Protecting cancer victims from ad tech

How ad tech companies (and the marketers and publishers that enable them) use our most sensitive, personal information against cancer victims and their families.

Protecting cancer victims from ad tech

My mother-in-law was diagnosed with Stage IV cancer a couple of weeks ago. It was a huge shock to her and to the family. While we wait for the DNA testing results on her tumor (dear Medicare: your rule that DNA tests can't be sent for 14 days after discharge from the hospital is ridiculous), the oncologist prescribed Keytruda.

I spent some time researching Keytruda to understand the side effects and treatment options. Today I got this ad on Twitter:‌

From a marketer perspective, this ad is completely useless. The doctor already prescribed Keytruda. In addition, my mother-in-law doesn't have lung cancer.

From a publisher perspective, this ad ruined my Twitter experience. The last thing I want when I am looking for some good old-fashioned social nonsense is a reminder that my mother-in-law has to go in for treatment tomorrow. I don't know what Merck is paying Twitter for this, but it's not enough.

From a consumer perspective, this is so incredibly creepy I can't even start talking about it. Did Merck seriously drop a cookie on me when I went to their site?‌

Great experience here: the very first thing they ask me when I visit their site is whether they can target me. Let's "customize my settings" and see if my privacy choice is really important to Merck. I have to click into "targeting cookies" and of course the default is active.‌

Let's click on that hard-to-notice "Cookies Details" and see what they are doing. Wow - there are so many people tracking me that they need a search bar. This was such a long list I had to record a video of all the cookies. It's not pretty.‌

Scrolling through the Keytruda privacy policy

What Merck (the marketer) should do

I know they would never do this, but imagine that Merck had a Keytruda Store in the middle of Soho. When you walk in, a kind person comes up and says "Hi there - I know this is probably the last place in the world you want to be. Let's go to my private office and talk about what's going on."

The current experience on is about the opposite of that. I was tracked, targeted, and profiled before I scrolled past the title. There was no acknowledgement of my emotional experience or needs; no respect for my privacy; no concept of creating a relationship or connection.

The Keytruda website should be completely private in every regard. I bet that the Merck team calls it the "Keytruda marketing site." Stop that right now. This is the Keytruda experience - the only direct connection you have with your customers and their families - and you are going to infuse every step of this journey with respect.

If Merck had treated me with respect, I might have trusted them with a little bit of information. I would have clicked a button that said "No, I don't have cancer, a loved one does". I would have shared the type of cancer, that she has already been prescribed Keytruda, and that I wanted to understand possible side effects. I would probably have given them my email so that they could send me more information.

Instead, Merck gave me one more reason to distrust pharmaceutical companies, to feel destabilized, to worry about the choice to give my mother-in-law this drug.

How regulators should address this

Consent should be opt-in, specific, and non-transferable.

By specific, I mean that the consumer should be told exactly what data is being shared. In the Keytruda example above, I am told that they are setting all of these cookies... but what exact information is going into them? For instance "We are telling this ad network that you are actively researching cancer treatments."

By non-transferable, I mean that the only companies that should use my data are those listed on this form. The fact that I saw a targeted ad on Twitter without any consent is very problematic. Reciprocally, any use of data should include clear provenance, meaning that Twitter should be required to tell me where they got the data used to target me. This allows me as a consumer to correct or remove this data, or remove my consent, if I so choose.

Sensitive personal data, especially anything connected to medical history or interest, should be held to a higher standard.

  • No blanket consent for sensitive data. You must explicitly execute a consent agreement with each entity that will receive access to sensitive personal data
  • Sensitive data may not be used for marketing or advertising purposes
  • Sensitive data may not be sold or transferred to or by data brokers (people are not products, privacy is a human right, why do data brokers even exist?)

If anyone in the privacy universe is interested in talking about these ideas (and others) please let me know...

What Twitter (the publisher) should do

Twitter didn't show up on that list of approved third-parties for cookie purposes. This probably means that LiveRamp matched my cookie to PII, then matched that to Twitter's PII, allowing Merck to target me on Twitter. (If you're not an ad tech nerd, that just means "they used an intermediary to get consent and share my data")

Twitter should add a "why did I see this ad" feature that can track back to the Keytruda website, possibly even with the ability to remove the cookie or tracking information that caused the ad to be shown. I think this would be an interesting thought experiment for the Twitter ads team: how often is this even possible?

Twitter should also require that Merck - and all marketers - ask for explicit consent before sharing data through an intermediary. This is more transparent for the consumer and probably reduces liability for all parties.

Closing thought

I use Safari, which supposedly doesn't allow third-party cookies.

Safari privacy report for

The fact that I am still getting tracked and targeted is problematic. The fact that I don't know why, or by whom - even as a 15-year veteran of ad tech - is unbelievable.

Anyone who thinks that Chrome turning off third-party cookies is going to fix this problem is naive. Ad tech solutions aren't going to solve ad tech problems.