On July 12, 2013, Illinois Attorney General Lisa Madigan announced that she sent letters to operators of eight popular health-related websites requesting information about the websites’ online data collection practices. The Attorney General’s press release underscored how individuals’ health-related information shared online, which would be protected if disclosed in a traditional medical setting, “can be captured, shared and sold when users enter their information into a website.” The Attorney General also stated that “website disclosure about the extent to which information is captured or share is buried in privacy policies not found on the websites’ main pages.”

In a letter to one of the websites, the Attorney General wrote that when consumers use such websites, “they inevitably leave behind a digital footprint that contains sensitive information about them or their family members. This digital footprint can include the health topics and symptoms they research, the drugs they read about, or the links they click.” In addition to requesting copies of supporting documentation (including privacy policies), the Attorney General’s letter requested details regarding:

  • the types of information collected on the website or mobile application;
  • whether the website administrator captures, collects, stores, aggregates, sells, shares or transmits the information, and if so, how is the information stored and protected;
  • the forms of consumer tracking used on the website;
  • if individuals can opt out of any data collection or tracking;
  • whether third parties have access to the collected information, and if so, does the website operator benefit financially by allowing the third parties to access that information; and
  • the percentage of users who have accessed the company’s privacy policy (based on website or mobile app analytics).

The companies that received letters have until August 2, 2013, to submit their responses. We anticipate the possibility of other attorneys general following AG Madigan’s lead, including by requesting information from other types of websites that collect different kinds of sensitive data.