WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) wrote to Meta CEO Mark Zuckerberg expressing concern and requesting more information regarding Meta’s practice of collecting users’ health information through tracking applications.

In the letter, Sen. Warner highlighted the need for user privacy and increased transparency around how user data is collected online, which has become increasingly important as the use of telehealth appointments, online appointment booking, and electronic record keeping has risen exponentially over the course of the pandemic.

“As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information,” wrote Sen. Warner.

Specifically, Sen. Warner called attention to Meta Pixel, a tracking tool that sends Meta a packet of data whenever a user clicks a button to schedule a doctor’s appointment – without the knowledge of the individual making the appointment.

He continued, “I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online. This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments.”

Sen. Warner also noted allegations that this practice of data harvesting and collection has been used by Meta to target advertisements across their platforms. In August of this year, two lawsuits were filed against the company over the alleged unlawful collection and sharing of health data without consent.

To address these concerns, Sen. Warner requested Meta respond to the following questions:

  1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
  2. How does Meta store information received through the Meta Pixel?
  3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
  5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
  6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

Sen. Warner has been a leader in Congress pushing for increased transparency and protections surrounding user data and privacy. He introduced the DASHBOARD Act, which works to increase transparency around data collection; the DETOUR Act, which would prohibit companies like Meta from using deceptive dark patterns to manipulate users into handing over their data; and the Public Health Emergency Privacy Act, which would set strong and enforceable privacy and data security rights for health information.

A copy of the letter can be found below.

October 20, 2022

Dear Mr. Zuckerberg:

I write to you today to express my concern regarding Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent.

As you know, I have long worked to protect user privacy and increase transparency around how user data is collected and shared. This mission is more urgent than ever as the last two years have shown us the importance of health care technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic. As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information.

I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online. This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments. Additionally, of particular concern are the recent allegations that Meta has used Meta Pixel data to inform targeted advertisements on Meta’s platforms. The use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the top 100 hospitals in the country and inside the patient portals of seven health systems at the time of the investigation.

Unfortunately, privacy issues involving the Meta Pixel are not new, as there has been previous scrutiny of the Meta Pixel outside of the health care context. Reports published earlier this year found that the Pixel sent personal information to Meta that was collected from the Free Application for Federal Student Aid (FAFSA) on the website of the Federal Student Aid (FSA) office within the U.S. Department of Education. Data sent to Meta includes applicant first and last name, email addresses, and zip codes. Additionally, this is not the first time that your company has been involved in the wrongful collection of sensitive health information. In 2021, an investigation by the New York State Department of Financial Services found that Meta (then Facebook) collected user data from several health and wellness apps, including results from blood pressure and heart rate readings, menstruation and fertility tracking, pregnancy status, and other deeply personal information.

Meta’s own business guidelines state that the company “[doesn’t] want websites or apps sending [Meta] sensitive information about people,” including sensitive health information, which Meta identifies as medical conditions, sexual and reproductive health, mental health, details regarding medical devices and trackers, treatments, test results, body specifications or cycles, locations of treatment, and other health-related data. Yet, in this most recent case and as we have seen previously, Meta is continuing to access this highly sensitive information.

It is critical that technology companies like Meta take seriously their role in protecting user health data. Without meaningful action, I fear that these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health.

To address the concerns raised in this letter, I request that you provide responses to the following questions by November 3, 2022:

  1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
  2. How does Meta store information received through the Meta Pixel?
  3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
  5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
  6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

I look forward to your prompt responses.

Sincerely,
