The Monopoly Report: Episode 22 Summary

Title: Episode 22 Jessica Lee on Navigating the Health Targeting Rules
Host: Alan Chappelle
Guest: Jessica Lee, Chair of the Privacy, Security, and Data Innovations Practice at Loeb & Loeb
Release Date: March 19, 2025

Introduction

In Episode 22 of The Monopoly Report, host Alan Chappelle engages in a deep conversation with Jessica Lee, an expert in privacy, security, and data innovations. The discussion centers on the complexities of health targeting in digital advertising, the evolving regulatory landscape in the United States, and comparisons with European regulations. Lee provides valuable insights into how companies can navigate these challenges and turn compliance obligations into actionable business strategies.

Understanding Health Targeting

The episode begins with Alan Chappelle setting the stage for the discussion on health targeting within the advertising ecosystem.

• Definition and Types of Health Targeting

  • Alan (02:10): "How should the audience be thinking about sensitivity when it comes to health targeting?"
  • Jessica Lee (02:38): Explains that health targeting involves using demographic data, de-identified HIPAA data, and online activity to reach individuals who may benefit from specific medical treatments or drugs.

• Sensitivity in Health Data

  • Jessica Lee (03:21): Discusses the sliding scale of sensitivity in health data, from benign information like gym memberships to more sensitive conditions like cancer.
  • Alan (03:47): Highlights the challenge of defining sensitivity, citing the FTC's stance that even vitamin D segments can be considered sensitive.

Regulatory Landscape in the United States

• Federal vs. State Regulations

  • Jessica Lee (05:27): Contrasts the Khan administration's approach to advertising with the more recent FTC actions under the Ferguson administration, noting a shift towards focusing on tangible harms.
  • Alan (08:04): Emphasizes the role of state laws in the absence of stringent federal regulations, with states like Washington, Connecticut, Nevada, and California enacting their own privacy laws.

• Impact of the Dobbs Decision

  • Jessica Lee (09:08): Explains how the Dobbs decision catalyzed states to enhance protections around reproductive health data, leading to more restrictive privacy laws.
  • Alan (10:50): Observes that the overturning of Roe v. Wade created a tangible harm argument, compelling states to act more decisively.

• State-Specific Laws

  • Washington State's My Health, My Data Act (11:16):
    • Jessica Lee: Describes it as the first health care-focused privacy law with a broad definition of consumer health data and a private right of action, heightening business concerns about potential lawsuits.
  • New York's Proposed Law (14:59):
    • Jessica Lee: Details New York's stringent approach, including consent requirements and an outright prohibition on the sale of health data, making operational compliance challenging for businesses.

Comparing U.S. and European Regulations

• European Union's GDPR and E Privacy Directive

  • Jessica Lee (20:25): Notes that the EU has long-standing regulations like GDPR that categorize health data as special category data, requiring a lawful basis for processing. Unlike the U.S., Europe employs a more principles-based approach, providing clearer guidelines for health targeting.

• Reactive vs. Principle-Based Approaches

  • Jessica Lee (20:25): Contrasts the EU’s proactive, principles-based regulations with the U.S.’s reactive, prescriptive laws that evolve in response to specific events or rulings.

HIPAA Compliance and Data Identification

• Understanding HIPAA and De-Identification

  • Jessica Lee (23:02): Clarifies HIPAA's role in protecting health data, distinguishing between covered data and de-identified data. Discusses the two standards for de-identification: stripping 18 identifiers or obtaining expert statistical determination.

• Challenges with HIPAA and State Laws

  • Jessica Lee (25:13): Warns against assuming HIPAA de-identification exempts data from state privacy regulations. Emphasizes that de-identified data must still adhere to state laws regarding inferences and re-identification risks.

• Inference and Segment Naming

  • Alan (27:27): Questions whether assigning a targeting category to a pseudonymous UID constitutes an inference.
  • Jessica Lee (27:27): Agrees it does, highlighting the difficulty in labeling segments to avoid regulatory scrutiny, especially when segments are based on health conditions like diabetes.

Risks and Potential Harms

• Tangible Harms from Data Use

  • Jessica Lee (31:01): Identifies risks such as discrimination in insurance or government access leading to adverse outcomes for individuals based on their health data.

• Regulatory Focus on Harm Prevention

  • Jessica Lee (28:30): Emphasizes understanding the specific harms regulators aim to prevent, allowing companies to implement controls to mitigate these risks.

Business Implications and Best Practices

• Adapting to a Shifting Landscape

  • Jessica Lee (30:23): Advises businesses to view compliance as an ongoing process, continually adapting to new regulations and rulemakings.

• Leveraging Privacy-Enhancing Technologies

  • Jessica Lee (28:30): Recommends using privacy-enhancing technologies and maintaining robust data governance to protect against potential inferences and re-identification.

• Developing a Defensible Strategy

  • Jessica Lee (28:30): Suggests companies should prepare to articulate their compliance strategies effectively, demonstrating the controls in place to prevent harm from health data usage.

Conclusion and Key Takeaways

• Holistic Data Lifecycle Management

  • Jessica Lee (28:30): "Look at the whole data life cycle. Ensure that inferences aren't being generated on the back end and that appropriate controls are in place."

• Stay Informed and Adaptive

  • Jessica Lee (28:30): "Track the space because it is a moving goalpost and make sure you're kind of marching with the crowd, not getting too far ahead of it."

• Focus on Harm Prevention

  • Jessica Lee (28:30): "Understand what the harms are that the regulators are trying to get at and then zoom into what you're doing specifically and see how you can defend against those harms."

Final Thoughts

Alan Chappelle wraps up the episode by highlighting the importance of understanding the complexities of health targeting and the evolving regulatory environment. He encourages listeners to stay informed and proactive in adapting their strategies to ensure compliance and protect against potential harms.

Notable Quotes:

• Jessica Lee (02:38): "Health data can come from a number of different sources, but it's all tied to trying to reach someone who needs a specific treatment or drug."
• Alan Chappelle (06:41): "I think there's a mistake in not talking enough about the scale of a data set and the amount of data being collected."
• Jessica Lee (25:18): "I would caution companies from thinking that there's some like, magic button and now the privacy rules don't apply."

About the Host and Guest

• Alan Chappelle: Host of The Monopoly Report, focusing on antitrust issues in big tech and their impact on the global advertising economy.
• Jessica Lee: Chair of the Privacy, Security, and Data Innovations Practice at Loeb & Loeb, with extensive experience in guiding companies through complex regulatory landscapes in media and advertising.

Subscribe to The Monopoly Report:
Stay updated with the latest discussions on antitrust and regulatory issues affecting the advertising industry. Subscribe here or find the podcast on Spotify, Apple Podcasts, YouTube, or your preferred platform.