Hey there, let’s talk about a recent case that’s making waves in the world of data privacy. In September 2024, a court decided to move forward with a lawsuit against Headway for sharing personal data with Google Analytics. Now, why is this such a big deal?
Typically, lawsuits related to personal data sharing under the CCPA have focused on advertising purposes. However, this case is different as it centers around website analytics, not advertising. Almost every website out there uses tools like Google Analytics to track and enhance performance. In the US, sharing personal data with analytics tools is common practice to improve measurement, especially since the CCPA primarily targets sharing for advertising purposes.
In the class-action lawsuit against Headway, the courts are examining another aspect of the CCPA: the proper encryption or redaction of personal data shared with third parties. It’s alleged that Headway, a platform for finding mental health therapists, failed to anonymize IP addresses when sharing data with Google Analytics. This led to sensitive medical information being exposed to Google, in direct violation of Headway’s privacy policy which promised data sharing only with partners related to mental health services.
So, what’s the key takeaway from all of this? Privacy teams now need to pay close attention to how personal data is shared with any third party, not just advertising partners. Many privacy teams currently lack the necessary visibility to effectively manage data processing. To address this, tools like Privado can track data flow across tech stacks and proactively alert stakeholders of potential risks before privacy violations occur.
The timeline of this lawsuit is quite interesting. It all started in July 2023 when an individual named M.G. filed a lawsuit against TherapyMatch (operating as Headway) for sharing mental health data with Google without proper consent. The case moved to federal court and went through several stages before the recent court decision in September 2024.
To ensure user privacy, businesses must take proactive steps. This includes implementing clear consent mechanisms, configuring tag managers accurately, setting up analytical tools with privacy in mind, and continuously scanning websites and apps for compliance issues. Privado offers solutions to help businesses maintain user privacy and comply with data protection laws by scanning digital assets, verifying consent mechanisms, analyzing tag managers and analytics configurations, and providing actionable insights.
If you’re looking to enhance your data privacy practices, consider requesting a free website audit from Privado. This comprehensive evaluation can help identify areas of risk and provide recommendations for improving privacy practices. So, take that first step towards better data privacy today!