In Poor Health: An Assessment of Privacy Policies at Direct-to-Consumer Web Sites

Abstract

Overall, consumers are concerned about the privacy of their personal health information. However, they are also active seekers of health care information online. Many of these information searches lead consumers to Web sites sponsored by pharmaceutical companies that provide information about drugs that are available only through prescription. Many of these Web sites collect personalized information about site visitors to facilitate information exchanges between visitors and site sponsors. This study examines the types of information collected at Web sites that promote product-claim drugs and studies the privacy notices that such sites provide. The author evaluates the degree to which such notices comply with Federal Trade Commission Fair Information Practices. Drug Web sites collect a range of information through a variety of interactive methods. The Web sites have relatively high compliance with two of the Fair Information Practices, notice and choice, but they have poor compliance with the access and security Fair Information Practices. In addition, readability of the policies is low. The author discusses implications for the industry and public policy.

More than half of online consumers use the Internet to find out information that influences their health care decisions (Drummy 2002). A Harris study found that 80% of the U.S. online population has searched the Internet for health information at least once, half search for health information at least once each month, and more than one-fourth bypass search engines and go directly to Web sites they believe offer health care information (Harris Interactive 2002). Between 2002 and 2003, the number of people searching online for health information increased from 26 million to 41 million (Aikin 2002). The increase in popularity of these sites may indicate that most people are interested in understanding their medical options and preparing for conversations with their doctors.

Direct-to-consumer (DTC) Web sites for branded drugs provide information about drugs, including a drug's risks and benefits. In addition, Web sites provide a variety of activities that enable visitors to interact with the site to access information and offers related to the branded drug. Often, visitors have the opportunity to provide information at the site as part of the interaction. However, personal health information is an area that consumers consider highly private. All Web sites are encouraged to post notices that explain the type of information they collect and how they use this information. The Federal Trade Commission (FTC) has established guidelines for Web sites to use in developing privacy notices with the overall goal of helping consumers determine if they should provide information to the sites they visit. In general, compliance with FTC guidelines is high.

A recent analysis of Web sites dedicated to health information (including both commercial and noncommercial sites) found that many sites do not have privacy notices (Graber, D'Allessandro, and Johnson-West 2002). When privacy notices exist, they are often written in language that is difficult to comprehend. This study specifically examines Web sites for branded drugs to assess the types of information such sites collect, how they plan to use this information, and how well they communicate their policies to consumers.

Review of the Literature

Dupuits (2002) suggests that the Internet serves several purposes for consumers searching for health information. First, the Internet distributes information about diseases and the drugs that treat them. Second, the Internet supports informed decision making by enabling consumers to access information about risks of specific drugs. Third, the Internet provides information about support behaviors that patients can adapt to enhance treatment. Finally, the Internet provides a means for information exchange and support through various online communities, which can mentally benefit patients. Direct-to-consumer branded-drug Web sites tend to focus on the educational roles (Wilkes, Bell, and Kravitz 2000), but many also provide other services for consumers, including trial offers, prescription refill reminders, and risk assessments.

Recent studies indicate that consumers consider the Internet a good place to find health information (Martin-Facklam et al. 2004). Anderson's (2004) recent study found that 78% of online users search online for health information, and 87% consider this information reliable. Of specific interest to this study, a Food and Drug Administration (FDA) survey found that 38% of the respondents use the Internet as a source of information for finding prescription drugs (Thomaselli and Elkin 2003). One-third to one-half of consumers believed that the information they found online greatly assisted them in making decision about their health (Pew Internet and American Life Project 2000).

Many consumers learn about branded-drug Web sites from traditional DTC advertising in television and magazines. Direct-to-consumer advertising ranked among the highest ad spending categories for the past three years. Approximately $3 billion were spent in consumer media to support these products (Barlett et al. 2004). In addition, DTC interactive marketing budgets increased 13% in the United States in 2003 (McKillen 2003).

Drug companies allocate the majority of their advertising budgets to branded advertising messages—that is, advertisements that describe both the medical condition that needs treatment and the drug that can treat it (Sheehan 2003). Branded messages in broadcast advertising must comply with the FDA adequate provision regulation, which requires each broadcast branded message to direct consumers to places where they can find a drug's complete prescribing information. This information includes all risks and benefits associated with the drug. In most cases, branded television advertisements feature Web site addresses, toll-free numbers, and the names of magazines running print advertisements as places where consumers can obtain this information.

Today, however, DTC branded advertising focuses less on traditional media and more on interactive media, such as direct mail and the Internet. This shift is due to drug companies' decisions to focus less on acquiring new customers and more on managing long-term relationships. In addition, consumers prefer going to a drug's Web site over using other methods to obtain information, such as toll-free numbers (Wray 2004).

DTC Web Site Offerings

As do many other types of Web sites, DTC branded-drug Web sites (e.g., viagara.com) use interactive capabilities to a great degree. Macias and Lewis (2003) report that the diversity and degree of interactivity used in DTC branded-drug Web sites is high. These sites use interactive features in two ways. First, they educate consumers by providing information about the drug itself, the disease, support measures, special offers, and ways to locate physicians and pharmacists. Second, interactive features help companies form relationships with consumers by facilitating online communities that help people with illnesses feel less alone, provide them support from others who have experienced what they are experiencing, and add to the educational mission with personal tips. Interactive features offered on DTC Web sites include personal testimonials, bulletin board sites, and information exchanges that foster community.

Many branded-drug DTC Web sites allow visitors to provide nonidentifiable information using techniques such as assessment tools, for which visitors answer a series of questions about their personal demographics and symptoms. After visitors provide such information, the Web site indicates the likelihood that they have the illness or that they might contract the illness in the future. Visitors may also provide identifiable information through site registrations; companies can link this information with information provided anonymously. Given this type of data collection at Web sites, it is not surprising that online consumers display a high level of concern about online privacy (Sheehan 2004).

Online Privacy Concerns

Over the past ten years, numerous U.S. opinion polls have indicated that people are concerned about their online privacy, specifically with respect to online data collection (Sheehan 2004). These same polls also demonstrate that consumers' level of privacy concern differs according to the type of information that online entities collect: Consumers are most concerned about the collection of their financial and health information. One poll indicates that more than three-fourths of respondents believed that privacy of their health information was important to them, and more than 75% of online consumers reported that they would not share personal information about themselves with pharmaceutical companies (Liebman 2002). Anderson (2004) reports that approximately 40% of online users are concerned about giving information to online health sites. Although public opinion polls indicate that consumers want more control over online information, it is unclear how consumers can obtain this control. People have supported several options to gain this control, including new legislation, increased consumer education, and industry-mandated opt-in programs centered on obtaining customer consent to receive information from a company.

Online consumers express high levels of concern about the privacy of their online health information. A Gallup survey found that more than three-fourths of all consumers believe that privacy of their personal health information is important to them, whereas 84% are concerned that their personal health information can be available to others without their consent (Quality Letter for Healthcare Leaders 2001). Only 8% of respondents reported that a Web site could be trusted with personal health information. An Internet Healthcare Coalition study reports that 75% of people who sought health care information online were concerned about Web sites sharing information with third parties without patients providing permission (Quality Letter for Healthcare Leaders 2001). A Pew study reveals that 85% of people who searched for health-related information were concerned that an insurance company might raise their rates or deny them coverage because of the health sites they had visited online. Furthermore, 52% were concerned that their employer might find out what health sites they had visited online (Pew Internet and American Life Project 2000).

Web Site Privacy Notices: Presence and Content

The FDA is currently developing guidelines for how drug manufacturers should communicate information online, but the timing for the announcement and implementation of such guidelines is unknown. Instead, the FDA encourages DTC Web sites to follow the FTC guidelines for Fair Information Practices (FIPs; Worah and Bimbraugh 2004). The FIPs are designed to balance the need for companies and other online entities to collect and use online visitors' personal information with the desires of those visitors to be able to control the disclosure and usage of their information (Milne and Culnan 2002). The four principles are as follows:

•

Notice: Entities collecting information should inform online visitors what personal information is collected and how it is used.

•

Choice: Online visitors should be able to object if their information is to be used for purposes beyond the initial transaction, including being shared with third parties.

•

Access: Online visitors should be able to review the information that online entities collect about them and to correct any errors.

•

Security: Organizations should protect personal information from unauthorized access or errors during transmission or storage (FTC 1998).

To communicate privacy practices, in general, Web sites use some type of online privacy notice. Privacy notices are statements that describe how Web sites collect and use information (Metz 2001). Studies have shown that the presence of a privacy notice (regardless of the content) can alleviate consumer concerns about disclosure of information to third parties (Andrade, Kaltcheva, and Weitz 2002). A Forrester study shows that more than half of online consumers read privacy policies before making a purchase online (O'Connor 2003). Although many consumers may read such notices, they often believe that they contain confusing legal language and are too long to be useful (Milne and Culnan 2002).

The FTC has conducted several “sweeps” of Web sites to examine compliance with FIP (Milne and Culnan 2002). More than three-fourths of the sampled sites had privacy policies as of the 2001 sweep. In addition, three-fourths of the sites appeared to comply with the first two FIPs of notice and choice. However, in the 2001 sweep, fewer than one-third of the sampled sites provided information about access and security. The Progress Freedom Foundation conducted a similar study in 2001; this study obtained results similar to those in the FTC studies; that is, approximately 83% of a random sample of sites had at least one privacy disclosure. However, this study found that only 60% notified visitors about the type of personal information collected, fewer than half provided a choice about the use of information, and slightly more than half provided information about steps taken to provide security (Adkinson et al. 2002).

In addition to these broad sweeps of random Web sites, several additional studies have assessed privacy compliance among specific online sectors. A study of 80 Internet health sites, which included the top 25 Internet health sites (e.g., webmd.com) found that 30% of such sites did not have a privacy policy (Graber, D'Allessandro, and Johnson-West 2002). A 2000 study of the retail sector indicated that approximately 40% of retail Web sites had a posted privacy notice (Miyazaki and Fernandez 2000). Fewer than one-third of these retail sites disclosed whether they shared information. A study of the Fortune E-50 found that only two of the top 50 e-companies fully complied with the four FTC FIPs (Ryker et al. 2002). Another 63% of firms were in partial compliance with the four FIPs, and the remaining third failed to comply with one or more FIPs; access and security had the largest degrees of noncompliance. A study of hotel Web sites showed that approximately two-thirds of the Web sites were in partial compliance with all four FIPs; again, access and security had the largest degree of non-compliance (O'Connor 2003). A study of church Web sites indicated that such sites rarely provide privacy policies, and when such policies are listed, most sites provide notice of information collection and information about the disclosure of such information, but few sites discuss the placement of cookies or provide access to collected information (Hoy and Phelps 2003).

Readability of Health Information

Graber, D'Allessandro, and Johnson-West's (2002) study of health information Web sites highlighted a disturbing statistic: Visitors to the Web sites needed an average of two years of college-level education to comprehend the information at the Web site. In addition, no Web site had a privacy policy that was comprehensible by most English-speaking people in the United States. Recent census data show that approximately 85% of adults have a high school diploma, and approximately 25% of adults have one or more college degrees. Despite these statistics, literacy research shows that many people read three to five grades lower than their highest level of schooling. In a recent study, Hochhauser (2003) suggests that people with high school diplomas often read at what is considered a seventh- to ninth-grade reading level. Hochhauser studied Health Insurance Portability and Accountability Act (HIPAA) privacy notices, which are legal documents that health care providers are required to give to patients to inform them of their information rights. He found that more than half the sentences in the notices were classified as difficult, pompous, or complicated, and only 19% were simple, normal, or narrative.

A body of literature on research into information provided by health care providers has shown that patient information booklets or pamphlets, a primary source of health information, are frequently too difficult for many people to read and comprehend. When patients are faced with such information, their anxiety may increase (Graber, D'Allessandro, and Johnson-West 2002). A recent report by the Institute of Medicine indicates that nearly one in two Americans does not understand basic health information (Partnership for Clear Health Communication 2004). According to this study, low literacy levels among Americans result in misunderstanding of simple information, such as directions for taking medicine or hospital discharge instructions. This may also prevent use of the Internet by people with low literacy skills.

Graber, D'Allessandro, and Johnson-West (2002) studied 50 samples of patient education materials from the Internet and found that, on average, the information was written at a tenth-grade reading level, which is higher than the eighth-grade level recommended for the general public. This supports previous findings that various health educational resources are written above the eighth-grade reading level (King, Winton, and Adkins 2003). In a systematic review of 79 studies that assess the quality of consumer health information on the Internet, 70% of the articles conclude that quality is a problem (Kisely, Ong, and Takyar 2003). People who search for information on the Internet may have trouble understanding not only the information about the product at the site but also the privacy policies at the site.

People have difficulty understanding written materials when the required reading level of a particular text exceeds their reading ability. Patients reading health information can become fatigued and discouraged, which may affect their compliance with the information they receive. Much of the patient education information on the Internet may be at too high a reading level for many patients to comprehend (Oermann and Wilson 2000). This is important to consider because visitors may arrive at the privacy policies after struggling with difficult information at a Web site. Thus, they may not be as open to reading the information contained in a privacy policy.

Consumers and Privacy Notices

Consumers appear to appreciate the existence of privacy notices at Web sites, and in general, online users claim that having a privacy policy is vital to a Web site's credibility. However, the same study found that people almost never refer to a site's privacy policy when evaluating credibility (Princeton Survey Research Associates 2002). A November 2001 Privacy Leadership Initiative survey showed that only 3% of online users read privacy notices carefully, and 64% only glance at or never read privacy notices. Milne and Culnan's (2004) study reports that half of all consumers rarely or never read privacy notices. Some of these people explained that they were already familiar with the company or that they trusted the company; others noted that privacy policies were long, boring, and incomprehensible. Of the remaining respondents, most reported that they read the privacy notices because the site asked for personal information or for their credit card number. The majority also reported that they wanted to understand how sites use information.

Research Questions

People use DTC branded-drug Web sites to learn about drugs that may be of use to them. Although these DTC branded-drug Web sites provide information to help visitors make good choices, the sites are also likely to collect personal information that may cause many people to become concerned about their privacy. An appropriate privacy notice that is easily understood by consumers will help site visitors make good decisions about their Web activities. This study attempts to learn about privacy notices of DTC branded-drug Web sites. The specific research questions are as follows:

RQ₁

: What types of information do DTC branded-drug Web sites collect?

RQ₂

: To what degree are privacy policies of DTC branded-drug Web sites in compliance with the FTC guidelines for FIPs?

RQ₃

: How readable are privacy notices at DTC branded-drug Web sites?

RQ₄

: Do levels of compliance and readability vary by manufacturer?

Method

In this content analysis of privacy policies, I used a census of all identifiable, working DTC branded-drug Web sites as of March 1, 2004. The census used the Web sites included in Macias and Lewis's (2003) study of the content of DTC Web sites as a starting point. These 90 sites were collected through an exhaustive search of offline and online drug advertisements by searching for advertisements seen on television, at sites such as Webmd.com, through pharmaceutical corporate Web sites for information on drug marketing activities and links to DTC branded-drug sites, and trade and journal articles (Macias and Lewis 2003). This count of 90 sites parallels other academic studies that identified approximately 100 different DTC brands (Bell, Kravitz, and Wilkes 2000). Of the 90 sites included in Macias and Lewis's study, I excluded 7 from this study because the sites were no longer active, were for drugs that had changed status to over the counter, or were in the process of being redesigned and thus contained no information to be studied. I supplemented the remaining 83 sites with 11 additional sites. I found these sites either from stories about them in the trade publication Advertising Age or from seeing the advertising in television or print. Therefore, this study analyzes 94 DTC branded-drug Web sites.

At several sites, the home page allowed visitors to access either consumer or medical professional information. For this study, I evaluated only the consumer section. Many DTC branded-drug Web sites link to outside sites, some of which are created by the pharmaceutical manufacturers themselves. I did not include such linked sites in the analysis.

These 94 sites encompass a range of illnesses (see Table 1). Although drugs to treat psychiatric and neurological disorders continue to top the list in terms of frequency, there are also increases in the numbers of advertised drugs used to treat dermatological and respiratory conditions. Twenty-eight different companies manufacture these drugs. Two companies manufacture almost one-fourth of the drugs: Pfizer produces 11, and GlaxoSmithKline produces 10. This represents an increase in the number of advertised drugs for both these companies, which in the previous study had only 7 drugs each on the list (Macias and Lewis 2003).

Table 1

Conditions Treated by Drugs Included in the Sample

Condition/Disorder Treated	Frequency
Psychiatric/neurological disorders	14
Other	10
Dermatological conditions	9
Respiratory conditions	8
OB-GYN conditions	8
Musculoskeletal ailments	7
Allergies	7
Cardiovascular disease	5
HIV/AIDS	6
Infections/non-HIV diseases	5
Urological conditions	5
Diabetes	3
Gastrointestinal conditions	3
Cancer	2
Tobacco addiction	2

Macias and Lewis (2003) note that DTC branded-drug Web sites use the interactive capabilities of the Web to a great degree. In their study, almost two-thirds of the sites allowed visitors to register to access sections of the Web site or to receive additional information (e.g., rebate offers) from the manufacturer. In addition, there was a range of other interactive activities that allowed for information collection, including surveys (at 40% of the sites), the ability to e-mail a friend the page information (27% of the sites), the ability to submit questions to the site (21% of the sites), refill reminders (14% of the sites), and other feedback mechanism (11% of the sites).

I first examined the types of information that each site collected. To develop a coding scheme, I randomly selected and examined ten DTC branded-drug sites to classify the different types of information. I also noted how the information was collected (e.g., registrations, quizzes). Information types included demographic information (e.g., name, address, phone, sex, ethnicity), medical information (e.g., symptoms, prescriptions), and other information (e.g., information on the Web site itself and on knowledge of the disease). Information collection activities included registration forms, polls, surveys, and refill reminders. During the coding of the full sample, I added any information items that were not found in the initial small sample to the coding scheme.

I then evaluated the content of privacy notices using a scheme that reflects the FTC FIPs. The FTC used this scheme in a series of four sweeps from 1998 to 2001. The coding scheme assesses whether notice is given in four areas: what personal information is collected, how the information is used internally, whether information is disclosed to third parties, and whether information is collected with cookies. It assesses compliance with the choice FIP by examining whether consumers have a choice about whether they receive future communication from the company and whether companies share this information with third parties (this second area was not included in the FTC studies, but it is included in other studies, such as that of Adkinson et al. [2002]). It assesses the access FIP by examining whether the notices indicated that visitors could review their information and correct any information that they wanted and whether they could delete information. It assesses the security FIP by examining whether the site undertook any actions to address security of information during and after transmission to the Web site. I trained two coders to evaluate the privacy statements using these measures. Because of the explicit explanations provided in previous studies that could be used in this study as coding instructions, intercoder reliability was 100%.

In addition, I use two measures to examine the readability of the Web site. The Flesch (1979) reading-ease score was developed in the early 1940s; it measures both average sentence length in words and average word length in syllables. The resultant reading-ease score ranges from 0 (“very difficult”) to 100 (“very easy”). In addition, the Flesch reading-ease score can be translated into a grade-level estimate. Today, the Flesch reading-ease and grade-level scores are two of the most commonly used measurements of readability (Institute of Educational Sciences 2003). Microsoft Word programs automatically calculate the Flesch reading-ease score, so for this study, privacy policies were copied verbatim into a Word document, which calculated the Flesch scores. One limitation of the Flesch index is that the highest grade level estimate it scores is 12th grade. To augment this analysis, I also applied the Gunning-Fog readability index to the privacy notices. This readability program scores to the postgraduate level (e.g., the 17th grade).

Results

Of the 94 sites, 88 (94%) had a posted link to privacy notices. This is an increase from Macias and Lewis's (2003) study, which indicates that only 81% of the sites had a privacy notice. The sites labeled privacy notices primarily as either a privacy policy (44% of the sites) or a privacy statement (41% of the sites). The FTC (2000, p. 192) describes a privacy policy as a “comprehensive description of a Web site's information practices that is located in one place on the site and may be reached by clicking on an icon or hyperlink.” Although the FTC does not have a posted definition for a privacy statement, it describes an information practice statement as “a discrete statement that describes a particular practice regarding consumers' personal information” (FTC 2000, p. 192). In the current study, it appears that DTC branded-drug Web sites use the terms “privacy policy” and “privacy statement” interchangeably because coders observed no difference in the types of practices detailed in policies and statements. Of the remaining sites that had privacy notices, six sites described the information under the broader terms “legal,” “legal notices,” or “legal stuff,” and one site called the information a “disclaimer.” Yet another site simply identified the link as “privacy.” Of the six sites without links to privacy notices, four collected personally identifiable information about site visitors, and two did not.

Types of Information Collected

The first research question asked what types of information are collected at DTC branded-drug sites. Table 2 provides an overview of the types of information collected, divided into three categories: demographic information, medical information, and other information. More than half of the sites collected some type of demographic information, including a visitor's name, e-mail address, and postal address. In addition, one-third of the sites collected information about a visitor's age in an identifiable manner (i.e., during the same information collection process in which a person's name was collected). Four sites (4%) collected age information anonymously, approximately one-quarter (27%) of the sites collected telephone numbers, approximately the same percentage collected information about the visitor's gender, and more than 10% collected information about a friend of the visitor who might be interested in the site; this information would be used to send the friend information about the drug.

Table 2

Types of Information Collected

	Information Item	Number (Percentage) of Sites that Collected Identifiable Information	Number (Percentage) of Sites That Collected Anonymous Information	Total Number (Percentage)
Demographics	Name	54 (57)		54 (57)
	E-mail address	53 (56)		53 (56)
	Postal address	48 (51)		48 (51)
	Birthday/age	31 (33)	4 (4)	34 (37)
	Telephone number	26 (27)		26 (27)
	Gender	19 (20)	3 (3)	22 (23)
	Name of a friend who might be interested in the site	10 (11)	1 (1)	11 (12)
	Friend's e-mail	10 (11)	1 (1)	11 (12)
	Ethnicity	2 (2)	1 (1)	3 (3)
Medical information	Medication person is currently taking	29 (31)	5 (6)	34 (37)
	Disease diagnosis	18 (19)	1 (1)	19 (20)
	Current symptoms	10 (11)	8 (9)	18 (19)
	Length of time visitor has had symptoms	7 (7)	5 (6)	13 (14)
	Medication person has taken in the past	11 (12)	1 (1)	12 (13)
	Refill date of current prescription	10 (11)		10 (11)
	Current health insurance	2 (2)		2 (2)
Other information	Miscellaneous information
	about the drug		30 (32)	30 (32)
	Attitudes toward Web site	13 (14)		13 (14)

Many of the DTC branded-drug sites collected health or medical information about the visitor. Approximately 40% of the sites collected information about the visitor's current medication regime, and one-fifth asked whether the visitor had been diagnosed with the disease treated by the drug. Approximately one-fifth of the sites asked about the visitor's current symptoms, and approximately 14% of the sites asked about the duration of such symptoms. Fewer than one-fifth of all the sites asked about medications that the visitor had tried in the past (both DTC and over the counter), the refill date of the visitor's current prescription, and the visitor's health insurance.

In terms of “other” information, approximately one-third of the sites quizzed visitors on their knowledge of the properties of the drug (e.g., a “true/false” poll asking visitors whether they believed that the drug was habit forming). A small percentage (14%) asked visitors about their attitudes toward the Web site in terms of the ease of navigating the site and the quality of the information on the site.

Table 3 describes the various manners in which this information was collected. Many of the collection activities were clearly identified information exchanges: The visitors provided information about themselves and received something in return (e.g., additional information, a rebate or free trial, access to other sections of the Web site, a refill reminder). In addition, several different techniques were used to collect information anonymously: symptom questionnaires, quizzes about diseases, shot polls, and so forth. Some techniques, such as a doctor visit checklist and risk assessment, sometimes collected identifiable data and sometimes collected anonymous data. What is not clear from the numerical analysis is that anonymous data collection may not always be anonymous: More than three-fourths of the anonymous collection activities occurred at sites that collect visitors' identifiable information through other means. For example, one site might collect a visitor's name and e-mail address to send the visitor more information. The visitor might then complete an “anonymous” checklist for a doctor's visit, outlining his or her symptoms and medical history. The site could then match the anonymous data with the identifiable data for a clearer picture of the visitor.

Table 3

Information Collection Mechanisms

	Number (Percentage) of Sites That Collected Identifiable Information	Number (Percentage) of Sites That Collected Anonymous Information	Total Number (Percentage)
Checklist for doctor visit	11 (12)	17 (18)	28 (30)
Quiz	1 (1)	26 (28)	27 (29)
“Send me information” form	23 (24)		23 (24)
Risk assessment	10 (11)	10 (11)	20 (22)
Rebate	13 (14)		13 (14)
Registration	12 (13)		12 (13)
Symptom questionnaire	3 (3)	8 (9)	11 (12)
Poll		11 (12)	11 (12)
Feedback form	3 (3)	4 (4)	7 (7)
Refill reminder	7 (7)		7 (7)
Free value cards	6 (6)		6 (6)
Free trial	5 (5)		5 (5)

Compliance with FTC FIPs

The second research question asked whether the DTC branded-drug sites comply with the four FTC FIPs of notice, choice, access, and security. Table 4 details overall compliance with the FTC FIPs. As I previously mentioned, most (93.7%) of the sites posted some type of privacy notice. The highest level of compliance was with the first FIP, notice: 88.4% of the Web sites provided notice to visitors that personally identifiable information, such as their e-mail, name, or address, was collected at the site, and 89% provided notice that non–personally identifiable information about visitors was collected with cookies or with some other technology. Approximately 80% provided information about how the sites used information within the company; many sites stated that information was used to enhance the Web site experience and to respond to visitors' information requests. More than 85% of the sites notified visitors about practices regarding disclosure of information to third parties. Most sites stated that they provided visitors' information to third parties, though a small percentage of the sites stated that they did not.

Table 4

Summary of Drug Web Site Privacy Policies: Compliance and Readability (N = 94)

FIP	Description	Percentage of All DTC Branded-Drug Sites Providing Information About the Practice
Privacy notice posted		93.7
Notice	Sites provide a notice about what information is collected.	88.4
	Sites provide a notice about how information is used internally.	79.8
	Sites provide a notice about disclosure to third parties.	85.3
	Sites provide a notice about the placement of cookies.	89.5
Choice	Sites provide a choice about future communications.	29.4
	Sites provide a choice about disclosure to third parties.	22.1
Access	Sites provide information about consumer access to information.	14.7
	Sites allow visitors to delete information they previously provided.	12.0
Security	Sites provide information about security procedures after information has been collected.	23.2
	Sites provide information about security procedures during transmission.	25.5
Flesch reading ease: average		32.8
Flesch reading ease: grade level		11.9
Gunning-Fog readability		14.3

The second FIP, choice, had minimal compliance among the sites. Fewer than one-third (29%) of the sites allowed visitors to chose whether they would or would not receive future communications from the company after the visitors had given their information. An even smaller percentage (22%) of the sites allowed visitors to chose whether their information would be given to third parties or not.

Few sites were in compliance with the third FIP, access. Approximately 15% of all sites stated that visitors were allowed to inspect and correct information that they provided to the Web site. An even smaller percentage (12%) allowed visitors to delete their personal information. Of the sites that did allow access, most provided telephone or email contact information that visitors could use to arrange a review of their data. The privacy policies of many other sites encouraged visitors to e-mail the Web site with updated information (e.g., new e-mail addresses). These sites were not considered in compliance with the access policy, because Web sites would not allow the visitors to access the information for review.

Finally, the Web sites performed poorly in meeting the fourth FIP, security. Fewer than one-fourth (23%) of privacy notices provided information about how sites kept visitors' information secure. These security measures included training selected employees who would have access to the information and providing internal security measures to keep information private. Approximately one-fourth (25%) of the sites addressed security during transmission of information by informing visitors that such a transmission was risky. These notices stated that though the site would attempt to protect privacy during transmission, visitors were transferring information at their own risk.

Only one site provided a privacy seal and explained the significance of the seal: The site for Celebrex, which is manufactured by Pfizer, featured the TrustE symbol and explained that the company was a licensee of TrustE. However, note that that the site was compliant with only three of the four FTC FIPs: The site did not provide any information about consumer access, though the site did state that consumers could contact Pfizer to provide updated information.

Readability of Privacy Policies

The third research question asked about the readability of the privacy policies. Table 4 shows that the Flesch scores ranged from approximately 5 to approximately 41, and the average Flesch score was 32.8. According to Flesch (1979), these scores make DTC privacy notices more difficult to understand than the average issue of The New York Times or The New York Review of Books and on par with the average score for the Harvard Law Review. In comparison, an average issue of Reader's Digest scores a 65, and Sports Illustrated scores a 63 (Flesch 1979). The average Flesch grade level was 11.9, meaning that the privacy notices did not meet the eighth-grade requirement that Graber, D'Allessandro, and Johnson-West (2002) suggest. The Gunning-Fog readability index for the privacy notices was 14.3, meaning that the notices were written at the level of comprehension for someone with at least two years of a college education.

Compliance by Manufacturer

The fourth research question asked whether compliance differed by manufacturer. Table 5 outlines overall manufacturer compliance. Of the 29 companies, 6 had “corporate” privacy policies on their sites. For example, privacy notices at sites sponsored by GlaxoSmithKline each included a Web page as part of the overall site titled “The GSK Privacy Policy.” Other sites, such as those for drugs manufactured by Aventis, linked directly to a corporate privacy notice site at the Aventis Web site.

Table 5

Summary of Manufacturers' Web Site Privacy Policy Compliance and Readability

Manufacturer	Number of Sites	Privacy Notice (%)	Notice of Information Collected (%)	Notice of Disclosure (%)	Notice of Internal Usage (%)	Choice (%)	Choice to Delete (%)	Access (%)	Security Transmission (%)	Security Internal (%)	Fog Grade Level	Reading Ease	Flesch Grade Level
Pfizer	11	100	91	27	82	18	0	0	0	18	13.6	32.5	11.9
GlaxoSmithKline^a	10	100	100	100	100	0	0	0	0	0	15.8	40.8	12
AstraZeneca^a	7	100	100	100	100	100	100	0	100	0	14.9	40.3	12
Merck^a	7	100	100	100	15	100	0	0	15	100	16.3	29.8	12
Novartis	7	100	100	100	100	86	14	100	42	14	14.2	26.7	12
Roche	6	66	33	66	50	33	16	0	16	16	13.8	17.2	12
Bristol-Myers Squibb	5	80	80	80	80	60	20	20	0	20	14.9	32.3	12
Ortho-McNeil	5	100	80	100	80	20	0	0	80	0	15.4	27.58	12
Eli Lilly	4	100	100	100	100	0	25	0	0	0	16.1	34.2	12
Wyeth	4	100	100	100	100	100	0	0	0	75	14.0	38.53	9.7
Aventis^a	3	100	100+	100	100	100	0	100	0	100	10.7	39.1	12
Jannsenn/J&J^a	3	100	100	100	100	0	100	0	100	0	15.7	30.6	12
Schering	3	100	33	100	100	66	0	33	33	66	17.0	27.65	12
Abbott^a	2	100	100	100	50	0	100	0		0	15.3	31.8	12
Boehringer	2	50	50	50	50	50	0	50	0	0	15.6	33.1	12
Galderma	2	100	100	100	100	0	0	0	0	50	11.3	23.35	12
Connetics	1	100	100	100	100	0	0	0	0	0	15.1	39.3	12
Dermik	1	100	0	100	100	100	0	0	0	100	11.9	39.3	12
Fei	1	100	100	100	100	0	0	0	0	0	14.8	28.1	12
Forrest	1	100	100	100	100	100	0	0	100	0	17.0	31.1	12
Gynetics	1	0	0	0	0	0	0	0	0	0	0	0	N.A.
Novo Nordisk	1	100	100	100	100	0	0	0	0	0	12.7	29.9	12
Ortho Biotec	1	100	100+	100	100	0	0	0	0	0	15.4	29.6	12
Pharmacia	1	100	100	100	100	100	0	0	100	100	10.7	32.5	12
Sanofi	1	100	100	100	100	100	0	0	0	0	17.0	33.5	12
Savient	1	100	100	100	100	0	0	0	100	0	14.6	28.8	12
Shire	1	100	100	100	100	100	0	0	0	0	14.9	31.8	12
Tap	1	100	100	100	100	100	100	0	100	100	15.4	22.7	12
Unimed	1	0	0	0	0	0	0	0	0	0	0	0	N.A.

Manufacturer has a corporate privacy notice and information about cookies only.

Notes: N.A. = not available.

When reviewing privacy notices on a manufacturer-by-manufacturer basis, it is apparent that no single manufacturer can claim 100% compliance with the FIPs. For example, Aventis discusses the four FIPs in its privacy statement but does not identify the types of personal information it collects. Instead, Aventis's notices discuss the placement of cookies, which collect unidentifiable personal information. Aventis also does not allow visitors to delete information, only to change it.

Eight manufacturers (Pfizer, GlaxoSmithKline, AstraZeneca, Merck, Novartis, Roche, Bristol-Myers Squibb, and Ortho-McNeil) represented about two-thirds (62%) of all the Web sites. In an earlier study, Milne and Culnan (2003–2004) found that larger companies are more likely to post privacy disclosures than smaller companies. Most of these eight companies have privacy notices at branded-drug Web sites, thus complying with the first FIP, notice. However, many of the sites sponsored by these eight manufacturers have poor compliance with the remaining FIPs; only Novartis consistently provides information about access, and only Merck provides information about security. Two manufacturers, AstraZeneca and Merck, provide visitors with some choice on how their information will be used in the future.

Only one manufacturer, Wyeth, has privacy policies that approach the recommended readability level that Graber, D'Allessandro, and Johnson-West (2002) outline in accordance with the Flesch scale. Using the Gunning-Fog scale, two companies, Aventis and Pharmacia, have policies that someone with only two years of a high school education might understand.

Discussion

The U.S. government is committed to protecting health information. Congress developed the HIPAA regulations in recognition that “advances in electronic technology could erode the privacy of health information” (Department of Health and Human Services 2003, p. 32). Although HIPAA does not currently extend to DTC branded-drug Web sites, the rules for information collection and usage described in HIPAA should alert the pharmaceutical industry that it is important to protect consumers' health information and inform them of Web site policies regarding information collection and usage.

This study of privacy notices from 94 different DTC branded-drug Web sites found that privacy notices provide adequate disclosures of the types of information collected and intended uses of the information, but they provide insufficient information on security of collected data, postcollection access of information by site visitors for review and revision, and consumer choice on how the information is used.

At DTC branded-drug Web sites, visitors often receive information about a drug during an interactive exchange. For example, an interactive feature at the Celebrex Web site allows visitors to click on a picture of a body to indicate where they have joint pain (e.g., a knee, a shoulder). This leads visitors to information about that specific body area, while providing the drug manufacturer with a tally of the types of pain that visitors experience. Therefore, information about the drug becomes connected to information about the user. At other places on the site, visitors provide their personal information to receive written information or a free trial. The information about pain, collected anonymously, can be connected with identifiable information that can then be placed in an information database, which may or may not be sold to outside companies. The health information provided by the site becomes linked to personal visitor information in the information exchange.

This exchange is not problematic if people believe that this information is being safeguarded by pharmaceutical companies. However, given this study's findings, sites rarely indicate that any safeguards are in place, and they rarely provide consumers with choices about how their information is used. Until these privacy notices become more compliant with FTC FIPs, consumer decision making with respect to providing information at these Web sites is not being facilitated. The FDA should work with the FTC to consider how to integrate HIPAA policies into guidelines for DTC promotions on the Internet.

It is also important that site visitors change established behaviors and actually read the privacy notices before providing information at DTC branded-drug Web sites. The FDA should instruct Web sites to notify visitors about this information exchange. For example, sections of Web sites that provide fill-in forms could have a brief statement outlining the privacy policy so that consumers could make an informed decision at the time of information collection. For example, visitors completing the online form to request a free trial of Celebrex might first read the statement, “Please read our privacy policy to learn how we use the information you will be providing to us”; the site might then provide a link to the privacy notice. For other types of collection, such as the feature that allows visitors to click on the body part that is causing them pain, sites might provide a pop-up box reminding visitors to read the privacy notice.

In February 2004, the FDA issued a strategic plan for DTC branded-drug messages in print and broadcast; this plan included a change in regulations that would revise the nature and scope of the risk information currently provided in DTC branded-drug advertising to make this information more easily understandable and consumer friendly (FDA 2004). However, this strategic plan did not address DTC presence on the Internet. The FDA's desire for consumer-friendly language should extend to DTC branded-drug Web sites' privacy policies. In its regulation for DTC advertising, the FDA insists that advertisements contain consumer-friendly language. This policy, reiterated in the draft guidance aiming to improve health information, has the goal of increasing consumer understanding of key risks of drugs. Likewise, the FDA should also encourage Web sites to use consumer-friendly language so that consumers can understand risks associated with the transmittal of information.

Many sites insist that visitors provide personal information to access certain types of information located only in special sections of the Web site. This type of data collection serves to penalize people who choose not to provide their personal information by blocking their access to information that is not readily available anywhere else. For example, the Allegra Web site targets people who suffer from allergies and offers rebates, pollen forecasts, and free e-mail access to medical professionals for those who register. The Web site for the drug Amaryl targets people with diabetes and provides a blood glucose diary and access to a diabetes library and healthy lifestyle programs. These sites do not offer offline ways to access this information, even if the visitor would be more comfortable providing his or her personal information over the telephone or in written form. The FDA mandates both online (i.e., Web) and offline (e.g., toll-free number) access to full prescribing information about advertised drugs; encouraging alternative ways to access this “special” information would appear to support the spirit of this regulation on the Web. Thus, pharmaceutical companies should provide ways for consumers to access specialized information without having to compromise their own privacy, such as providing access to such sites without registration, allowing “visitor” status for an initial visit to such sites, and providing this information offline at specific clinics or doctors' offices.

Most important, the FDA needs to increase its level of scrutiny on DTC Web sites not only to evaluate the information about drugs that these sites provide but also to examine the privacy notices for compliance with the FIPs and to ensure that privacy notices are accessible and readable. This might require working together with the FTC to develop an evaluation system for Web sites. In addition, consistent monitoring of DTC branded-drug Web sites to ensure continuous compliance is recommended. Currently, the FDA evaluates branded advertising in broadcast and print media, but it does not review DTC branded-drug Web sites unless a complaint is filed.

As with all content analyses of any type of policy notices, this study is limited in that it measures only what the DTC branded-drug Web sites claim that their practices are, not what they really implement. It also does not consider another category of Web sites provided by pharmaceutical companies: Web sites that offer information only about the condition that a drug treats, not about the drug itself. In addition, it does not address the actual usage of such sites by online consumers. Further research can evaluate actual consumer interaction with such sites and assess how the sites' privacy notices affect such activities.

In summary, DTC branded-drug Web sites are a valuable source of information to many people who are interested in learning more about medical conditions and the drugs that treat them. Given this, the FDA must acknowledge that these Web sites are as important as other DTC messages in traditional media, such as television and magazines. The FDA must examine information on these sites just as it examines promotional information in other media. However, pharmaceutical companies must also work with the FTC to examine information collection practices because in many cases, information collection is part of the delivery of health information. Drug companies and government agencies must ensure that visitors find and understand such notices, either through on-site announcements or through a public education campaign. Given the increasing importance of these sites to consumers, the increase in marketing budgets that companies allocate to these sites, and consumers' continued concern about the privacy of their health information, both the FDA and the FTC must do all they can to help consumers make the right decisions about the types of information they provide to DTC sites.

References

Adkinson

William F.

, Eisenach

Jeffrey A.

, and Lenard

Thomas M.

(2002), “Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites,” (accessed July 23, 2005), [available at http://www.pff.org/issues%2Dpubs/pubs_search_results.as].

Aikin

(2002), “Direct to Consumer Advertising of Prescription Drugs, 1999–2002: Preliminary Patient Survey Results,” research report, Division of Drug Marketing, Advertising, and Communications, Food and Drug Administration, (June 18).

Anderson

James G.

(2004), “Consumers of E-Health,” Social Science Computer Review, 22 (2), 242–48.

Andrade

Eduardo B.

, Kaltcheva

Veltitka

, and Weitz

Barton

(2002), “Self-Disclosure on the Web: The Impact of Privacy Policy, Reward, and Company Reputation,” in Advances in Consumer Research, Vol. 29, Susan M. Broniarczyk and Kent Nakamoto, eds. Valdosta, GA: Association for Consumer Research, 350–53.

Barlett

Donald L.

, Steele

James B.

, Karmatz

Laura

, Kiviat

Barbara

, and Levinstein

Joan

(2004), “Why We Pay So Much for Drugs,” Time, (February 2), 45–52.

Bell

Robert A.

, Kravitz

Richard L.

, and Wilkes

Michael S.

(2000), “Direct-to-Consumer Prescription Drug Advertising, 1989-1998: A Content Analysis of Conditions, Targets, Inducements, and Appeals,” Journal of Family Practice, 49 (4), 329–35.

Department of Health and Human Services (2003), “Standards for Privacy for Individually Identifiable Health Information,” in Code of Federal Regulations, Vol. 45, § 160.

Drummy

William M.

Jr. (2002), “A Fine Line,” (October 1), (accessed July 20, 2005), [available at http://www.pharmexec.com].

Dupuits

Francois M.H.M.

(2002), “The Effects of the Internet on Pharmaceutical Consumers and Providers,” Disease Management and Health Outcomes, 10 (11), 679–91.

10.

FDA (2004), “Guidance for Industry: Brief Summary: Disclosing Risk Information in Consumer-Directed Print Advertisements,” (accessed March 3, 2005), [available at http://www.fda.gov/cder/guidance/5669dft.pdf].

11.

Flesh

Rudolph

(1979), The Art of Readable Writing. New York: Harper and Row.

12.

FTC (1998), “Privacy Online: A Report to Congress,” (accessed July 26, 2005), [available at http://www.ftc.gov/reports/privacy3/index.htm].

13.

FTC (2000), “Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress,” (accessed July 26, 2005), [available at www.ftc.gov/reports/privacy2000/privacy2000.pdf].

14.

Graber

Mark A.

, D'Alessandro

Donna M.

, and Johnson-West

Jill

(2002), “Reading Level of Privacy Policies on Internet Health Web Sites,” Journal of Family Practice, 31 (7), 642–45.

15.

Harris Interactive (2002), “Internet as Health Information Resource,” Health Care News, (June 11), 1–2.

16.

Hochhauser

Mark

(2003), “Why Patients Won't Understand Their HIPAA Privacy Notices,” (April 10), (accessed July 20, 2005), [available at http://www.privacyrights.org/ar/HIPAA-Readability.htm].

17.

Hoy

Mariea

and Phelps

Joseph

(2003), “Consumer Privacy and Security Protection on Church Web Sites: Reasons for Concern,” Journal of Public Policy & Marketing, 22 (Spring), 58–70.

18.

Institute of Educational Sciences (2003), “Readability Formulas,” University of Memphis, (accessed July 25, 2005), [available at http://cohmetrix.memphis.edu/cohmetrixpr/readability.html].

19.

King

Maia M.

, Winton

Alan S.W.

, and Adkins

Angela D.

(2003), “Assessing the Readability of Mental Health Internet Brochures for Children and Adolescents,” Journal of Child and Family Studies, 12 (1), 91–99.

20.

Kisely

Stephen

, Ong

Greg

, and Takyar

Ashish

(2003), “A Survey of the Quality of Web Based Information on the Treatment of Schizophrenia and Attention Deficit Hyperactivity Disorder,” Australian and New Zealand Journal of Psychiatry, 37 (2), 85–91.

21.

Liebman

Milton

(2002), “For Online Privacy Compliance, HIPAA Rules,” Medical Marketing and Media, (May), 35.

22.

Macias

Wendy

and Lewis

Liza Stavchansky

(2003), “A Content Analysis of Direct-to-Consumer (DTC) Prescription Drug Web Sites,” Journal of Advertising, 32 (4), 43–56.

23.

Martin-Facklam

Meret

, Kostrzewa

Michael

, Martin

Peter

, and Haefeli

Walter

(2004), “Quality of Drug Information on the World Wide Web and Strategies to Improve Pages with Poor Information Quality,” British Journal of Clinical Pharmacology, 57 (2), 80–87.

24.

McKillen

Dan

(2003), “Web Watch,” Medical Marketing and Media, (February), 30–31.

25.

Metz

(2001), “What They Know,” PC Magazine, (November 13), 104–118.

26.

Milne

George R.

and Culnan

Mary

(2002), “Using the Content of Online Privacy Notices to Inform Public Policy: A Longitudinal Analysis of the 1998–2001 Web Surveys,” The Information Society, 18 (5), 345–59.

27.

Milne

George R.

and Culnan

Mary

(2004), “Strategies for Reducing Online Privacy Risks: Why Consumers Read (or Don't Read) Online Privacy Notices,” Journal of Interactive Marketing, 18 (3), 15–29.

28.

Miyazaki

Anthony D.

and Fernandez

Ana

(2000), “Internet Privacy and Security: An Examination of Online Retailers,” Journal of Public Policy & Marketing, 19 (Spring), 54–61.

29.

O'Connor

Peter

(2003), “What Happens to My Information if I Make a Hotel Booking Online: An Analysis of Online Privacy Use, Content and Compliance by International Hotel Companies,” Journal of Service Research, 3 (2), 4–28.

30.

Oermann

Marilyn H.

and Wilson

Feleta L.

(2000), “Quality of Care Information for Consumers on the Internet,” Journal of Nursing Care Quarterly, 14 (4), 45–54.

31.

Pew Internet and American Life Project (2000), “The Online Health Care Revolution: How the Web Helps Americans Take Better Care of Themselves,” (November 26), (accessed July 20, 2005), [available at http://www.pewinternet.org/reports/reports.asp?Report=26&Section=ReportLevel1&Field+level1ID&ID=88].

32.

Princeton Survey Research Associates (2002), “A Matter of Trust: What Users Want from Web Sites. A Report on Consumer Concerns About Credibility of Web Sites,” (April 16), (accessed July 20, 2005), [available at http://www.consumerwebwatch.org/news/1.abstract.com].

33.

Quality Letter for Healthcare Leaders (2001), “Many Worried About Dissemination of Online Health Care Data,” 13 (1), 15.

34.

Ryker

, Lafleur

, Cox

, and McManis

(2002), “Online Privacy Policies: An Assessment of the Fortune e-50,” Journal of Computer Information Systems, 42 (4), 15–20.

35.

Sheehan

Kim Bartel

(2003), “Balancing Acts: An Analysis of Food and Drug Administration Letters Regarding Direct-to-Consumer Advertising Violations,” Journal of Public Policy & Marketing, 22 (Fall), 159–69.

36.

Sheehan

Kim Bartel

(2004), “How Public Opinion Polls Define and Circumscribe Online Privacy,” First Monday, 9 (July), [available at http://firstmonday.org/nextissue/sheehan/index.html].

37.

Thomaselli

Rich

and Elkin

Tobi

(2003), “Web Thrives as DTC Platform,” Advertising Age, 74 (45), 21.

38.

Wilkes

Michael S.

, Bell

Robert A.

, and Kravitz

Richard L.

(2000), “Direct-to-Consumer Prescription Drug Advertising: Trends, Impact, and Implications,” Health Affairs, 19 (March–April).

39.

Worah

Vashist

and Bimbraugh

Niklul

(2004), “Guide to DTC Pharmaceutical Advertising on the Internet,” Owen Graduate School of Management, Vanderbilt University, [available at http://66.102.7.104/search?q=cache:FeVEQegd_B0J:elab.vanderbilt.edu/research/papers/pdf/student_projects/DTC_Pharmaceutical_Advertising.pdf+fda+dtc+internet&hl=en].

40.

Wray

Donna

(2004), “Driving Efficient DTC Online: A Marketer's Toolkit,” DTC Perspectives, 3 (1), 62–66.