
Privacy Please
Tune into "Privacy Please," where hosts Cam and Gabe engage with privacy and security professionals around the planet. They bring expert insights to the table and break down complicated tech so everyone can understand it.
Unpacking Healthline's Historic CCPA Settlement: What It Means for Data Privacy
Cameron and Gabe dive into Healthline Media's record-breaking $1.55 million settlement for CCPA violations, examining whether such penalties are sufficient deterrents against improper sharing of sensitive health data.
• Healthline violated CCPA by sharing sensitive user health data with advertisers without proper consent
• First U.S. regulatory action against a company for disclosing "inferred sensitive data"
• Violation included failing to provide mechanisms to opt out of sensitive data sharing
• Discussion of whether fines proportional to company revenue would be more effective
• Comparison of data brokers to other harmful entities in society
• Brief preview of upcoming episode about a major data breach potentially larger than Equifax
Stay safe this holiday weekend and don't put fireworks where they don't belong! Tune in next time for our breakdown of a massive data breach of "epic proportions."
Speaker 1: Alrighty then. Ladies and gentlemen, welcome back to another episode of Privacy Please. Cameron Ivey here, hanging out with Mr. Gabe Gumbs. Gabe, how you doing?
Speaker 2: I'm doing well, sir. How are you, Mr. Ivey?
Speaker 1: Doing well. Had a little storm roll through; you probably had some effects from that. When it rains, it pours. It does indeed, and it also lightnings.
Speaker 2: When you live in the lightning capital of the world, that's a thing. That is a real thing. Is that why they're called the Tampa Bay Lightning?
Speaker 1: I think it might be. It might have a tiny bit to do with it. Yes, sir, yes sir. That makes sense. Yeah, yeah, a world champion Tampa Bay Lightning.
Speaker 2: Is that what's right?
Speaker 1: That's true. It seems to be that even the Florida Panthers, I mean, we've had some, uh, the NHL has been owned by Florida teams, which is funny. Yeah.
Speaker 2: I mean, we get a lot of Canucks that visit down this way, but Lord knows, you couldn't freeze an ice cube on the coldest days of the year down there.
Speaker 1: No, I bet it makes so many Canadians mad. But hey, it's the tax stuff.
Speaker 2: I think at the moment they're far angrier about other things.
Speaker 1: That's true. Yeah, that's very true.
Speaker 2: We should leave the line there. Shout out to our Canadian brethren north of the border.
Speaker 1: Shout out, Canadians, we still love you and your geese. We love you, pal, it's true. Canadian bacon.
Speaker 2: I like that. I don't even know, is that American, what you just called Canadian bacon? Probably like French fries. It's probably on the list. Oh yeah, sorry about that. Yeah, freedom.
Speaker 1: There's a couple of things that have been going on in the security and privacy space that we'll just kind of touch on. First we'll talk about, we'll just throw it out there, so one of the biggest settlements under the CCPA right now is the Healthline $1.55 million settlement. Gabe, I don't know if you've heard of this. It's kind of recent; it just came out.
Speaker 2: You may not know. I've heard of it, but I hadn't had a chance to really dig into it. Was that a percentage of revenue of some sort, or just a fine based on the number of records? I'm curious because, to be honest, 1.5 doesn't really sound like a deterrent for doing better.
Speaker 1: Yeah, that's a good question, because it says Healthline Media agreed to a record $1.55 million settlement under the CCPA for violating the, let's see what they say. Specifically, it resolves claims that Healthline shared sensitive user data with advertisers and data brokers without proper consent and opt-out mechanisms.
Speaker 2: Classic, classic. I was going to say it's par for the course. I mean, we know lots of folks continue to still engage in those types of noncompliant behaviors, usually not intentionally. A lack of guardrails internally tends to be behind this. More often than not, you know, the average business isn't intentionally trying to be non-compliant or, for that matter, even unethical. Say what you might about capitalism. But yeah, 1.5 still just doesn't seem like the guardrail I would want it to be.
Speaker 1: Yeah, I mean, it's a lot of money, but it's really not that much. You're right. So here are three things that will kind of shed light on some more specifics. So they're paying this fine due to a couple of reasons.
Speaker 1: So one, Healthline Media: prohibiting the sale or sharing of personal information linked to specific medical diagnoses; providing notice and the right to limit the use and disclosure of sensitive personal information before sharing it for advertising; and implementing a program to assess the functionality of opt-out mechanisms and ensure third-party contracts meet CCPA requirements. Those are the three things that they did not do. That's right, which are pretty big. I mean, it's pretty big. Yeah, you know, it's pretty important.
Speaker 2: That's quite a bit. That's quite a bit. You know, a back-of-the-napkin search suggests that Healthline is a wildly profitable business with, you know, revenues in the high double-digit millions and profits that aren't that far off of that. So, you know, that again goes right back to that. I'm never really a fan of compliance being the first guardrail for these kinds of challenges, and I'm not certain that imposing record-breaking or otherwise $1.5 million is really a deterrent to others.
Speaker 1: Yeah, I'm trying to see if there's more information on, what I mean is, I wish they would kind of break down why that number, why only that, and they settled on that.
Speaker 2: Like GDPR, for example, their fines are, if I'm not mistaken, they're based on a percentage of revenue, right? Right?
Speaker 1: Because this, I mean, the last one before this was what, $1.2 million, which was the Sephora one that we were talking about earlier. Right, right, right, right. That was back in '22, but what's funny is this was also, oh wait, okay, yeah, they were mentioning it. So some of the, I'm trying to see if there are any more specific details. So this is the first US regulatory privacy enforcement action where a company has been fined for disclosing inferred sensitive data.
Speaker 2: What's inferred? So not direct, but it means that they may have been able to de-anonymize individuals based on it. I mean, inference and de-anonymization are kissing cousins, so I'm drawing a straight line there. But it means that they were able to infer who Cameron Ivey was without direct reference to who Cam Ivey was.
Speaker 1: Right.
Speaker 2: That's extra naughty. Yeah.
Speaker 1: Inferred based on articles read, is what.
Speaker 2: Interesting.
Speaker 1: I don't know. This is interesting. So, and obviously, you know, we're dealing with health-related data. I don't know the company; I've never really honestly heard of them before.
Speaker 2: There are about a billion healthcare companies none of us have heard of, and they're all making ungodly amounts of money.
Speaker 1: Oh what? We can sell you all of this personal health information for a lot of money? And yeah, that's it.
Speaker 2: Payout claims.
Speaker 1: Yeah, all right.
Speaker 2: That sounds like a good idea. Let's do it, let's go.
Speaker 1: What do we do? My other question is, are the people that made that decision still there, or are they gone already?
Speaker 2: Come on, they're still there and they're not going to be. For what it's worth, again, I'm not even sure I'm inclined to levy blame upon those individuals, right? Like I said, it's hard to prove malice, and I don't usually wake up in the morning and assign malice to these types of things. Just, most people wake up and they just want to do their jobs, they want to do it well, they want to be compensated fairly, and they want to go home. That's not everyone, of course, but I don't necessarily subscribe to the, you know, all of these folks are evil, even when they're dealing with data brokers. Although all data brokers, on the other hand, I might not have the same appreciation for. Yeah, but you know, I also don't have a strong appreciation for people that, you know, like, sell drugs or whatever. Yes, I'm equating the two.
Speaker 2: Yes, they're both damaging to the community, for freak's sake.
Speaker 1: Hey, you know, I mean, you got to put food on the table somehow.
Speaker 2: Well, yeah, I understand, I understand, I understand. Even scumbags have to eat, right? Like, yeah, no, that's interesting.
Speaker 1: Let them eat cake.
Speaker 2: So, yeah, I don't know that those individuals should be held personally accountable. We obviously don't know enough about it, right? Yeah, I certainly don't know what the future for CCPA is. If these are the signals we're going to send to businesses to protect our data, I don't know that this signal is the right signal to send. It seems, quite, in my personal and professional opinion, it might be the exact wrong signal to send, and I'm not suggesting you fine them into oblivion such that they go out of business. But I don't know, maybe we need more DOJ-style actions where, you know what, now we are going to embed a data privacy officer from the government into your business for the next 18 months to make sure that you know what to do. Well, not to babysit, but to help you to that point.
Speaker 1: I was just thinking, well, maybe they got this number based on how much information they had sold. Maybe, you know what I mean? Like, maybe because it's based off of, isn't it like a percentage per word or per letter or something like that?
Speaker 2: I don't think it's per word.
Speaker 1: Yeah, um, listeners, or, you know, anybody out there that knows, I mean, shoot us a message, or you can always come on and talk further about it, anyone that's more knowledgeable about that kind of stuff. But I think that makes sense. It would make sense to, but, you know, they should tack on to whatever else. I don't know. I think you're on to something there, because it's like, well, if it's just a slap on the wrist, you know, and we made, how much did they make on some data?
Speaker 2: Anytime the cost of doing business exceeds the cost of the fine substantially, right, that's just a luxury tax really, right?
Speaker 1: And the other thing is, like, it's not going to affect them, and like, oh well, these consumers aren't going to trust this company now. It's like it doesn't matter; they already have your information. Yeah, that cat's so far out of the box. Yeah, I don't like it, but I'm glad that there's, you know.
Speaker 2: I'm glad CCPA exists in some form, at least now. You are correct. Prior to the enactment of that regulation there'd be zero repercussions and recourse. There'd just be a little salacious article, and maybe we don't even mention it on the show and others aren't informed. Then everyone keeps it moving, right?
Speaker 1: Yeah, agreed. Um, I know that there was, well, we can touch on this. We'll do a couple of other special episodes. This is a little bit shorter, of course, but we just wanted to kind of dive into that on this episode, but we'll have another one coming out. Gabe will talk about, we'll both talk about, but there was a recent hack. It was one of the largest ones in history. There were a few.
Speaker 2: Yeah, we're gonna dive into the details and peel back the curtain on one of the larger hacks of modern times, certainly, maybe ever. Of epic proportions, quite frankly. Yeah, I've got some information, and I've been having some conversations with some folks, both near and far to the scenario, and, yeah, we'll lay that out for our listeners.
Speaker 1: Yeah, because this is going to surpass Equifax, right? I think it was actually Google, Apple, I don't know. We'll get into it on the next episode, but let's just say it was pretty massive. Indeed. Gabe, always a pleasure. A pleasure indeed.
Speaker 2: Happy 4th of July to everyone out there. Happy 249th to the Union.
Speaker 1: Hope everybody has a safe weekend and, uh, we'll see you guys on the next one. Don't put any fireworks in your buttocks or between your fingertips. And, uh, yeah, do that. Don't do that. Don't do that, don't do that, don't do that. Nobody wants nubs.
Speaker 2: Nobody wants nubs in either location.
Speaker 1: We out. Be safe.