Healthcare Website Privacy Risk Basics – What You Need to Know

By Ian Cohen, CEO, LOKKER

Healthcare organizations in particular are responsible for managing privacy risks resulting from third-party website functionality. Third parties can be introduced in various ways for many purposes, such as simplifying website development, adding “share” buttons like the Facebook button, or sending user data to third-party advertising services. Too often, these technologies add functionality to your site at the cost of added privacy risk. And every third party creates some risk. Understanding the technology used to share data helps you understand and manage these risks. This article explains how specific components – pixels, cookies, and scripts – collect and share data and how they often work together. Let’s dive in.

PIXELS for Sharing Data

Let’s imagine a website called Sleepgear.com, which sells sleep-related goods. A user named Bob Smith comes to the site and puts a sleep monitor in his shopping cart. Simultaneously, Sleepgear sends an invisible message to inform YouTube of this action, using a component called a pixel. When YouTube gets the message, it records this shopping action in Bob’s browser. Instead of using Bob’s name, YouTube uses an anonymous ID like 1234 to record these activities in Bob’s browser. Quality sleep is an essential component of good healthcare, which qualifies this transaction under the governance of healthcare privacy regulations.

COOKIES for Recording Data

Every website you visit gets a private section in your browser to record information about your visit to that site. The records stored in that section of the browser are called cookies. Each time a pixel shares data from Sleepgear.com to YouTube, the site receiving the message (YouTube) can write that data into the YouTube cookies in Bob’s browser.

Unlike the pixel that shares Bob’s add-to-cart action to YouTube, recording this action in a YouTube cookie in Bob’s browser is what leaves a record that anonymous ID 1234 has visited Sleepgear.com and put a sleep monitor in his cart. This is why if Bob deletes his cookies, YouTube loses its record of Bob’s interest in sleep monitors.

Each cookie is linked to a website, meaning only the website owner can read its cookies in Bob’s browser. Only YouTube can read what it has recorded, and only Sleepgear can read what it has recorded.

JAVASCRIPT for Powerful Capabilities

The pixel messages on web pages are relatively simple – e.g., ID 1234 visited this page. JavaScript allows for the recording of complex automated transactions. Every time you click something or scroll down a page, JavaScript can record what happened. JavaScript is a complete, powerful programming language that enables recording a huge variety of actions and data, which can later be shared with third parties:

  • JavaScript can record your actions on Sleepgear.com; what you viewed, how long you viewed it, even grab names or other sensitive data from forms, and record any information/action you are doing or have provided to a website.
  • JavaScript can initiate and transmit data to multiple pixels, enabling communication to one or more third parties. Third parties like YouTube can use this data to display the right ads, suggest videos on topics like better sleep, or even share this information with other Google services.

Tag is another term you may hear to identify either JavaScript or pixels on a page.

USING the Shared Data

Let’s assume Sleepgear.com has purchased advertising on YouTube – specifically, it is asking YouTube to show ads to all people who put something in their cart. Since healthcare advertising is subject to unique consumer privacy protections, Sleepgear.com must ensure proper consent has been collected for showing these ads.

When Bob goes to YouTube the next time, YouTube can read what it previously recorded because of the cookie it created in Bob’s browser from his Sleepgear.com visit. YouTube sees that Bob put a sleep monitor in his cart. This signals to YouTube that they should show an ad to Bob:

BUY A SLEEP MONITOR FROM SLEEPGEAR.COM.

Keeping Data Privacy Safe

Let’s revisit the point about Bob’s name not being recorded or even known by Sleepgear.com. Instead of storing Bob’s name, an anonymous ID 1234 is created and stored in a cookie, which acts as an identifier for Bob’s browser. This allows Sleepgear.com to recognize Bob’s visits, specifically his browser, without needing to know his identity. The connection is made to Bob because he used the same browser to access both Sleepgear.com and YouTube.com. These elements ensure that no one learns personal, sensitive info about Bob. You can get personalized ads based on your interests, but your identity remains anonymous. It’s just websites working together to make sure you’re seeing relevant content. Plus, it’s like the internet leaving helpful sticky notes around to ensure you’re not bombarded with ads for things you’ll never want—like ads for reverse mortgages when all you care about is sleeping well!

Wrapping It Up

Your website privacy risk is clear when you know exactly what data is being shared. For example, privacy risk exists if Bob’s sensitive data is shared along with his sleep issue to YouTube. Since sleep issues are health issues requiring complex healthcare regulatory compliance, it’s even more crucial to expose and understand this sharing.
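
One way to see exactly what is being shared, as an added example (not from the original article or from LOKKER): the script below reviews a list of request URLs captured from a page and reports which third-party requests carry an identifier, health context, or personal data in their parameters. The hosts, parameter names, and health watch list are constructed assumptions for illustration.

```javascript
// Constructed sample: URLs a browser requested while Bob used the cart page.
const FIRST_PARTY = "sleepgear.com";
const capturedRequests = [
  "https://www.sleepgear.com/cart/add?sku=sleep-monitor",
  "https://cdn.sleepgear.com/js/site.js",
  "https://pixel.video-ads.example/track?id=1234&ev=add_to_cart&item=sleep-monitor",
  "https://collect.analytics.example/p.gif?id=1234&ev=form_submit" +
    "&email=bob.smith%40mail.example&page=%2Fsleep-apnea-quiz",
];

const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const HEALTH_TERMS = ["sleep", "apnea", "insomnia"]; // assumed watch list
const ID_KEYS = /^(id|uid|cid)$/i;                   // assumed identifier keys

// A host is first party if it is the site itself or one of its subdomains.
function isFirstParty(host, site) {
  return host === site || host.endsWith("." + site);
}

// Return one finding per third-party request, with the parameters of concern.
function auditRequests(urls, site) {
  const findings = [];
  for (const raw of urls) {
    const url = new URL(raw);
    if (isFirstParty(url.hostname, site)) continue;
    const flags = new Set();
    for (const [key, value] of url.searchParams) { // values arrive URL-decoded
      if (ID_KEYS.test(key)) flags.add("identifier:" + key);
      if (EMAIL_RE.test(value)) flags.add("pii:" + key);
      const lower = value.toLowerCase();
      if (HEALTH_TERMS.some((t) => lower.includes(t))) flags.add("health:" + key);
    }
    findings.push({ host: url.hostname, flags: [...flags].sort() });
  }
  return findings;
}

// The case the article calls out: personal data sent together with a health signal.
function highRisk(findings) {
  return findings.filter(
    (f) =>
      f.flags.some((x) => x.startsWith("pii:")) &&
      f.flags.some((x) => x.startsWith("health:"))
  );
}

console.log(JSON.stringify(highRisk(auditRequests(capturedRequests, FIRST_PARTY)), null, 2));
```

The first third-party request sends only the anonymous ID with the cart item; the second sends an email address alongside a sleep-related page path, which is the combination to investigate first.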

Ultimately, cookies, pixels, and JavaScript allow websites to share useful information without exchanging a user’s actual personal information. That doesn’t mean the sharing is always appropriate, just that the codes exchanged to retarget ads often don’t include personally identifiable information.

A recent survey found the weakest link in healthcare organizations’ cybersecurity is third-party vendor risk. Having the tools to inform you which third parties are on your site and the data collected in each element can reduce your privacy risk and help keep your company safe.