Health Data, Privacy, and Ethical Marketing: What Companies Need To Know

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hi, I’m Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology, since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:56

And this episode is brought to you by Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com How are you today?

Justin Daniels 1:32

Doing fine. How are you?

Jodi Daniels 1:33

Oh, well, now that I have the right little plug in gadgets so people can actually hear us on our microphones, that’s good. See, the cool little gadgets don’t work when they’re not actually plugged in. Indeed, they don’t like you always, always chat. So just in case anyone was curious, I hope you all can hear us just fine. Well, today we have Ben Chapman, who is the General Counsel and Chief Privacy Officer at Swoop, and prior to Swoop, Ben was deputy general counsel for real chemistry, and he has nearly 10 years experience in ad tech, data and privacy matters. So Ben, welcome to our silly show.

Ben Chapman 2:16

Thank you for having me. Very exciting.

Jodi Daniels 2:18

You like fun over here.

Justin Daniels 2:20

So Ben, can you talk to us a little bit about your career journey?

Ben Chapman 2:26

Yeah, I actually started out as a bankruptcy attorney doing international bankruptcy. The very first case I was on was the Madoff case. It was super fun. I am super grateful for my mentors and the learning that I got doing that. But I, you know, I kind of had an affinity for some of the tech cases that we were doing. And probably about 10 years ago, 2015 2016 the opportunity presented itself to kind of spin into the media, ad tech, agency world. So I transitioned to Publicis and learned all I could about that. And then, you know, later, got the opportunity to join real chemistry and work with a great bunch of people, you know, more focused on the pharma industry, and that’s actually where I started. You know, working with Swoop and the data matters that they do. And, you know, recently, Swoop kind of was spun out from being a wholly owned subsidiary of real chemistry to its own entity. And you know, we’re kind of pursuing our omni channel growth, and I went along with Swoop as the General Counsel and chief privacy officer.

Jodi Daniels 3:39

So let’s chat a little bit about health data and privacy, which are both in the news a lot lately, in their own respective ways, and we have a growing list of privacy laws. So why does privacy matter so much in healthcare marketing right now?

Ben Chapman 3:57

Yeah, I mean, excellent question, right? I think the sort of easy answer is that you know, as you mentioned, all of the growing list of privacy laws, they are setting new standards of how to treat sensitive data right, and that generally includes health data. Some are coming out, like the Washington my health my data law that are specifically geared towards consumer health data, and they are intended to pick up where sort of the federal private, you know, healthcare privacy laws leave off. So companies really need to be mindful about privacy laws and how the different, differing privacy laws may treat the data that they’re working with. It’s also incredibly important, because, you know, these messages are important to get to the right consumers in the world that we operate in. You have a lot of people who you know, want to hear the message that would benefit. From hearing the messages, messages that these you know, pharma companies and healthcare companies are trying to get across to them, and knowing how to do that in a responsible and ethical way is really, really important.

Jodi Daniels 5:14

Now, I think it’s also important to understand healthcare and what we mean by health data. So, Ben, you mentioned the Washington law a little bit, which can be really broad when you’re thinking healthcare and healthcare marketing. Can you share a little bit about what that might look like?

Ben Chapman 5:34

Healthcare like, as in, well, like health data, health data, right? I mean, the interesting thing about these laws is that they all contain, or the newer ones are containing provisions that will deem things to be health data that ordinarily might not be considered health data, right, purchasing history, if it’s tied to a particular type of, you know, drug or something that indicates that an individual might have a condition automatically. Now that is deemed to be health data, if you can draw inferences about it an individual based on their purchase history or other types of information, it can be deemed so broadening the scope of what is, you know, health data is the purpose of these laws and to make people really think about how they’re using it to reach the patients and the individuals who may benefit from these messages.

Jodi Daniels 6:32

Thank you for clarifying. I think that’s really helpful for everyone to understand.

Justin Daniels 6:38

So it’s important to ensure companies are following ethical data practices. What are the best practices around healthcare marketing to be privacy friendly, in your perspective?

Ben Chapman 6:46

Yeah, you know what we are focused on at Swoop, and what we try and communicate, what we’re trying to demonstrate, transparency, I think, is number one, right? I’ve worked with some really wonderful professionals in this space, and they keep, you know, hammering this home. Say what you do with the data and do what you say. It’s really important to earn the trust of the community. You want individuals, you want patients who can, you know, be helped by these messages to trust that you’re going to use their data in the right way and that you’re not doing things with it that you know you didn’t disclose. So I think transparency is probably one of the key elements here. Another one is, you know, assessing the impact from the individual perspective, right the individual consumer, the individual patient, always, always view what you’re doing from that lens, because that’s the goal of these privacy laws. They are there to protect the consumer. They’re there to protect the individual. If you really think about your practices and what you do from that viewpoint, I think that it gives you a leg up for for sure, some of the best folks, even even opposing counsel that I’ve sat across from, some of the best attorneys in this field, have you know started the conversation with let’s Talk about how we handle our data from our clients point of view, right? What are their expectations? And I think that that is a really, you know, important framework to start and you know also to ensure that you’re being privacy friendly. Evaluate your partners really. Use trusted data partners. Use trusted agency partners. You know, I think a lot of it’s interesting. I hear a lot of folks that say, Well, we have contracts with our agency so, you know, whatever, whatever they say goes, but I think that the way that these privacy laws work, they’re really looking up and down the chain to make sure that everybody is kind of keeping tabs on one another and using the best practices out there. So really evaluate your partners and ensure that you know you are satisfied with their methodologies and processes.

Jodi Daniels 9:11

And do you have a tip for someone listening who says, you know, that’s a good idea? I was just listening, or I was just reliant on my contract, but I guess I should do a better evaluation job. What? What might one or two steps, starting steps be to evaluate, in your opinion?

Ben Chapman 9:28

One, understanding what the data is, right? I also find it super helpful. It’s surprising to hear how many viewpoints there are on matters that have been around for a while, since these privacy laws came into that, I think asking fact, factual questions about what a process is will really kind of cut through the well, it we believe it’s this or we believe it’s that, right? A lot of these laws are untested, and I think will be developed in courts, but until. There is, you know, a lot more guidance just asking fast, factual questions of your data partners, what do you do? What are the steps? What is your methodology? And understanding that some of this is, you know, the data partners secret sauce, and they need to protect their information, but doing it under you know, confidentiality agreements and ensuring that you have enough information to make that determination on your own. I think that’s a really, really key thing.

Jodi Daniels 10:29

Thank you. Now, we were just talking a little bit ago about how some of the state privacy laws have expanded the definition. And a lot of people, when they think health, they think HIPAA. What are your thoughts for how should companies comply with HIPAA and the growing list of state privacy laws with this expanded definition?

Ben Chapman 10:55

Yeah, and that’s something that we are highly focused on. You know, being in the healthcare and consumer space, we are keenly focused on all of the applicable laws. And it’s not an either or it’s a both. And you really need to understand the impact or the coverage of HIPAA up to the point that it may no longer apply. That understand all of the limits where these laws may kick in, and, you know what, or just the balance of them, really seek guidance. That is my number one, you know, viewpoint on that is that you something may seem black and white, but really, there’s a whole community of privacy professionals out there that, you know, I think we’ve even engaged at these conferences and hearing the range of viewpoints, it’s super helpful to shape your own and think of things. Think of the data in a way that you might not have thought about it before. Think of the way that you’re handling it in a way that you might not have thought of before. So really, you know, it’s a holistic approach, and you should really rely on the community that’s out there, you know, for assistance with that.

Jodi Daniels 12:12

Great thoughts. And I like also the idea of continuously learning and hearing from other people. It’s very much a gray space.

Ben Chapman 12:20

Yes, yes. You know, something that has really, if there’s one thing that has surprised me since kind of really stepping into the Chief Privacy Officer role, it is that there are reasonable, very reasonable and learned minds can have different views on the same topic. You know, even some of the things that people are, I still hear debated in these you know, privacy industry functions are, you know, does this constitute personal data? At what point you know, does it become personal data? At what point is it not? You know, even, like the definitions of data broker and whether you have to be on the registry or not, it’s reasonable minds can come to differing views. I think the important thing, though, is to make sure that you have a good reason, thought-out approach to it, and again, harping back on this really thought out approach from the patient’s viewpoint, right? It’s them that matter.

Jodi Daniels 13:20

Very important perspective.

Justin Daniels 13:23

So as someone who’s in a highly regulated space and in the budding privacy field, what has been your biggest learning to date as general counsel and chief privacy officer, it sounded like you just alluded to one with the wise minds can differ.

Ben Chapman 13:39

Yeah, I look, I think that that’s it. On more than one occasion, I have been, you know, across the table from folks who just don’t see it how I do, and I can also see how they’ve come to their conclusion. So I think that’s why, I also think it’s important to really stick to the facts here, you know, and every company, every entity, is going to have to make their own determination about, you know, what their risk tolerance is, and what they really believe is happening. If you stick to the facts and get enough information to make your own determination about whether someone is safe or not, you know, and doing all they can to comply with privacy laws. I think that is, you know, really a good track to go.

Jodi Daniels 14:31

So with your new found Chief Privacy Officer hat on, what might you say to someone new stepping into a privacy role. What advice would you offer them?

Ben Chapman 14:46

Ask questions. A lot of them seek help. It’s kind of one of the first things I did. You know, suddenly being responsible for an entire company’s compliance. It really does take a community. And I don’t, I don’t think it’s ever a good idea to think that you know all of the answers, especially with you know, such a new area of law. So getting those viewpoints, asking the questions, don’t be afraid to ask the questions that I have experienced just genuine warmth and, you know, welcoming by the privacy community and attending these things, it’s been terrific. So really ask a lot of questions and seek help. I also think it helps to be genuine, like genuinely curious about the topic. I kind of followed the route where I am because I liked the ad tech and data side of media more, and I was genuinely curious about how to work. How it works, how does an ad get in front of you? But also balancing that with, hey, I want that to be done in a responsible and ethical way. I want to be able to look at you and tell you, how did this ad get served to you, you know, in a passable way and in a way that makes you believe that I care about your privacy, that I’m not trying to identify you specifically, right?

Jodi Daniels 16:12

Yeah, I know we’re speaking about healthcare and marketing and privacy today, but we were trying to watch a family movie on a particular streaming service, and the ads that were coming through were not family friendly, and there was no there was no pause, skip, a button, and all I wanted to do is be able to mark this is so wrong for this family. Can you please? This is where personalization needs to happen. So Right? There’s a lot of room for how did this ad get to you?

Ben Chapman 16:49

Yes, yeah, I know. Look, I’m completely with you. And I think, look, even the way that we do it, it is highly likely that you’re going to get an ad that is not necessarily relevant to you. But you know, at least we are trying to build as comprehensive an audience as we can, in a privacy safe manner, but taking the context right? What are you watching? What’s who’s likely to be watching this? You know, Jodi, I think even you and I have talked about, don’t mess with kids. Don’t mess with grandma. Don’t mess with sensitive information you really have, especially with that kind of stuff, you really have to be careful and really think about who is, who could likely see the ad that you’re trying to get out there. It is incredibly important.

Justin Daniels 17:40

So Ben, when you’re out hanging out, maybe on New Year’s Eve with some friends, and maybe this whole topic we just discussed comes up. Do you have a best privacy tip you’d like to share with our audience in that vein or any vein that you prefer?

Ben Chapman 18:00

Look, I I love the don’t mess with kids. Don’t mess with grandma, of course. But I look, it always goes back to putting the individual and the patient first. If you can’t tell a story that, if you can’t explain to them in a way that they can feel comfortable and trust that you are handling information, even pieces of their information, right? Even if you don’t know exactly who it is, parts of that information go into making how online ads are served up, so ensuring that you’re able to put yourself there and explain that in a way that is responsible and ethical and that you can stand behind, I think, is, is really, you know, the most crucial advice that I could give.

Jodi Daniels 18:47

And when you are not studying up and talking about privacy, what do you like to do for fun?

Ben Chapman 18:53

Ah, my partner and I, actually, we are huge live music fans, some years are better than others. 2024 happened to be a spectacular year. We also use it as kind of an excuse. So we all we’re always going to concerts, and we use it as kind of an excuse to also fit in some travel as well. It’s always fun to go to a destination and explore the destination when you know you have like the event to go to. You know, in 2024 was an incredible year. I, you know, I saw Taylor Swift in Amsterdam, and Fred Again in Toronto, and Chappell Roan in Montreal, and No Doubt at Coachella. It was a really incredible year. So that’s, that’s really what you know when I’m checking out, not thinking about privacy. I’m trying to see what setlists are coming up.

Jodi Daniels 19:47

We have a lot of privacy and music people. We could, we could actually take our guests and organize them by their fun activities and create little community fun.

Justin Daniels 19:57

You can just say that would be fun. But. Yeah, what ads would you serve them?

Jodi Daniels 20:04

I wouldn’t, they publicly share what they like to do for fun. It is all out there. I just need someone to comb through and put it all together, aggregate, and I could create little communities. That’s exactly right.

Justin Daniels 20:14

And Ben, what ads would we serve them? Let’s talk about the music people first, right?

Ben Chapman 20:19

I mean, look, Spotify. You know, the Apple Music; that’s low-hanging fruit that seems reasonable, but look at the connection that I just made. It’s fun to travel and see a concert, so maybe Delta wants to get it on. I don’t know. You could find some travel bucks who don’t mind going along for the ride to see a concert.

Jodi Daniels 20:40

There you go. Well, Ben, if people would like to connect, where could they go?

Ben Chapman 20:46

You can reach me on LinkedIn. I think that the last one is the last hash is, Chapman or you can feel free to reach out to me directly at Ben@swoop.com.

Jodi Daniels 21:02

Well, Ben, thank you so much for sharing a perspective we really haven’t talked too much about on the show, which is marketing and privacy and health data and certainly an area to continue to to be a focus for a variety of different reasons. So Ben, we’re so glad that you joined us today. Thank you.

Ben Chapman 21:19

Thank you for having me. It was a pleasure.

Outro 21:25

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.