In the age of WhatsApp’s text messages, Apple Watches, Google searches, and TikTok videos, consumer digital health information is widely circulated. Data is collected by digital startups and large companies, clinics, and health care systems for multiple purposes from tracking COVID-19 infections to evaluating cardiovascular risk. While there are exciting opportunities for innovation and improving individual patient care and population health, consumers’ health information is routinely bought and used for marketing by a disturbing number of companies. Currently there are not any U.S. laws that govern this activity. The risk of data leaks and increased surveillance in a world after the Supreme Court’s Dobbs decision have made it all the more challenging to instill consumer trust. So what can be done to make the internet safer and increase consumers’ willingness to share digital health data?  

In a new JAMA Network Open study, former LDI Associate Fellow Ravi Gupta (now at Johns Hopkins University), LDI Senior Fellows Carolyn C. Cannuscio, Raina M. Merchant, David A. Asch, Nandita Mitra, and David Grande, and colleagues tested whether consumers were more willing to share data if certain protections were implemented such as  consent, data deletion, regulatory oversight, and transparency. In a cohort of 3,539 patients, the authors found that among these four protections, consent was seen as the most important to consumers. The most important variable in increasing consumers’ digital trust was the data’s purpose of use. Yet when “considered collectively, the four privacy protections together were the most important” in the study.

“Additional protections … may strengthen consumer trust and support socially beneficial uses of digital health data,” said the authors. 

We asked Grande and Gupta to elaborate on their findings. 

Could you describe the digital health landscape? What are the biggest gaps in consumer protection?

Grande: Americans have a strong desire to keep health information private. Medical ethics and federal laws also make sure health care providers keep information private and that what patients say to their doctors is never shared. What we are seeing now is that the protections consumers have had in the past are routinely compromised by digital technology. Digital tracking and data science are a powerful combination and allow marketers to make all sorts of connections between everyday consumer data and personal health. Marketers can now learn about mood, habits, and intentions–things consumers see as even more sensitive than their traditional health care records. Right now, there are no laws to stop marketers from gathering data about consumer health and using it for marketing.

Gupta: Shortcomings with digital privacy protection in the U.S. extend to digital health technologies, which gather and employ particularly sensitive information. The rapid growth of digital health is shining a light on the absence of adequate regulation to protect digital privacy and security. Recent events–lack of security of data from reproductive health apps in a post-Dobbs world, health data leakages from GoodRx and Facebook, and selling of data to third-party trackers that allows for targeted advertising of pharmaceuticals–highlight the growing problem of digital privacy and the need for greater protections. The growing attention to the need for greater protections is a positive development. The U.S., compared to Europe, for example, is far behind in enacting digital privacy protections.

Why do consumers want more privacy protections beyond consent? 

Grande: Asking permission is the most basic protection. People expect to be asked as a matter of principle, so it is not surprising that it is the most valued protection. However, what we find is that consent is not enough for many consumers. There are additional protections that make consumers more likely to say they would feel comfortable sharing their data, particularly for socially beneficial uses like research. However, many remain skeptical even when we presented consumers with scenarios that provided them additional protections, like having the ability to delete or withdraw their data at any time, ensuring there is an oversight process over use, and creating real transparency around how data is being used. Our goal was to determine how these additional protections move consumers in their willingness to share their data. These three other protections combined were as important as consent.

There are virtually no regulatory structures in the U.S. to protect health privacy in the context of the digital health footprint. For more on this topic, see Who Do Consumers Trust with Their Digital Health Data by Kaday Kamara and Abortion Clinic Websites May Unwittingly Aid Patient Prosecutions by Karl Stark.

Why is consent not providing enough digital health privacy protections for consumers?

Grande: I think nearly everyone would agree that some form of consent is critically important when we’re talking about using consumer information. However, in the marketing world, consent has really been a failure. We all know what consent looks like online. Consumers are routinely presented with extremely long user agreements with a lot of fine print that are completely incomprehensible.There is no actual informed consent happening in these situations. Consumers are merely relenting to a process they can’t control to access technology that is increasingly necessary to use. 

Gupta: Simple acquisition of consent while collecting data in what is often a cumbersome, lengthy document places an impossible burden on individuals to consider possible ramifications of using their data. In our work, we’ve found that individuals are not opposed to their data being used for research and development of new treatments and betterment of clinical practices, but that they seek some sense of control over their own data that extends beyond simply consenting at the point of data collection. Moreover, without an understanding of how their data will be used, or without an alternative, individuals ultimately assent to their data being used for unforeseen future purposes. 

What can clinicians and policymakers do to foster more consumer trust in digital health?

Grande: This is a tough question because there is a lot of technology that can be really beneficial for consumers. However, clinicians don’t have much control over the privacy protections. I think that as health systems and insurers begin to adopt or pay for more consumer digital technology, they will need to ask a lot of questions of the technology companies to understand what protections are in place and what is lacking. However, at the end of the day, this really falls to federal policymakers. Many of these technologies have become almost essential in everyday life. I think policymakers know it is an issue but haven’t been able to agree on a solution. However, I think there is urgency to create protections if we hope to harness some of the potential health benefits of digital technology. 

Gupta: The U.S. is way behind other countries in creating a framework of laws and regulations that would protect consumer digital privacy. These are issues that can’t be left to the market. Europe, for example, recently passed the Digital Markets Act, the most comprehensive digital privacy legislation to date. In the U.S., while a few individual states have enacted digital privacy legislation, federal legislation has stalled. It is impossible for consumers to keep up with understanding the downstream implications of saying yes to using certain technologies. A baseline set of regulatory protections is essential.

Where is your research heading next? 

Grande: We have been doing more work to understand consumer views about a broader set of privacy protections that we hope can inform future privacy policies. 

Gupta: We are particularly interested in how the COVID-19 pandemic, during which we have seen an explosion of digital health technologies, may have impacted consumer views about digital privacy and specific protections.

The study, “Consumer Views on Privacy Protections and Sharing of Personal Digital Health Information” was published on January 13, 2023 in JAMA Network Open. Authors include Ravi Gupta, Raghuram Iyengar, Meghana Sharma, Carolyn C. Cannuscio, Raina M. Merchant, David A. Asch, Nandita Mitra, and David Grande 


Samuel Schotland

Sam Schotland, MA

Policy Analyst

More From LDI