If it can happen to Meta, can it happen to you?

Meta Data Privacy

If your health tech business processes or collects personal data, could you be at risk of incurring behemoth fines like Meta? In January 2023, Meta (parent company of Facebook and Instagram) was fined $414 million for violating the EU data privacy and security law known as GDPR (General Data Protection Regulation). This blog explains what happened to Meta and offers three best practices you should employ to avoid similar non-compliance fines.

What did Meta do?

Like many other tech companies, Meta pulls in the majority of its revenue from running ads on its social media platforms, which allows people to use the apps for free. Meta attracts so many advertisers by offering them the ability to target specific users based on things like what those individuals search for and purchase online, which websites they visit, where they are located, and what online content they interact with.

This is not a secret, but what got Meta into so much trouble is that it required users to consent to online behavior tracking in the non-negotiable terms and conditions of using its social media apps. Those terms of use also state that Meta can sell or use this information for its own profit.

In other words, if you want to use Facebook or Instagram, you must agree to have your online activities tracked, analyzed, and sold for profit. This type of forced invasion of privacy directly conflicts with the GDPR, which aims to give people more control over their own online data—who can collect it, how long they can store it, and what they can use it for.

How can your company avoid a similar fine?

These three takeaways can help keep your health tech company out of hot water:

  • Think globally. It doesn’t matter if your business is entirely based in America—if even ONE single user of your product is a resident of or visitor to another country, your company may be subject to laws, regulations, rules, and consequences that you’ve probably never even heard of.
  • Give users more opt-out opportunities. As we learned from Meta’s mistake, users should be able to opt out of cookie tracking and targeted advertising, at a minimum. But data privacy laws around the world are increasingly requiring more and more express user consent, so proactively infusing this expectation into your business model will set your company up for long-term success and competitiveness.
  • Seek expert advice. Consulting companies like Elevation specialize in staying at the forefront of the health data privacy conversation so you don’t have to. Let us tell you what’s coming down the pike so you can pivot more efficiently.

The remaining blogs in this series will break down the complex data privacy landscape, explain how data privacy laws and noncompliance consequences affect health tech companies and patient care in the U.S., and end with best practices and takeaways for health tech companies here to maximize profit and regulatory compliance.

