Privacy Please

S6, E246 - Unpacking Healthline's Historic CCPA Settlement: What It Means for Data Privacy

Cameron Ivey

Cameron and Gabe dive into Healthline Media's record-breaking $1.55 million settlement for CCPA violations, examining whether such penalties are sufficient deterrents against improper sharing of sensitive health data.

• Healthline violated CCPA by sharing sensitive user health data with advertisers without proper consent
• First U.S. regulatory action against a company for disclosing "inferred sensitive data"
• Violation included failing to provide mechanisms to opt out of sensitive data sharing
• Discussion of whether fines proportional to company revenue would be more effective
• Comparison of data brokers to other harmful entities in society
• Brief preview of upcoming episode about a major data breach potentially larger than Equifax

Stay safe this holiday weekend and don't put fireworks where they don't belong! Tune in next time for our breakdown of a massive data breach of "epic proportions."

Speaker 1

Alrighty then. Ladies and gentlemen, welcome back to another episode of Privacy, Please. Cameron Ivey here, hanging out with Mr. Gabe Gumbs. Gabe, how you doing?

Speaker 2

I'm doing well, sir. How are you, Mr. Ivey?

Speaker 1

Doing well, had a little storm roll through. You probably had some effects from that. When it rains, it pours, it does indeed, and it also lightnings.

Speaker 2

When you live in the lightning capital of the world. That's a thing, that is a real thing. Is that why they're called the Tampa Bay Lightning?

Speaker 1

I think it might be, it might have a tiny bit to do with it. Yes, sir, yes sir, that makes sense. Yeah, yeah, a world champion Tampa Bay Lightning.

Speaker 2

Is that what's right?

Welcome and Storm Talk

Speaker 1

That's true. It seems to be that even Florida Panthers, I mean we've, we've had some, uh, the NHL has been owned by Florida teams, which is funny, yeah.

Speaker 2

I mean, we get a lot of Canucks that visit down this way, but Lord knows, you couldn't freeze an ice cube on the coldest days of the year down there.

Speaker 1

No, I bet it makes so many Canadians mad. But hey, it's the tax stuff.

Speaker 2

I think at the moment they're far angrier about other things.

Speaker 1

That's true, yeah, that's very true.

Speaker 2

We should let the line there. Shout out to our Canadian brethren north of the border.

Speaker 1

Shout out, Canadians, we still love you and your geese. We love you, pal, it's true. Canadian bacon.

Speaker 2

I like that. I don't even know, is that American, what you just called Canadian bacon? Probably like French fries. It's probably on the list. Oh yeah, sorry about that. Yeah, freedom.

Speaker 1

There's a couple of things that have been going on in the security and privacy space that we'll just kind of touch on. First we'll talk about, we'll just throw it out there. So one of the biggest settlements for the CCPA right now is the Healthline $1.55 million settlement under the CCPA, Gabe. I don't know if you heard of this. It's kind of recent, it just came out.

Breaking Down Healthline's CCPA Settlement

Speaker 2

You may not know. I've heard of it, but I hadn't had a chance to really dig into it. Was that a percentage of revenue of some sort, or just a fine based on number of records? I'm curious because, to be honest, 1.5 doesn't really sound like a deterrent for doing better.

Speaker 1

Yeah, that's a good question, because it says Healthline Media agreed to a record $1.55 million settlement with the CCPA for violating the... let's see what they say. Specifically, resolves claims that Healthline shared sensitive user data with advertisers and data brokers without proper consent and opt-out mechanisms.

Speaker 2

Classic, classic. I was going to say it's par for the course. I mean, we know lots of folks continue to still engage in those types of noncompliance behaviors, usually not intentionally. A lack of guardrails internally tends to be behind this. More often than not, you know, the average business isn't intentionally trying to be non-compliant or, for that matter, even unethical. Say what you might about capitalism. But yeah, 1.5 still just doesn't seem like the guardrail I would want it to be.

Speaker 1

Yeah, I mean, it's a lot of money, but it's really not that much, you're right. So here are three things that will kind of shed light on some more specifics. So they're paying this fine due to a couple of reasons.

Speaker 1

So one, Healthline, Healthline Media, so: prohibiting the sale or sharing of personal information linked to specific medical diagnoses, providing notice and the right to limit the use and disclosure of sensitive personal information before sharing it for advertising, and implementing a program to assess the functionality of opt-out mechanisms and ensure third-party contracts meet CCPA requirements. Those are the three things that they did not do. That's right, which are pretty big. I mean, that's, it's pretty big. Yeah, you know, it's pretty important.

Questioning Fine Effectiveness as Deterrents

Speaker 2

That's quite a bit. That's quite a bit, you know. Back-of-the-napkin search suggests that Healthline is a wildly profitable business with, you know, revenues in the high double-digit millions and profits that aren't that far off of that. So you know, that again goes right back to that. I'm never really a fan of compliance being the first guardrail for these kinds of challenges, and I'm not certain that imposing a record-breaking or otherwise $1.5 million is really a deterrent to others. Yeah, I, I'm trying to see if there's more information on what I mean.

Speaker 1

I wish they would kind of break down why that number, why only that, and they settled on that.

Speaker 2

Like GDPR, for example, their fines are, if I'm not mistaken, they're based on a percentage of revenue, right? Right?

Speaker 1

Because this, I mean, the last one before this was what? $1.2 million, which was the Sephora one that we were talking about earlier. Right, right, right, right. That was back in '22. But what's funny is, this was also... oh wait, okay, yeah, they were mentioning it. So some of the... I'm trying to see if there's any more, like, specific details. So this is the first US regulatory privacy enforcement action where a company has been fined for disclosing inferred sensitive data.

Speaker 2

What's inferred? So not direct, but it means that they may have been able to de-anonymize individuals based on it. I mean, inference and de-anonymization are kissing cousins, so I'm, I'm drawing a straight line there. But, but it means that they were able to infer who Cameron Ivey was without direct reference to who Cameron Ivey was.

Speaker 1

Right .

Speaker 2

That's extra naughty, yeah.

Speaker 1

Inferred based on articles read, is what...

Speaker 2

Interesting .

Speaker 1

I don't know. This is interesting. So, and obviously, you know, we're dealing with health-related data. I don't know the company, that I've never really, honestly, heard of them before.

Speaker 2

There are about a billion healthcare companies none of us have heard of, and they're all making ungodly amounts of money.

Speaker 1

Oh, what? We can sell you all of this personal health information for a lot of money? And yeah, that's it.

Speaker 2

Payout claims .

Speaker 1

Yeah , all right .

Speaker 2

That sounds like a good idea. Let's do it, let's go.

Speaker 1

What do we do? My other question is, are the people that made that decision still there, or are they gone already?

Speaker 2

Come on, they're still there and they're not going to be. For what it's worth, again, I'm not even sure I'm inclined to levy blame upon those individuals, right? Like I said, it's hard to prove malice, and I don't usually wake up in the morning and assign malice to these types of things. Just, most people wake up and they just want to do their jobs, they want to do it well, they want to be compensated fairly and they want to go home. That's not everyone, of course, but I don't necessarily subscribe to the, you know, all of these folks are evil, even when they're dealing with data brokers, although all data brokers, on the other hand, I might not have the same appreciation for. Yeah, but you know, I also don't have a strong appreciation for people that, you know, like sell drugs or whatever. Yes, I'm equating the two.

Speaker 2

Yes, they're both damaging to the community, for freak's sake.

Speaker 1

Hey, you know, I mean, you got to put food on the table somehow.

Speaker 2

Well, yeah, I understand, I understand, I understand. Even scumbags have to eat, right? Like, yeah, no, that's interesting.

Speaker 1

Let them eat cake .

Speaker 2

So, yeah, I don't know that those individuals should be held personally accountable. We obviously don't know enough about it, right? Yeah, I certainly don't know what the future for CCPA is. If this is the signal we're going to send to businesses to protect our data, I don't know that this signal is the right signal to send. It seems, quite, in my personal and professional opinion, it might be the exact wrong signal to send, and I'm not suggesting you fine them into oblivion such that they go out of business. But I don't know, maybe we need more DOJ-style actions where, you know what? Now we are going to embed a data privacy officer from the government into your business for the next 18 months to make sure that you know what to do. Well, not to babysit, but to help you to that point.

Inferred Sensitive Data Violations

Speaker 1

I was just thinking, well, maybe they got this number because it's based on how much information they had sold. Maybe, you know what I mean? Like, maybe because it's based off of... isn't it like a percentage per word or per letter or something like that?

Speaker 2

I don't think it's per word.

Speaker 1

Yeah, um, listeners, or you know, anybody out there that knows, I mean, shoot us a message, or you can always come on and talk further about it, that's more knowledgeable about that kind of stuff. But I think that's... I think that makes sense, it would make sense to, but you know, they should tack on to whatever else. I don't know. I think you're, you're on to something there, because it's like, well, if it's just a slap on the wrist, you know, and we made, how much did they make on some data?

Speaker 2

Anytime the cost of doing business exceeds the cost of the fine substantially, right, that's, that's just, uh, that's just a luxury tax, really, right?

Speaker 1

And the other thing is, like, it's not going to affect them, and like, oh well, these consumers aren't going to trust this company now. It's like, it doesn't matter, they already have your information. That, yeah, that cat's so far out of the box. Yeah, I don't like it, but I'm glad that there's, you know...

Speaker 2

I'm glad CCPA exists in some form at least now. You are correct. Prior to the enactment of that regulation, there'd be zero repercussions and recourse. There'd just be a little salacious article, and maybe we don't even mention it on the show, and others aren't informed. Then everyone keeps it moving, right?

Speaker 1

Yeah, agreed, then. Uh, everyone keeps it moving, right. Yeah, yeah, agreed. Um, I know that there was, like, uh, well, we can touch on this. We'll do a couple other special episodes. This is a little bit shorter, of course, but we just wanted to kind of dive into that, and um, on this episode, but we'll have another one coming out. Uh, Gabe will talk about, um, we'll both talk about, but there's, there was like a... there was a recent hack. It was one of the largest ones in history. There were a few.

Preview of Major Hack Discussion

Speaker 2

Yeah, we're gonna dive into the details and peel back the curtain on one of the larger hacks, uh, of modern times, certainly, uh, maybe ever. Of epic proportions, quite frankly. Yeah, I've got some information and I've been having some conversations with some folks, both near and far to the scenario, and, yeah, we'll lay that out for our listeners.

Speaker 1

Yeah, because this is going to surpass Equifax, right? I think it was actually Google, Apple, I don't know. We'll get into it on the next episode, but let's just say it was pretty massive. Indeed. Gabe, always a pleasure. A pleasure indeed.

Speaker 2

Happy 4th of July to everyone out there. Happy, uh, 249th to the, to the Union.

Speaker 1

Hope everybody has a safe weekend and, uh, we'll see you guys on the next one. Don't put any fireworks in your buttocks or between your fingertips, and uh, yeah, do that. Don't, don't do that, don't do that, don't do that, don't do that. Nobody wants nubs.

Speaker 2

Nobody wants nubs in either location .

Speaker 1

We out. Be safe.