Bupa says it does not activate targeted health-related advertising based on user behaviour
Last week we reported that Financial Times had named Bupa, among a number of other leading health websites, as part of an investigation into the sharing of sensitive data with advertising giants such as Google, Amazon and Facebook.
The FT analysed 100 health websites, including WebMD, Healthline, Babycenter and Bupa, to find that 79% of sites dropped ‘cookies' which allowed third-party companies to track individuals around the internet without consent - a legal requirement in the UK.
The investigation found that keywords such as ‘heart disease' and ‘considering abortion' were shared from sites such as British Heart Foundation, Bupa and Healthline to companies including Scorecard Research and Blue Kai (owned by Oracle).
We take the privacy of our customer data extremely seriously
Bupa told COVER that its cookies policy outlines that cookies are used to collect information about users' browsing habits in order to deliver relevant adverts, as well as to limit the number of times they see an advert and to help measure the effectiveness of advertising.
It confirmed, however, that it does not activate any advertising or targeting-based user behaviour on the sections of the site which provides health information to users.
Bupa said it has never passed data to brokers or those selling health products and that it is not possible for an advertiser to buy an audience who have previously visited Bupa.co.uk.
When profiling customers, Bupa said it tailors advertising to audiences who reflect the users of our website, however this is based on general demographics (such as location, age and device usage) and never upon health information. If someone visits the website, it may choose to tailor advertising towards them in future but this is not based on any visits to health information pages, it said.
"Unique IDs of visitors to the website are shared with selected third parties in order to measure website performance and engagement. Again though, we don't share visitors' health information with any third parties."
Referring to a comment in the original FT article which suggested that online privacy and advertising are incompatible, Contact State's Alain Desmier said: "I see this level of co-dependency the whole time, where everyone assumes that GDPR and data compliance is someone else's responsibility."
"There general attitude of the industry is that the customer journey starts when the first phone call happens, my argument is that it starts when the first click happens and that needs to be completely tracked and logged," he said.
Desmier suggested he sees "serious fraudulent advertising breaches" currently happening a lot.
3% cashback each month
'You can tell it's general election season'
Part of ‘Vitality Pink’
£570 a month benefit