Do Not Track for Doctors vs. Do Not Track for Consumers

Last Tuesday the U.S. Supreme Court heard oral arguments in IMS Health v. Sorrell. This case centers on a Vermont law that prohibits the use of prescriber-identifiable data for marketing purposes unless the prescriber of the drug gives consent. This case is not about patient privacy or the use of patient-identifiable data which is protected under federal law. Other states, notably Maine and New Hampshire, have passed similar legislation that prohibits the commercial use of prescriber-identifiable data. Opponents have challenged the Constitutionality of the law on the basis that the law restricts speech protected under the First Amendment. Supporters argue that the law is only restricting conduct, not speech, and thus should be allowed.

Pharmaceutical companies routinely use prescriber-identifiable data to target advertising to doctors. For example, a drug company may provide information to an allergist about the benefits of a new allergy medication for patients that have fewer side effects. The previously-mentioned states passed legislation to prevent this, ostensibly to protect doctor privacy, but also with the clear intent of controlling health care costs. As Chief Justice Roberts succinctly put it when addressing Vermont’s Assistant Attorney General, “You want to lower your health care costs, not by direct regulation, but by restricting the flow of information to the doctors, by, to use a pejorative word, but by censoring what they can hear to make sure they don’t have full information, so they will do what you want them to do when it comes to prescribing drugs, because you can’t take, I gather, direct action and tell them, you must prescribe generics, right?”

The ruling in this case could have a widespread effect on the information economy. There are many similarities between these medical privacy laws and proposed “Do Not Track” legislation. For example, Vermont’s law limit the use of prescriber data for prescriber-targeted advertising much like “Do Not Track” proposals for online privacy would limit the use of consumer data for targeted online advertising.

The relationship between this case and the wider online privacy debate became evident during oral arguments last week when the Vermont statute was compared specifically to the Kerry-McCain privacy legislation. This digression came about after Justice Sotomayor made the rather radical claim that “Today with the Internet and with computers, there’s virtually no privacy.” (Except apparently in the Supreme Court which still bans video recording and web streaming.)

In response to the comparison to online privacy, Thomas Goldstein, the lawyer representing the pharmaceutical companies, argued that there are at least three important differences between proposed federal privacy legislation (which he considers constitutional) and the state privacy laws (which he considers unconstitutional).

First, he argued that true privacy legislation gives individuals the right to opt out of any unauthorized use. In contrast, the Vermont statute “says every use of the information is just fine, except this one, this one that allows one speaker who we don’t really like to go out and convey its message.” In this respect, the Vermont law does not offer doctors any additional privacy since the information is still available to others and can be given away (just not sold).

Second, he argued that there is a difference in “the public importance of the speech involved” in the IMS Health case versus data privacy legislation that might restrict consumer marketing. Mr. Goldstein noted that “this is information about lifesaving medications where the detailer goes in and talks about double blind scientific studies that are responsible for the development of drugs that have caused 40 percent of the increase in the lifespan of the American public.”

Third, he argued that there is a “fundamentally different nature of the privacy interest” in the IMS Health case. Mr. Goldstein uses the standard “would a reasonable person be outraged?” to conclude that a prescriber telling another person how many times he prescribed a certain drug would not merit any genuine outrage. In contrast, he argues, if a company were selling personally-identifiable medical information, people would be angry, and rightly so.

Like many others, I look forward to reading the Court’s decision in this case. And, of course, even if the Court rules that the law is constitutional, that does not mean it is a good idea. But to some extent, I disagree with Mr. Goldstein’s second and third arguments. In his second argument, he unjustifiably devalues the importance of consumer advertising. While health data is of paramount importance (a point I have raised often), consumer data can be of high value as well. Indeed, the $26 billion online advertising market is responsible for supporting the Internet economy which has a tremendously beneficial impact on consumer savings, jobs, and quality of life. And targeted online advertising is often a more efficient way to advertise which reduces costs for companies and generates cost savings passed on to consumers.

His third argument also ignores the fact that most online advertising does not involve companies revealing personal data about individuals. Indeed, many online advertising networks do not reveal any personally-identifiable information about users at all, but instead offer advertisers the choice to pick their target audience based on demographics. So would a reasonable person be outraged if Facebook tells Kodak, “We have 3,970,040 users in the United States between the age of 18 and 34 who indicate an interest in photography”? Of course not.

The problems above showcase some of the weaknesses of trying to regulate privacy on the basis of processes rather than outcomes. Attempting to control drug costs by limiting speech has harmful consequences on the health of patients. Similarly, attempting to protect consumers from harms based on the misuse of their private data by imposing data handling policies on organizations has harmful consequence for consumers and the economy at large. A better approach would be to directly target the harmful behaviors called into question, whether it is the state paying for unnecessary or overpriced treatments or individuals facing discrimination based on inappropriate use of their data.

This case raises many important questions worth exploring. Tomorrow (May 3, 2011), ITIF is hosting a discussion on this topic to further explore the role of information in improving health care, current practices for using prescriber-identifiable data, and the implications of this case for other industries. I hope you are able to join us. Please feel free to submit comments below if there are any questions you would like me to ask the panelists.

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.