition on the sale of health data, making operational compliance challenging for businesses.

Comparing U.S. and European Regulations

European Union's GDPR and E Privacy Directive
- Jessica Lee (20:25): Notes that the EU has long-standing regulations like GDPR that categorize health data as special category data, requiring a lawful basis for processing. Unlike the U.S., Europe employs a more principles-based approach, providing clearer guidelines for health targeting.
Reactive vs. Principle-Based Approaches
- Jessica Lee (20:25): Contrasts the EU’s proactive, principles-based regulations with the U.S.’s reactive, prescriptive laws that evolve in response to specific events or rulings.

HIPAA Compliance and Data Identification

Understanding HIPAA and De-Identification
- Jessica Lee (23:02): Clarifies HIPAA's role in protecting health data, distinguishing between covered data and de-identified data. Discusses the two standards for de-identification: stripping 18 identifiers or obtaining expert statistical determination.
Challenges with HIPAA and State Laws
- Jessica Lee (25:13): Warns against assuming HIPAA de-identification exempts data from state privacy regulations. Emphasizes that de-identified data must still adhere to state laws regarding inferences and re-identification risks.
Inference and Segment Naming
- Alan (27:27): Questions whether assigning a targeting category to a pseudonymous UID constitutes an inference.
- Jessica Lee (27:27): Agrees it does, highlighting the difficulty in labeling segments to avoid regulatory scrutiny, especially when segments are based on health conditions like diabetes.

Risks and Potential Harms

Tangible Harms from Data Use
- Jessica Lee (31:01): Identifies risks such as discrimination in insurance or government access leading to adverse outcomes for individuals based on their health data.
Regulatory Focus on Harm Prevention
- Jessica Lee (28:30): Emphasizes understanding the specific harms regulators aim to prevent, allowing companies to implement controls to mitigate these risks.

Business Implications and Best Practices

Adapting to a Shifting Landscape
- Jessica Lee (30:23): Advises businesses to view compliance as an ongoing process, continually adapting to new regulations and rulemakings.
Leveraging Privacy-Enhancing Technologies
- Jessica Lee (28:30): Recommends using privacy-enhancing technologies and maintaining robust data governance to protect against potential inferences and re-identification.
Developing a Defensible Strategy
- Jessica Lee (28:30): Suggests companies should prepare to articulate their compliance strategies effectively, demonstrating the controls in place to prevent harm from health data usage.

Conclusion and Key Takeaways

Holistic Data Lifecycle Management
- Jessica Lee (28:30): "Look at the whole data life cycle. Ensure that inferences aren't being generated on the back end and that appropriate controls are in place."
Stay Informed and Adaptive
- Jessica Lee (28:30): "Track the space because it is a moving goalpost and make sure you're kind of marching with the crowd, not getting too far ahead of it."
Focus on Harm Prevention
- Jessica Lee (28:30): "Understand what the harms are that the regulators are trying to get at and then zoom into what you're doing specifically and see how you can defend against those harms."

Final Thoughts

Alan Chappelle wraps up the episode by highlighting the importance of understanding the complexities of health targeting and the evolving regulatory environment. He encourages listeners to stay informed and proactive in adapting their strategies to ensure compliance and protect against potential harms.

Notable Quotes:

Jessica Lee (02:38): "Health data can come from a number of different sources, but it's all tied to trying to reach someone who needs a specific treatment or drug."
Alan Chappelle (06:41): "I think there's a mistake in not talking enough about the scale of a data set and the amount of data being collected."
Jessica Lee (25:18): "I would caution companies from thinking that there's some like, magic button and now the privacy rules don't apply."

About the Host and Guest

Alan Chappelle: Host of The Monopoly Report, focusing on antitrust issues in big tech and their impact on the global advertising economy.
Jessica Lee: Chair of the Privacy, Security, and Data Innovations Practice at Loeb & Loeb, with extensive experience in guiding companies through complex regulatory landscapes in media and advertising.

Subscribe to The Monopoly Report:
Stay updated with the latest discussions on antitrust and regulatory issues affecting the advertising industry. Subscribe here or find the podcast on Spotify, Apple Podcasts, YouTube, or your preferred platform.

Loading summary

Transcript55 lines

[00:00]
Innovid Host
This podcast is brought to you by Innovid. Folks, we have our answer. There's been a lot of speculation about what the combination of Flash talking and Innovid would be called. Flashovid Innoflash. We've got our answer at Architecture Live. And it's Innovid. But not just any Innovid. It's a new Innovid innovation. Intelligence independence. The eyes have it. Check out new.innovid.com to learn more about how they're merging their ad tech stacks and shaking up the industry. That's new.innovid.com and as ever, this ad could have been an email.
[00:45]
Alan Chappelle
Welcome to the Monopoly Report. The Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. Last week's newsletter focused on measurement in the ad space, and I called for a new rule for any new ad platform. If I can't independently measure and rate the efficacy of my spend, then your platform should go back to the drawing board. Until I can do those things, I'm encouraging our trade associations and all of you to speak up and demand this as table stakes for any new ad platform. If you are new to the Monopoly Report, you can subscribe to this weekly newsletter@monopoly-report.com and you can check out all the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. This week my guest is Jessica Lee, chair of the Privacy, Security, and Data Innovations Practice at Loeb and Loeb. Jessica works with companies across the media and advertising industries to navigate the complex regulatory environment and turn their compliance obligations into actionable business strategies. I'm excited to get Jessica's thoughts on the way the health privacy rules are being shaped in the US and elsewhere. So let's get to it. Hey, Jessica, thanks for coming on the pod. How are you?
[01:59]
Jessica Lee
Good, how are you? Thanks for having me.
[02:01]
Alan Chappelle
Oh, my pleasure. How are you feeling? See what I did there?
[02:05]
Jessica Lee
That's a whole other question. How much time do you have?
[02:10]
Alan Chappelle
Well, that's for a separate podcast. Chappelle goes deep on the the psychological insights from the, the law profession. Yeah, it'll be a hit, I'm sure. So today we're talking about health targeting. And first I want to align on what we mean by health targeting, you know, in the context of the ad space. You know, I, I, you know, like, there's demographic targeting, there's use of HIPAA Phi. So, you know, walk me through, like, what are the various, you know, the most popular types of targeting In a health context.
[02:39]
Jessica Lee
Sure. And I mean, I think all of those apply. Right. Cause at its foundation, it's really, you know, targeting based on characteristics that are presumed or inferred to tie to a medical condition or to reveal a medical condition. So that can happen through demographic data, that can happen through, you know, hopefully de identified HIPAA data. That can happen through data collected because you visited a certain website or attributes are collected about you over time based on your online activities. So health data can come from a number of different sources, but it's all tied to, you know, trying to reach someone. I have a drug or a treatment, I'm trying to reach my target audience. There's no point in serving that ad to someone, you know, who doesn't need that treatment or drug.
[03:22]
Alan Chappelle
Okay, so that makes sense. And the next thing I want to align on is sensitivity because you had said, you know, health treatment, health condition, you know, there's sort of a sliding scale in my view when it comes to health data. You know, on the lower end of the scale you'd say, you know, visits the gym or, you know, uses vitamin D. But you know, then there's things up to flu sufferer and even cancer. And so how should the audience be thinking about sensitivity when it comes to health targeting?
[03:47]
Jessica Lee
Sure. And you know, this one is complicated. I think that the thing to keep in mind in this space generally is that the goalposts are moving frequently. Right. So this is something you have to stay on top of. You know, historically, I think we would have looked at, you know, the NAI code of conduct, which tried to draw a line for sensitivity with things like, you know, cancer or sexually transmitted diseases or drugs that can't be treated with an over the counter medication. But in the new wave of state privacy laws, some of those definitions have broadened. So, you know, in theory, your medical status, your medical condition could include the fact that you have the cold or a flu, for example. And I think kind of where you fit on that scale, you know, kind of depends on where you sit, what your risk tolerance is and, you know, what your audience is. Because the laws, I think, are somewhat intentionally vague. And it gives companies an opportunity to make their own distinctions and draw their own lines, but be able to defend those.
[04:45]
Alan Chappelle
Yeah. You know, I found myself having to almost entirely rethink how I thought of sensitivity under the Khan ftc. Because when, when you have the head of the FTC basically saying that, you know, a vitamin D segment could be considered sensitive in some context, you start to go, oh my goodness. Well, that Begs the question is like, where do they draw the line and what isn't sensitive in that type of context? And so that's always a bit of a challenge. And speaking of the ftc, you know, we have a new administration in and I'm just curious to get your sense of, you know, Kahn was using terms like surveillance capitalism. The Ferguson FTC seems less engaged on health or at least that's my initial impression, but I'd love to hear yours.
[05:27]
Jessica Lee
Sure. And, but before I do that, if you don't mind, I'll go back just one more point. On the last topic, I just wanted to note, you know, there's a theory that basically anything could be sensitive because, you know, if you collect enough data over time, you can generate inferences that could eventually lead to something that's sensitive. So just knowing, you know, like you said, someone goes to the gym or has a gym membership should seem fairly innocuous. But over time that, you know, adding additional data points to that data, you could lead to additional inferences. So I think that's where you're starting to see things go with things like vitamin D. I think that's also why it's really hard to draw the line and why my answer was it kind of depends on what you're doing internally and how your data is structured internally. So can you make an argument that you're not, you know, making those additional inferences that could lead to health information?
[06:15]
Alan Chappelle
That's a fantastic point. And you know, one of my pet peeves around how privacy is talked about is that I don't think there's enough energy focused on the scale of a data set, the amount of data being collected. I mean, it's sort of implicit in there, but I don't know that it's really, really stated clearly. I know Europe is trying to get there with DMA and dsa, but I just think in general it's not something that's talked about enough. And I think that's a mistake.
[06:41]
Jessica Lee
I agree. But you know, to your next question on the ftc, you know, that's going to be interesting. I definitely think the Khan administration was very much anti advertising. I don't think that's controversial to say. I think they were highly skeptical of advertising and the impacts of advertising. So, you know, terms like surveillance advertising, you know, really took off and they, they dug into that. I don't think that this administration has that same lens on advertising. But that doesn't mean it's completely sort of, it's a, a free for all. Right. Because we did see the new FTC commissioner weigh in on things like precise location information. So in the mobile wall action at the end of last year, you know, he said precise location information, precise geolocation information is sensitive information that would require opt in consent. And if that precise location is tied to, you know, a health related location, I think he would, my expectation is that he would still find that to be sensitive. So we haven't really seen him weigh in as heavily. It's also, it feels like it's been three years, but it's only been three months. So we've got to give them a chance. But I think we also have to think about the layer of politics that will come on top of it. And to the extent that health information could impact any of the administration's initiatives, some of how they interpret health information or the sensitivity of that information might also be looked at through that lens.
[08:05]
Alan Chappelle
That's a great point. And I think that the Ferguson FTC is probably going to focus a little bit more on harms and for better or worse, health and precise location or boy, the combination of the two. Much easier to draw a straight line between the use of those type of segments and a tangible harm.
[08:22]
Jessica Lee
Yeah, I agree, I agree. But I do think to your point, it's going to be that tangible harm, like is there a concrete harm, not a philosophical harm or a possible harm or you know, something that's a little bit down the line, but we just want to put as many guardrails in place. I don't think you're going to see that approach from, you know, Ferguson administration.
[08:39]
Alan Chappelle
I would agree. Okay, so the FTC is only one of the cooks in the kitchen when it comes to health. And I think you alluded to this a moment ago. You know, the US States have really stepped in to enact privacy laws which implicate health. And so walk us briefly through that. You know, starting with, you know, Washington, Connecticut, Nevada, California is sort of interesting because they seem to very hyper focus on the concept of inference, which is sort of interesting in a health context. But walk us through, you know, what are the states up to?
[09:08]
Jessica Lee
Yeah, the states have been very busy and I think it's important to think about the timeline on this as well, because when CCPA was passed in 2018, there actually wasn't a sensitive information definition. It was just personal information that was added later with the cpra. And then we saw the states after that all had some definition of sensitive information. Most of them required opt in consent for that. But if you look at the timeline so you have 2021, you have Virginia and Colorado, they have sensitive information definitions. And then in 2022, Dobbs, we have the Dobbs decision. Right. And I think when the Dobbs decision comes into play, that's where you really start to see states shift. So Connecticut passed their privacy law, and then after Dobbs, they passed an amendment to that privacy law that strengthened the language around health information, specifically calling out gender affirming care and reproductive rights in the definition of what is sensitive under a health condition. So you can see that somewhat in a direct response almost to the Dobbs decision kind of putting in additional protections. And I think that informed some of the Khan administration's viewpoints on this as well. Right. So you have, you know, Colorado passes their law, but then they also have the right to pass regulations. And so their regulations is really where they went deep into what is sensitive information. And then an inference, sensitive inferences as well. And then you see California following suit. So you see this kind of like snowball effect that comes after 2022, which is after the Dobbs decision, where states are looking at their privacy laws to see are there additional protections we can put in place for health information. And in many cases specifically calling out reproductive health to try to counter the effects of Dobbs.
[10:51]
Alan Chappelle
So it's a really interesting point, Jessica. So the overturning of Roe v. Wade created a vacuum that the stepped into. And they, they boy stepped into it, one might argue, with the fury. And then the second thing that wrote the overturning of Roe v. Wade did, with respect to the Dobbs decision, was that that you now created a scenario where there's a harm argument to be made and it's significantly more tangible.
[11:17]
Jessica Lee
Exactly right. And then so Washington State, which for years in the kind of state privacy law world had been a state everyone had looked at, and each year they got really close to this broad, comprehensive privacy law, and then it failed. But what they were able to pass was My Health, My Data act, which was kind of the first health care focused, very restrictive privacy law focused in that space, taking a very broad approach to what can be consumer health data, data that's linked to a consumer's health status or treatment, anything that could be reasonably associated with the consumer's health, anything that can be used to infer health conditions. This definition is very broad. It has examples in it. But behind the scenes, as companies are looking to interpret what that means, it goes back to what we're talking about at the top of the call. Is it flu treatment? Is it headache medication? All of that arguably falls under that law. And what's distinctive about my health, my data, outside of that broad consumer health definition, is the fact that there's a private right of action. So now we have the first state where it's not just regulators, where you might be able to go and say, well, here is what our process was and let us try to have a conversation or there's limited resources. Now you have a private right of action. And I think that really, you know, scared companies about what this law can mean or what it could do.
[12:33]
Alan Chappelle
Sure. I mean, and just from the business folks listening here, you know, the private right of action allows class action litigants to allege violations of the law and to sue based on those violations. And so, and the funny thing about the class action bar, bless their hearts, is that they are really creative and they're really persistent. And so there's a scenario where, you know, almost anything could be deemed health data shooting, shoe purchaser, running enthusiast, those types of things could be health related. And I know that there's a harm requirement that they need to pass over, which makes it a little bit more comfortable for the world. But boy, you know, I always give the example of a class action suits where, you know, they were able to convince judges consistently that a video, you know, website is a videotape manufacturer pursuant to a 1980s law. So if you think that they can't, you know, find a crowbar to find a loophole within a law, you might want to think again.
[13:30]
Jessica Lee
Exactly. And I mean, honestly. And half the battle with these, you know, I was asked once to come speak to a business audience about, you know, what keeps their lawyers up at night or why their lawyers ask them the questions that they ask them. And what you're talking about is exactly it. It's, you know, a videotape law that could lead to, you know, these lawsuits of private harm. It's a law like this where you just get a little nugget and a lot of these cases don't go to court, but they settle. Right. And they could settle for tens of thousands of dollars, sometimes more. And the cost of litigating is so high. So that's really where you see businesses getting concerned. And I should have mentioned for Washington, one of the distinctions was, you know, this is a consent driven law that required almost HIPAA like authorization to get consent. So it's not a kind of cookie banner. It's not a checkbox where you could get consent for this data. It was a authorization with enough detail that I don't know, any company that thought, oh, I'm going to go to get consent to get health information for advertising purposes, one, because it's too hard and two, because we don't think we're going to get it.
[14:30]
Alan Chappelle
That's a great point. There's. And kind of leads me to my next question. There's a. There's a New York law that has made its way through the legislature and is awaiting the governor's signature. And what's kind of interesting about this one is that it sort of moves beyond the consent requirement and into an outright prohibition around almost any type of sale. So, you know, ad targeting, if it meets the definition, it would seem like would be prohibited under the. This law at the pass. But. But walk me through how, you know, New York is thinking about that.
[15:00]
Jessica Lee
Sure. And New York is somewhat similar in that it has a, you know, really broad range of what is considered, you know, consumer health information. But it does, to your point, go beyond. And it's basically, it's just consent or necessity. So you can use health information if you needed to provide the service. So you're a fitness app. Right. You're a healthcare app. You might need that information, but you can only use it for that purpose. You could not further monetize it without getting consent. And that consent, there are a couple of hiccups around that. Right. So in addition to it being complicated in the way that Washington's is, you have to wait 24 hours before you can ask someone for consent. That consent would need to be renewed once a year. You know, that's just operational hurdles that makes it nearly impossible to do that and then additional consent required for certain disclosures and prohibitions on sale. Right. So this is a law that is much more restrictive and it's also broad in the sense that Washington's law applies to Washington residents. So you'll see, you know, businesses reaction to Washington was to exclude Washington residents from their data sets. Right. That might be doable for New York. It applies to anyone who is a New York resident or in New York State when that information is collected. So trying to track that from, you know, operational perspective is. Is going to be very challenging.
[16:16]
Alan Chappelle
And just to close the loop on the New York law, because I'm sure somebody listening to this is probably thinking, well, but if you can use it pursuant to the service being offered, ad targeting is part of the service. And so, you know, what's your thinking on that? What is the likelihood that that's going to fly given how this law is constructed?
[16:35]
Jessica Lee
Yeah, that's not going to fly. You know, I think, I mean, if you say our service is to monetize your data in exchange for something, and that's very clear, maybe it's hard for to think of a scenario where that that's really going to fly with the Attorney General. It's really to provide the service that the consumer has requested. Right. And there's unlikely that the consumer has requested targeted advertising. I know there'll be attempts to make that argument, but that's not likely to happen, I should say. That bill also sits, it has not gone to the governor's desk yet. And there is a flurry of activity looking to get some chapter amendments, which means that the governor could amend that bill and make some of the provisions a little bit easier to navigate. So anyone listening to this should be talking to their internal teams about what they're doing to try to push this bill a little bit away from where it is right now to a place that might be more manageable.
[17:30]
Alan Chappelle
There's one other component to this law that I think is really interesting and it's quickly becoming a trend in the states and it's rulemaking. And so walk the audience through that because even once the law is done, it sort of isn't done.
[17:44]
Jessica Lee
Right, right, right. And you know, there's pluses and minuses to this. So some laws are just laws. So you just have whatever's in the four corners of the paper of the text and that's all you have to work from. But other states, like California for example, I mentioned Colorado earlier, and then New York in this, in this healthcare bill, they have the right to pass additional rules. Right. So that gives additional color to what the law requires. And on the one hand that's helpful. On the other hand, we've seen like Colorado and California add new or additional requirements into their law through the regulation process. Right. So gpc. Right. The requirement to respond to a browser based opt out signal came through rulemaking in California. You don't see GPC in the original text of the California bill. So you could see additional obligations or requirements or details that could add, you know, more obligations on top of this law. It would give clarity, clarity, which is helpful. But it could add more obligations on top of this law as well.
[18:45]
Alan Chappelle
Yeah, and, and one thing that occurs to me is that if you have more and more states that have rulemaking authority within their privacy laws and if those states become as active as say California, boy, does that add potentially a whole bunch of additional complexity to fix.
[19:00]
Jessica Lee
Exactly. Well, I mean, that's why I Said the. The goal posts are always shifting. Right. And, you know, some of it's good and some of it's bad. You know, we want a law to be flexible. We talked about the video privacy law from the. The challenge with that is you're trying to take a law that was passed at a time where current technology doesn't exist and apply it to new technology, and it just doesn't work. And there's no rulemaking there. You know, what California has said is what they intend to do is to, you have this law, but they plan to look across the market and see what's going on and then issue additional rulemaking to address those changes. So as technology advances, as business advances, they can adapt their law to the current circumstances. And so there is value in doing that. I think the challenge for business is that you kind of build a program and then you have new rulemaking, and that might go against how you originally interpreted the law or how you originally set yourself up. And now there's something new to do. So this is a journey. This is an ongoing activity. This is not sort of deal with this law, find your solution and then move on, because it's something that's going to be continually evolving.
[20:07]
Alan Chappelle
So we've mostly talked about the US And I want to shift a little bit and at least get your thoughts of how things have emerged in Europe who are arguably, you know, health data falls under special category data, at least in some contexts. But. But walk us through, you know, how you think about the EU when it comes to health targeting.
[20:25]
Jessica Lee
Sure. I mean, it's interesting because I haven't spent as much time recently focused on that because like you said, we have GDPR from 2018. Health information was considered as a special category data because of the combination of GDPR and the E Privacy Directive and the need to have a lawful basis for processing. There's already a restricted market for advertising in Europe. Things like race and ethnicity, even beyond health information aren't used as widely. Health information and health targeting isn't used as widely. And that law has been on the books. Whereas in the US you have this evolving landscape. And the US tends to approach things, you know, in a very reactive fashion. Right. The video law came from confirmation of a Supreme Court judge in a reaction to what happened to when his video information was exposed. We tend to see things happen like you have can spam, you have to have the unsubscribe link because email was invented and marketers were using it. We have Dobbs. So you have these health laws that are in reaction to it. So they tend to be very prescriptive and then ever changing where, you know, because the EU is more broad and principles based, we kind of know what the landscape is there. And obviously there's, you know, the DMA and dsa and we're looking at things that. What it looks like to have these large data sets and how that affects the market. But on the grounds and nuts and bolts of health targeting, at least for me, the focus has really been on the US because all of that shifted and what was possible before has become much harder to do.
[21:55]
Alan Chappelle
Yeah, I think that makes sense. And there's some of that, when you get into this is a little off topic, but when you get into things like race and ethnicity, there is sort of a long history of using those types of segments in a very benign way in the US and it's been a huge adjustment for the business community. And one would argue that there's certainly at best a mixed bag around identifying those as sensitive.
[22:19]
Jessica Lee
I agree. Yeah, we could have a whole other conversation on that. I mean, the challenge with all of this is there are nefarious uses for a lot, even innocuous data. Nefarious uses. Right. And so you're trying to protect people by, you know, creating these categories of sensitive information and putting race and ethnicity and putting health in there, but they're also good uses for those categories of data as well. And that's, I think, the tension that the US is grappling with right now.
[22:44]
Alan Chappelle
Yeah, I would, I would agree. So one of the claims that I often hear from health targeting vendors is that their data set is HIPAA compliant, or they're using HIPAA de identified data sets. And, you know, walk us through. You know, obviously you're not in there inside anybody's brain, but what's your sense of what they mean when they say those things?
[23:03]
Jessica Lee
Sure. So you know, hipaa. So you know, you have two types of data. You have HIPAA covered data. And if data is covered by hipaa, it's because it was created or generated in the healthcare context by a covered entity like a hospital or physician or an insurance company. Right. And all that data kind of flows down from there. And so what could be valuable is getting, you know, health claims data, for example, or other sorts of definitive or determinative healthcare information. That data is phi covered under HIPAA unless you de identify it. And HIPAA has two standards. So you can either de identify it by stripping out up to 18 identifiers that you need to strip out in order to call that data DE identified. Or you can get a HIPAA expert determination, which basically means you get a statistician to come in and look at your data set and say there's a hip, you know, a very low probability that you would be able to re identify anyone in this data set, that you would be able to tie any one individual to a specific condition in that data set. And so what you see a lot of companies doing is not looking at this at the safe harbor which strips the identifiers out, because you would have to take out identifiers that would be helpful for targeting purposes, but looking at expert determination, having experts come in and say, you know, based on the size of this data set and how it's composed, we can call it DE identified.
[24:20]
Alan Chappelle
Okay, so that's a fantastic explanation and I appreciate that. But one of the things, you know, so we say that HIPAA brings this concept of DE identification to the table and the idea you remove identifiability from the data set, it takes shape so that it remains in that state and it becomes, you know, more privacy safe and, and allows one to remove the data set effectively from the privacy rule set, which is all great. You know, we've got 30 years of precedent or history on DE identification. And then, you know, the US States come along with very broad definitions of personal data and then broad interpretations of what an inference means. And then some I would characterize as rather odd definitions of what DE identified data in that means in that context. And so, you know, what does that do to the, the ad targeting community's ability to really pull a data set out of the privacy rules?
[25:13]
Jessica Lee
Yeah, and I mean, I would say you can't pull the data set out of the privacy rules.
[25:18]
Alan Chappelle
Right.
[25:18]
Jessica Lee
I would caution companies from thinking that there's some like, magic button and, you know, now it's HIPAA expert determination has been applied and so now the privacy rules don't apply. And because I think these two things have to work together. So if you look at the state definitions for what's DE identified data, it's data that's been, you know, DE identified, meaning it's been stripped of any, you know, direct identifiers in a way that'd be hard to tie that person back to a, you, a specific person back to a piece of data. But it doesn't stop there. You also have to make public statements that you will not re identify that data. You have to also not actually try to re identify that data and pass those obligations down to your partners. I think that becomes complicated because you take a DE identified HIPAA data set on the front end, you use that to create an audience. But at the end of the day, in order to reach that audience, you have to attach identifiers to that data. And that's, I think, where the rub comes in. I think the argument is even when you attach those identifiers, it's still DE identified because you don't know who in that data set has a condition. There's either enough, you know, there's enough noise or the size of the data set so big that you know, yes, there's some probability that someone in this data set has a condition, but you don't know who that is even once you attach those identifiers. But then the last step is you have to look in the back end. So once someone engages with that ad, you make an inference about that. So maybe you didn't know who's in the data set in the front end, but once you collect all of that, all the click through data, all the data that you collect from measuring the effectiveness of that ad, if you're generating inferences from that. So now I'm being added to an audience again, that's potentially where you see health information being created under the state laws because of the broad definitions of health information that do extend to inferences. So you kind of have to look at the full life cycle of how that audience is created and what information is taken from that audience to try to make an argument that, you know, you don't have health information somewhere in that journey.
[27:15]
Alan Chappelle
Right, but let me put you a little bit on the spot here. Once you have a targeting category assigned to a pseudonymous uid, isn't at the very least that some form of an inference?
[27:28]
Jessica Lee
Oh yeah, definitely. I mean, I think that's where you have to, you know, companies will look at things like, okay, can we, is it demographic data, for example? Because then you make an argument, even if you are trying to target a specific drug or targeting based on demographics, if you're using actual health information, how are we labeling that segment? Can we label that segment in a way that strips out the, you know, health related information? That's hard to do because you need to know who you're reaching. So it has to be descriptive. But yes, I think, I think this is where the balancing act comes in and it becomes, you know, I think a risk based decision. You can put governance controls in place with things like labeling and, you know, segment naming and that kind of thing, but if you're in a segment of diabetes patients, you Know, I think you can, you know, there are inferences to be made there and regulators aren't going to look at that as anything but health information, depending on what state you're in and how they would define those terms.
[28:20]
Alan Chappelle
No, that makes sense. What two or three insights would you want the audience here to take away when it comes to health targeting in a way that, that is defensible and we'll just say privacy safe.
[28:31]
Jessica Lee
Sure. Well, I'll go back to what I said before. I would say look at the whole data life cycle. I do believe it's possible to create, you know, audience segments that do either use, you know, demographic data, use, you know, HIPAA expert determination, use a combination of factors to say, or privacy enhancing technologies. We've created this segment of consumers where there's some probability, but no determinant of data that someone has a particular condition. But I think you need to also kind of go, like I said, through the rest of the life cycle and make sure that inferences aren't being generated on the back end, that there are appropriate controls in place that you have the right segment naming conventions in place. Again, the big picture for this is that regulators are concerned about the harm, the harm of being placed in a segment that reveals your health condition, what that could potentially do for you. So what controls can you put in place to try to get ahead of that harm? And then could that information then be used for other nefarious purposes? Do you get denied, you know, insurance, for example? Do insurance to certain decisions get made based on that data? So I think it's important to first take a step back and understand what the harms are that the regulators are trying to get at and then zoom into what you're doing specifically and see how you can make an argument about how you've tried to defend or protect against those harms. That way no one's going to be perfect. But I think it's important to be able to tell a good story about the controls that you put in place. And then, you know, I will say leverage privacy enhancing technologies. I do think there's an argument there that can be made. Again, going back to how have you created this segment? Have you introduced enough noise? I don't think it's enough to just say you've hashed IDs and then we're protected. You have to go a layer deeper than that. So I would say again, lean into privacy enhancing technologies and then track the space because it is a moving goalpost and make sure you're kind of marching with the Crowd not getting too far ahead of it.
[30:24]
Alan Chappelle
It's funny, I remember when Commissioner Leibowitz, so I'm going back a bit here, made a huge deal around the use of interest based advertising data for things like insurance underwriting. And most of the business community, and even a lot of the privacy community said, come on, that's not happening. And it was true. At the time, I think that was very rare. But we now see even, you know, in the case of connected cars, and that's a little different, but not that far from far afield. Here you're starting to see that type of information, that it does make its way into the, the insurance game. And that's, I think, where the, the huge tangible harm comes from.
[31:02]
Jessica Lee
Yeah, insurance, government access to that data, and what could happen if the government gets access to that data. Again, depending on what state you're in and what those interests are. So I think it used to be, oh, we're just selling, you know, we're selling shoes or selling purses, but you know what, we're talking about health information. I think there are some significant harms that need to be addressed.
[31:19]
Alan Chappelle
Yeah, I would agree. This has been a fantastic conversation. Jessica, I really appreciate you coming on. And I just have one more question for you. Share what your hobby or passion is. I always like to humanize a lot of really smart people coming on this show, and I like to just give the audience something like just what's the Jessica behind the Jessica?
[31:39]
Jessica Lee
I feel like I need a new answer because I talk about this a lot, but I do run. I run a lot. I run marathons. So I ran the Tokyo Marathon marathon last year, which was an amazing experience. And I have a couple of marathons, including the Berlin Marathon coming up this year. So travel and running, I think would be two passions I could put on that list.
[32:00]
Alan Chappelle
Those are great ones. So I did one marathon. I did the 2001 New York City Marathon, and it was one of the most fantastic experiences my entire life. And there is no chance in the world that I'm ever going to do another one. So kudos to you. You've done a bunch of them.
[32:17]
Jessica Lee
It sounds like I've done eight. At the end of this year, hopefully it'll be 10. I did New York three times, and after the first New York, I said, I'm never doing this again. That was a lot of fun. And then I signed up for the one the next year, so it got me. I don't know how, but it did.
[32:34]
Alan Chappelle
But we've talked a bit on this podcast that running is a fantastic way of grounding yourself in the same way that yoga is. And so that's a gift that you're able to give to yourself. And so just, just fantastic. I still run, but it's, it's in the three or four mile at most variety. But even that boy is just wonderful.
[32:54]
Jessica Lee
Yeah, a much more humane distance, I would say.
[32:58]
Alan Chappelle
Jessica Lee, thank you so much for coming on.
[33:01]
Jessica Lee
Thanks for having me.
[33:03]
Alan Chappelle
That was fun. I'm glad to have had the chance to chat with Jessica. We've got a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts.
[33:25]
Innovid Host
Thank you for listening to the marketecture podcast. New episodes come out every Friday and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at Marketing. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market tv. And if you're feeling social, we operate a vibrant Slack community that you can apply to join@adtechgod.com.