To help identify trends in privacy representations, BCLP reviewed the websites and privacy notices of those Fortune 500 companies identified as primarily engaged in the healthcare and medical industries.
The data shows that there is no one strategy for disclosing privacy practices to consumers, or for complying with federal and state laws – including the CCPA – that govern data privacy. The following summarizes current industry trends:
- Privacy notices are, on average, much older than those of the overall Fortune 500. This skew is caused in part by a minority of companies with significantly older privacy policies.
- While the majority of companies have updated their privacy notices for the CCPA, about a third of the industry has not addressed the statute.
- Healthcare and medical companies are complying with some, but not all, of the enumerated category disclosures required by the CCPA.
- Although there is no dominant approach to disclosing enumerated category information, the healthcare and medical industries utilize proportionally more lists (instead of tables or charts) to convey information than the Fortune 500 generally.
- Only 23.81% of companies disclose that they do sell information. The remaining companies are evenly split between those that state they do not sell, and those that are silent or unclear about their practices.
- The vast majority of websites and privacy notices do not include a “Do Not Sell” option.
- Those companies that are disclosing the sale of information are attempting to comply with the CCPA’s requirement to provide a “Do Not Sell” option.
- Most healthcare and medical companies offer access and deletion rights.
- The healthcare and medical industries are, on average, utilizing a smaller number of advertising cookies and tracking pixels than the Fortune 500 generally.
- The average quantity of behavioral advertising cookies on a corporate homepage is 9.23.
- Significantly fewer healthcare and medical companies are deploying a cookie notice or banner than are general Fortune 500 companies. The majority of those that do are attempting to obtain opt-in consent.