program areas Digital Consumer

By Jeffrey Chester The COVID-19 pandemic is a profound global public health crisis that requires our upmost attention: to stem its deadly tide and rebuild the global health system so we do not experience such a dire situation in the future. It also demands that we ensure the U.S. has a digital media system that is democratic, accountable, and one that both provides public services and protects privacy. The virus is profoundly accelerating our reliance on digital media worldwide, ushering (link is external) in “a new landscape in terms of how shoppers are buying and how they are behaving online and offline.” Leading platforms—Amazon, Facebook and Google—as well as many major ecommerce and social media sites, video streaming services, gaming apps, and the like—are witnessing a flood of people attempting to research health concerns, order groceries and supplies, view entertainment and engage in communication with friends and family. According to a marketing industry report (link is external), “nearly 90% of consumers have changed their behavior because of COVID-19.” More data (link is external) about our health concerns, kids, financial status, products we buy and more are flowing into the databases of the leading digital media companies. The pandemic will further strengthen their power as they leverage all the additional personal information they are currently capturing as a consequence of the pandemic. This also poses a further threat to the privacy of Americans who are especially dependent on online services if they are to survive. The pandemic is accelerating societal changes (link is external) in our relationship to the Internet. For example, marketers predict that we are witnessing the emergence of an experience they call the “fortress home”—as “consumer psychology shifts into an extreme form of cocooning.” The move to online buying via ecommerce—versus going to a physical store—will become an even more dominant consumer behavior. So, too, will in-home media consumption increase, especially the reliance on streaming (“OTT”) video. Marketers are closely examining all these pandemic-related developments using a global lens—since the digital behaviors of all consumers—from China to the U.S.—have so many commonalities. For example, Nielsen has identified six (link is external) “consumer behavior thresholds” that reveal virus-influenced consumer buying behaviors, such as “quarantined living preparation” and “restricted living.” A host of sites are now regularly reporting how the pandemic impacts the public, and what it means for marketing and major brands. See, for example, Ipsos (link is external), Comscore (link is external), Nielsen (link is external), Kantar (link is external), and the Advertising Research Foundation (ARF (link is external)). In addition to the expanded market power of the giants, there are also growing threats to our privacy from surveillance by both government (link is external) and the commercial sector. Marketers are touting how all the real-time geolocation data that is continuously mined from our mobile devices, wearables (link is external) and “apps” can help public health experts better respond to the virus and similar threats. At a recent (link is external) Advertising Research Foundation townhall on the virus it was noted that “the location-based data that brand stewards have found useful in recent years to deliver right-time/right-place messages has ‘gone from being useful that helps businesses sell a little bit more’ to truly being a community and public-health tool.” Marketers will claim that they have to track all our moves because it’s in the national interest in order to sanction the rapid expansion of geo-surveillance (link is external) in all areas of our lives. They are positioning themselves to be politically rewarded for their work on the pandemic, hoping it will immunize them from the growing criticism about their monopolistic and anti-consumer privacy behaviors. Amazon, Facebook, Google, Snapchat and various “Big Data” digital marketing companies announced (link is external), for example, a COVID-19 initiative with the White House and CDC. Brokered by the Ad Council, it will unleash various data-profiling technologies, influencer marketing, and powerful consumer targeting engines to ensure Americans receive information about the virus. (At the same time, brands are worried about having their content appear alongside information about the coronavirus, adopting new (link is external) “brand safety” tools that can “blacklist” news and other online sites. This means that the funding for journalism and public safety information becomes threatened (link is external) because advertisers wish to place their own interests first.) But the tactics (link is external) now sanctioned by the White House are the exact same ones that must be addressed in any legislation that effectively protects our privacy online. We believe that the leading online companies should not be permitted to excessively enrich themselves during this moment by gathering even more information on the public. They will mine this information for insights that enable them to better understand our private health needs and financial status. They will know more about the online behaviors of our children, grandparents and many others. Congress should enact protections that ensure that the data gathered during this unprecedented public health emergency are limited in how they can be used. It should also examine how the pandemic is furthering the market power of a handful of platforms and ecommerce companies, to ensure there is a fair marketplace accessible to the public. It’s also evident there must be free or inexpensively priced broadband for all. How well we address the role of the large online companies during this period will help determine our ability to respond to future crises, as well as the impact of these companies on our democracy.

Google’s (i.e., Alphabet, Inc.) proposed acquisition of Fitbit, a leading health wearable device company, is just one more piece illustrating how the company is actively engaged in shaping the future of public health. It has assembled a sweeping array of assets in the health field, positioning its advertising system to better take advantage of health information, and is playing a proactive role lobbying to promote significant public policy changes for medical data at the federal level that will have major implications (link is external)for Americans and their health.Google understands that there are tremendous revenues to be made gathering data—from patients, hospitals, medical professionals and consumers interested in “wellness”—through the various services that the company offers. It sees a lucrative future as a powerful presence in our health system able to bill Medicare and other government programs. In reviewing the proposed takeover, regulators should recognize that given today’s “connected” economy, and with Google’s capability and intention to generate monetizeable insights from individuals across product categories (health, shopping, financial services, etc.), the deal should not be examined solely within a narrow framework. While the acquisition directly bolsters Google’s growing clout in what is called the “connected-health” marketplace, the company understands that the move is also designed to maintain its dominance in search, video and other digital marketing applications. It’s also a deal that raises privacy concerns, questions about the future direction of the U.S. health system, and what kinds of safeguards—if any at all—will be in place to protect health consumers and patients. As health venture capital fund Rock Health explained in a recent report, “Google acquired Fitbit in a deal that gives the tech giant access to troves of personal health data and healthcare partnerships, in addition to health tracking software.” Fitbit reports that “28 million active users” worldwide use its wearable device products. For Google, Fitbit brings (link is external) a rich layer of personal data, expertise in fitness (link is external) tracking software, heart-rate sensors, as well as relationships with health-service and employee-benefit providers. Wearable devices can provide a stream (link is external)of ongoing data on our activities, physical condition, geolocation and more. In a presentation to investors made in 2018, Fitbit claimed to be the “number one health and fitness” app in the U.S. for both the Android and Apple app store, and considered itself the “number one “wearable brand globally,” available in 47,000 stores, and had “direct applications for health and wellness categories such as diabetes, heart health, and sleep apnea.” “Driving behavior change” is cited as one of the company’s fundamental capabilities, such as its “use of data…to provide insights and guidance.” Fitbit developed a “platform for innovative data collection” for clinical researchers, designed to help advance (link is external) “the use of wearable devices in research and clinical applications. Fitbit also has relationships with pharmacies, including those that serves people with “complex health conditions.” Fitbit has also “made a number of moves to expand its Health Services division,” such as its 2018 acquisition of Twine Health, a “chronic disease management platform.” In 2018, it also unveiled a “connected health platform that enables payers and health systems to deliver personalized coaching” to individuals. The company’s Fitbit Health Solutions division is working with more than 100 insurance companies in the U.S., and “both government sponsored and private plans” work with the company. Fitbit Premium was launched last year, which “mines consumer data to provide personalized health insights” for health care delivery. According to Business Insider Intelligence, “Fitbit plans to use the Premium service to get into the management of costly chronic conditions like diabetes, sleep apnea, and hypertension.” The company has dozens of leading “enterprises” and “Fortune 500” companies as customers. It also works with thousands of app developers and other third parties (think Google’s dominance in the app marketplace, such as its Play store). Fitbit has conducted research to understand “the relationship between activity and mood” of people, which offers an array of insights that has applications for health and numerous other “vertical” markets. Even prior to the formal takeover of Fitbit by Google, it had developed strong ties to the digital data marketing giant. It has been a Google Cloud client since 2018, using its machine learning prowess to insert Fitbit data into a person’s electronic health record (EHR). In 2018, Fitbit said that it was going to transfer its “data infrastructure” to the Google Cloud platform. It planned to “leverage Google’s healthcare API” to generate “more meaningful insights” on consumers, and “collaborate on the future of wearables.” Fitbit’s data might also assist Google in forging additional “ties with researchers who want to unlock the constant stream of data” its devices collect. When considering how regulators and others should view this—yet again—significant expansion by Google in the digital marketplace—the following issues must be addressed: Google Cloud and its use of artificial intelligence and machine learning in a new data pipeline for health services, including marketing Google’s Cloud service offers “solutions” (link is external) for the healthcare and life sciences industry, by helping to “personalize patient experiences,” “drive data interoperability,” and improve commercialization and operations”—including for “pharma insights and analytics.” Google Cloud (link is external) has developed a specific “API” (application programming interface) that enables health-related companies to process and analyze their data, by using machine learning technologies, for example. The Health Care Cloud API (link is external)also provides a range of other data functionalities (link is external) for clinical and other uses. Google is now working to help create a “new data infrastructure layer via 3 key efforts,” according to a recent report on the market. It is creating “new data pipes for health giants,” pushing the Google Cloud and building “Google’s own healthcare datasets for third parties.” (See, for example, “G Suite (link is external) for Healthcare Businesses” products as well as its “Apigee API Platform,” which works with the Cleveland Clinic, Walgreens, and others). Illustrating the direct connection between the Google Cloud and Google’s digital marketing apparatus is their case study (link is external) of the leading global ad conglomerate, WPP. “Our strong partnership with Google Cloud is key,” said WPP’s CEO, who explained that “their vast experience in advertising and marketing combined with their strength in analytics and AI helps us to deliver powerful and innovative solutions for our clients” (which include (link is external) “369 of the Fortune Global 500, all 30 of the Dow Jones 30 and 71 of the NASDAQ 100”). WPP links the insights and other resources it generates from the Google Cloud to Google’s “Marketing Platform” (link is external) so its clients can “deliver better experiences for their audiences across media and marketing.” Google has made a significant push (link is external) to incorporate the role that machine learning plays with marketing across product categories, including search and YouTube. It is using machine learning to “anticipate needs” of individuals to further its advertising (link is external) business. Fitbit will bring in a significant amount of additional data for Google to leverage in its Cloud services, which impact a number of consumer and commercial markets beyond (link is external) health care. The Fitbit deal also involves Google’s ambitions to become an important force providing healthcare providers access to patient, diagnostic and other information. Currently the market is dominated by others, but Google has plans for this market. For example, it has developed a “potential EHR tool that would empower doctors with the same kind of intuitive and snappy search functionality they've come to expect from Google.” According to Business Insider Intelligence, Google could bundle such applications along with Google Cloud and data analytics support that would help hospitals more easily navigate the move to data heavy (link is external), value-based care (VBC) reimbursement models (link is external).” Google Health already incorporates a wide range of health-related services and investments “Google is already a health company,” according (link is external) to Dr. David Feinberg, the company’s vice president at Google Health. Feinberg explains that they are making strides in organizing and making health data more useful thanks to work being done by Cloud (link is external) and AI (link is external) teams. And looking across the rest of Google’s portfolio of helpful products, we’re already addressing aspects of people’s health. Search helps people answer everyday health questions (link is external), Maps helps get people to the nearest hospital, and other tools and products are addressing issues tangential to health—for instance, literacy (link is external), safer driving (link is external), and air pollution (link is external)…. and in response, Google and Alphabet have invested in efforts that complement their strengths and put users, patients, and care providers first. Look no further than the promising AI research and mobile applications coming from Google and DeepMind Health (link is external), or Verily’s Project Baseline (link is external) that is pushing the boundaries of what we think we know about human health. Among Google Health’s initiatives are “studying the use of artificial intelligence to assist in diagnosing (link is external) cancer, predicting (link is external) patient outcomes, preventing (link is external) blindness…, exploring ways to improve patient care, including tools that are already being used by clinicians…, [and] partnering with doctors, nurses, and other healthcare professionals to help improve the care patients receive.” Through its AI work, Google is developing “deep learning” applications for electronic health records. Google Health is expanding its team, including specifically to take advantage of the wearables market (and has also hired a former FDA commissioner to “lead health strategy”). Google is the leading source of search information on health issues, and health-related ad applications are integrated into its core marketing apparatus A billion health-related questions are asked every day on Google’s search engine, some 70,000 every minute (“around 7 percent of Google’s daily searches”). “Dr. Google,” as the company has been called, is asked about conditions, medication, symptoms, insurance questions and more, say company leaders. Google’s ad teams in the U.S. promote how health marketers can effectively use its ad products, including YouTube, as well as understand how to take advantage of what Google has called “the path to purchase.” In a presentation on “The Role of Digital Marketing in the Healthcare Industry,” Google representatives reported that After conducting various studies and surveys, Google has concluded that consumers consult 12.4 resources prior to a hospital visit. When consumers are battling a specific disease or condition, they want to know everything about it: whether it is contagious, how it started, the side-effects, experiences of others who have had the same condition, etc. When doing this research, they will consult YouTube videos, read patient reviews of specific doctors, read blog articles on healthcare websites, read reviews, side-effects, and uses of particular medicines. They want to know everything! When consuming this information, they will choose the business that has established their online presence, has positive reviews, and provides a great customer experience, both online and offline. Among the data shared with marketers was information that “88% of patients use search to find a treatment center,” “60% of patients use a mobile device,” “60% of patients like to compare and validate information from doctors with their own online research,” “56% of patients search for health-related concerns on YouTube,” “5+ videos are watched when researching hospitals or treatment centers,” and that “2 billion health-related videos are on YouTube.” The “Internet is a Patient/Caregiver’s #1 confidant,” they noted. They also discussed how mobile technologies have triggered “non-linear paths to purchase,” and that mobile devices are “now the main device used for health searches.” “Search and video are vital to the patient journey,” and “healthcare videos represent one of the largest, fastest growing content segments on YouTube today.” Their presentation demonstrated how health marketers can take advantage of Google’s ability to know a person’s location, as well as how other information related to their behaviors and interests can help them “target the right users in the right context.” To understand the impact of all of Google’s marketing capabilities, one also should review the company’s restructured (and ever-evolving) “Marketing Platform.” Google’s Map Product will be able to leverage Fitbit data Google is using data related to health that are gathered by Google Maps, such as when we do searches for needed care services (think ERs, hospitals, pharmacies, etc.). “The most popular mapping app in the U.S…. presents a massive opportunity to connect its huge user base with healthcare services,” explain Business Insider Intelligence. Google has laid the groundwork with its project addressing the country’s opioid epidemic, linking “Google Maps users with recovery treatment centers,” as well as identifying where Naloxone (the reversal drug for opioid overdoes) is available. Last year, Google Maps launched a partnership with CVS “to help consumers more easily find places to drop off expired drugs.” Through its Waze subsidiary, which provides navigation information for drivers, Google sells ads to urgent care centers, which find new patients as a result of map-based, locally tailored advertisements. Google’s impact on the wearable marketplace, including health, wellness and other apps The acquisition of Fitbit will bolster Google’s position in the wearables market, as well as its direct and indirect role providing access to its own and third-party apps. Google Fit, which “enables Android users to pair health-tracking devices with their phone to monitor activity,” already has partnerships with a number of wearable device companies, such as Nike, Adidas and Noom. Business Intelligencer noted in January 2020 that Google Fit was “created to ensure Android devices have a platform to house user-generated health data (making it more competitive with Apple products). In 2019, Google acquired the smartwatch technology from Fossil. Fitbit will play a role in Google’s plans for its Fit service, such as providing additional data that can be accessed via third parties and made available to medical providers through patients’ electronic health records. The transaction, said one analyst, “is partly a data play,” and also one intended to keep customers from migrating from its Android platform to Apple’s. It is designed, they suggest, to ensure that Google can benefit from the sales of health-related services during the peak earning years of consumers. The Google Play app store offers access to an array of health and wellness apps that will be impacted by this deal. Antitrust authorities in the EU have already sanctioned Google for the way it has leveraged its Android platform for anti-competitive behavior. Google’s health related investments, including its use of artificial intelligence, and the role of Fitbit data Verily is “where Alphabet is doing the bulk of its healthcare work,” according to a recent report on the role AI plays in Google’s plans to “reinvent the $3 Trillion U.S. healthcare industry.” Verily is “focused on using data to improve healthcare via analytics tools, interventions, research” and other activities, partnering with “existing healthcare institutions to find areas to apply AI.” One of these projects is the “Study Watch, a wearable device that captures biometric data.” Verily has also made significant investments globally as it seeks to expand. DeepMind works on AI research, including how it is applicable to healthcare. Notably, DeepMind is working with the UK’s National Health Service. Another subsidiary, Calico, uses AI as part of its focus to address aging and age-related illnesses. Additionally, “GV” (Google Ventures) makes health-related investments. According to the CB Insights report, “Google’s strategy involves an end-to-end approach to healthcare, including: Data generation — This includes digitizing and ingesting data produced by wearables, imaging, and MRIs among other methods. This data stream is critical to AI-driven anomaly detection; Disease detection — Using AI to detect anomalies in a given dataset that might signal the presence of some disease; and Disease/lifestyle management — These tools help people who have been diagnosed with a disease or are at risk of developing one go about their day-to-day lives and/or make positive lifestyle modifications. Google has also acquired companies that directly further its health business capabilities, such as Apigee, Senosis Health and others. Google’s continuous quest to gather more health data, such as “Project Nightingale,” has already raised concerns. There are now also investigations of Google by the Department of Justice and State Attorney’s-General. The Department of Justice, which is currently reviewing the Google/Fitbit deal, should not approve it without first conducting a thorough review of the company’s health-related business operations, including the impact (including for privacy) that Fitbit data will have on the marketplace. This should be made a part of the current ongoing antitrust investigation into Google by both federal and state regulators. Congress should also call on the DoJ, as well as the FTC, to review this proposed acquisition in light of the changes that digital applications are bringing to health services in the U.S. This deal accompanies lobbying from Google and others that is poised to open the floodgates of health data that can be accessed by patients and an array of commercial and other entities. The Department of Health and Human Services has proposed a rule on data “interoperability” that, while ostensibly designed to help empower health services users to have access to their own data, is also a “Trojan Horse” designed to enable app developers and other commercial entities to harvest that data as an important new profit center. “The Trump Administration has made the unfettered sharing of health data a health IT priority,” explained one recent news report. Are regulators really ready to stop further digital consolidation? The diagnosis is still out! For a complete annotated version, please see attached pdf

Subject: Which digital privacy proposals in Congress make the grade? Nov. 21, 2019 Contact: David Rosen, drosen@citizen.org (link sends e-mail), (202) 588-7742 Susan Grant, sgrant@consumerfed.org (link sends e-mail), (202) 387-6121 Caitriona Fitzgerald, fitzgerald@epic.org (link sends e-mail), (617) 945-8409 Katharina Kopp, kkopp@democraticmedia.org (link sends e-mail), (202) 836-4621 Campaign for a Commercial-Free Childhood · Center for Digital Democracy · Color of Change · Consumer Federation of America · Consumer Action · Electronic Privacy Information Center · Parent Coalition for Student Privacy · Privacy Rights Clearinghouse · Public Citizen · U.S. PIRG NOTE TO REPORTERS Grading Digital Privacy Proposals in Congress When it comes to digital privacy, we’re facing an unprecedented crisis. Tech giants are spying on our families and selling the most intimate details about our lives for profit. Bad actors, both foreign and domestic, are targeting personal data gathered by U.S. companies – including our bank details, email messages and Social Security numbers. Algorithms used to determine eligibility for jobs, housing, credit, insurance and other life necessities are having disparate, discriminatory impacts on disadvantaged groups. We need a new approach. Consumer, privacy and civil rights groups are encouraged by some of the bills that recently have been introduced in Congress, many of which follow recommendations in the groups’ Framework for Comprehensive Privacy Protection and Digital Rights in the United States (link is external). The framework calls for baseline federal privacy legislation that: - Has a clear and comprehensive definition of personal data; - Establishes an independent data protection agency; - Establishes a private right of action allowing individuals to enforce their rights; - Establishes individual rights to access, control and delete data; - Puts meaningful privacy obligations on companies that collect personal data; - Requires the establishment of algorithmic governance to advance fair and just data practices; - Requires companies to minimize privacy risks and minimize data collection; - Prohibits take-it-or-leave-it or pay-for-privacy terms; - Limits government access to personal data; and - Does not preempt stronger state laws. Three bills attained the highest marks in the recent Privacy Legislation Scorecard (link is external) compiled by the Electronic Privacy Information Center (EPIC): - The Online Privacy Act (H.R. 4978 (link is external)), introduced by U.S. Reps. Anna Eshoo (D-Calif.) and Zoe Lofgren (D-Calif.), takes a comprehensive approach and is the only bill that calls for a U.S. Data Protection Agency. The bill establishes meaningful rights for individuals and clear obligations for companies. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective. - The Mind Your Own Business Act (S. 2637 (link is external)), introduced by U.S. Sen. Ron Wyden (D-Ore.), requires companies to assess the impact of the automated systems they use to make decisions about consumers and how well their data protection mechanisms are working. It has explicit anti-preemption language and holds companies accountable when they fail to protect privacy. The private right of action should be broader, and the bill needs clear limits on data uses. - The Privacy Rights for All Act (S. 1214 (link is external)), introduced by U.S. Sen. Ed Markey (D-Mass.), has important provisions minimizing data collection and delinking user identities from collected data, and prohibits bias and discrimination in automated decision-making. It also includes a strong private right of action and bans forced arbitration for violations. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective. Two bills are plainly anti-privacy. The Information Transparency & Personal Data Control Act (H.R. 2013 (link is external)), introduced by U.S. Rep. Suzan DelBene (D-Wash.), falls woefully short. It provides few protections for individuals, contains overly broad exemptions and preempts stronger state laws. The Balancing the Rights of Web Surfers Equally and Responsibility (BROWSER) Act (S. 1116 (link is external)), introduced by U.S. Sen. Marsha Blackburn (R-Tenn.), is based on the old, ineffective take-it-or-leave-it terms of use model, does not allow agency rulemaking, is weak on enforcement and preempts state laws. Both are bad, anti-privacy bills. Future federal privacy bills must make the grade. Additional privacy bills are expected to be introduced by U.S. Sen. Maria Cantwell (D-Wash.) and U.S. Rep. Jan Schakowsky (D-Ill.). Separately, U.S. Sens. Richard Blumenthal (D-Conn.), Roger Wicker (R-Miss.) and Josh Hawley (R-Mo.) may release their own bills. These leaders should strive to meet the standards that the framework lays out. Baseline privacy legislation must not preempt stronger state protections and laws – such as the California Consumer Privacy Protection Act (link is external) that takes effect in 2020, biometric data protection laws such as those in Illinois (link is external) and Texas (link is external), and data breach notification laws (link is external) that exist in every state. States must be allowed to continue serving as “laboratories of democracy,” pioneering innovative new protections to keep up with rapidly changing technologies. In addition, federal privacy legislation must include a strong private right of action – a crucial tool consumers need to enforce their rights and change the behavior of powerful corporations – and establish safeguards against data practices that lead to unjust, unfair, manipulative and discriminatory outcomes. For more information, see these fact sheets (link is external). Please contact any of the individuals listed above to speak with an expert. ###