About two years ago, the popular “health quiz” website RealAge.com was acquired by the Hearst Corporation, a media conglomerate, for an estimated $60-70 million. It’s a website that dresses up as a fun, friendly, and harmless quiz, but if you look beyond the facade, it’s a drug marketer’s wet dream. I wrote about the clear transfer of private health information to the Hearst Corporation when it happened, because I was dismayed that the mainstream media completely ignored this aspect of the acquisition.
Well, apparently the mainstream media has woken up two years later (better late than never), and has started to comment on the targeted marketing programs RealAge is offering to big pharmaceutical companies. From the NY Times article last week:
RealAge allows drug companies to send e-mail messages based on those test results. It acts as a clearinghouse for drug companies, including Pfizer, Novartis and GlaxoSmithKline, allowing them to use almost any combination of answers from the test to find people to market to, including whether someone is taking antidepressants, how sexually active they are and even if their marriage is happy.
This also got coverage on Foxnews.com and on a Healthcare IT news site, where I got the trackback that alerted me to the new stories. I’ve done a little more digging, and I’d like to offer another post summarizing what I believe to be the issues that the mainstream press needs to cover more thoroughly here.
RealAge is selling targeted marketing to specific segments of this population based on private health information that the consumer has “trusted” to RealAge by answering their online quiz and creating an account. It sells to big pharmaceutical companies, who would like to get drug advertising to consumers, especially if it matches up with their own personal health data. While the technique of targeted marketing isn’t technically selling anyone’s private information directly (as Fox News claims in its article), it does provide an extremely accurate method of reaching consumers that has tended to rile privacy advocates in the past.
The actual way that targeted marketing works is by collecting user behavior information, aggregating user profiles by their behavior, and then creating marketing channels against which advertising can be sold by the marketer. If you’re a drug company, you can sell depression drugs to people who have indicated problems with depression, without actually having their email address or personal info. You just have to find a company that is willing to sell you ad space in email or on the web to a specific set of users who have indicated such a problem.
This is the exact kind of behavior that internet giants Google, Yahoo, and Microsoft got a Congressional letter about last year, but it’s being done with one of the most sensitive topics imaginable – personal health data.
However, doesn’t this exact wording in the RealAge privacy policy today seem to go beyond targeted marketing?
Except as otherwise stated in this policy, we do not sell, trade, or rent the Personal Data collected from our services to third parties. However, we will share your Personal Data with third parties to fulfill the services that you have asked us to provide to you, including but not limited to sending you free newsletters and promotional e-mails. These third parties are required not to use your Personal Data other than to provide the services requested by RealAge. You expressly consent to the sharing of your Personal Data with our contractors and third-party service providers for the sole purpose of providing services to you.
Hmm. Let’s see how they define Personal Data, shall we?
We collect Personal Data from you, such as your name, e-mail address, country of residence, zip code or mail code, gender, and/or birth date when you register for a membership with us or when you choose to use the various services we provide on our site (e.g., Tip of the Day, Health Assessments, etc.). We also collect other types of Personal Data that you provide to us voluntarily, such as your health-related information when you respond to surveys, health assessments, and questionnaires.
Does this strike anyone else as giving them wiggle room to go beyond targeted marketing, and provide Personal Data to third parties? This section certainly seems bizarrely worded to me. Here’s the version of the Privacy Policy that archive.org grabbed in October of 2007 (immediately following the acquisition):
Except as otherwise stated in this policy, we do not sell, trade, or rent the Personal Data collected from our services to third parties. However, we will share your Personal Data with third parties to charge your credit card (if authorized by you), fill your order, and deliver promotional e-mails. These third parties are required not to use your Personal Data other than to provide the services requested by RealAge. You expressly consent to the sharing of your Personal Data with our contractors and third-party service providers for the sole purpose of providing services to you.
The change is highlighted in bold. While I wouldn’t go so far as to say that something malicious happened, I believe that the newer version does grant them more abilities in the disclosure of Personal Data to third parties, while restricting them to those that “fulfill the services that you have asked us to provide to you”. That still seems like an awfully large loophole to me, but I think the main thing that allows for scary possibilities is the lumping together of fairly generic personal info and private health information both into the moniker of Personal Data. If the data they could share were limited to address, zip code, etc., then I’d be more clear that private medical data was not being given out to third parties at all, while allowing them to perform targeted marketing. It would still be a cause for concern for people who don’t want to be targeted for health info, but it would presumably be easier to swallow than direct sharing of personal health data. Also, the user is being told that the third parties are required not to use the Personal Data for other purposes, but that seems like an awfully large leap of faith.
The second thing I think any RealAge consumer should be aware of is the network of companies that RealAge belongs to, namely, the Hearst Corporation. Hearst seems to have successfully “leveraged” its various properties and relationships to grow the user base from 8 million as of its acquisition, to a reported 27 million today. One of those marketing channels is a spokesperson by the name of Dr. Mehmet Oz.
If you haven’t heard of Dr. Oz, he’s a popular visitor to Oprah’s widely-viewed talk show, and the Times attributes a notable portion of RealAge’s growth in the past two years to his frequent endorsements as a paid RealAge spokesperson and adviser. It might raise your eyebrow further to learn that the Hearst Corporation, who owns RealAge (along with three other medical marketing companies, First DataBank, Zynx Health, and Medscape – are they considered third parties in the privacy policy?), also owns O, The Oprah Magazine. It may be an innocent relationship, but this is a giant media conglomerate, and as I wrote in my old post, when Hearst acquired this company, the Hearst Company acquired the Personal Data of all of its users along with its technology.
Altogether, these are the issues that I wish that the mainstream media would focus on now, as 27 million people and counting are almost certainly not all aware of what’s being done with the answers to their surveys that they have submitted. First of all (and perhaps most importantly), the wording of the privacy policy should be changed to separate personal information like name, email address, zip code, etc., from private health information that RealAge collects from their web quizzes. Public awareness about RealAge’s targeted marketing practices should be raised through press coverage. Finally, the relationship between the Hearst Company, O, The Oprah Magazine, RealAge, and Dr. Oz should be disclosed.