When we hear Facebook is monetizing the personal information of its members without their knowledge, we react with indignation. When we read that Google reads all of our email for keywords, we are offended.
And, when we understand that Alexa is listening to us all the time, we wonder if there’s any part of our lives that is safe from invasion.
My question to you is: Do we need laws to affirm that these are intrusions into our privacy or do we inherently understand that these practices are just plain wrong and never should have been undertaken in the first place?
I ask because with the full implementation of the California Consumer Privacy Act (CCPA) in January 2020 (actually parts of the law took effect this January), our colleagues in healthcare marketing are asking us:
- What are the implications of the law?
- What kind of consent does it require and for what kinds of practices?
- Is California “GDPR lite”? Is it “Intro to GDPR” with a second act to follow?
While all of these questions are absolutely pertinent, we will not know if our conjectures are correct until the law is implemented, potential violations charged, and decisions ruled on. In addition to the CCPA, other states and the federal government are working on and passing similar legislation, compounding the questions around how to handle healthcare marketing data.
What is the right thing to do in how we treat the personal information of others?
Every company and institution is making its best efforts to “engage its healthcare professional clients,” win their loyalty and the favor of their choices every day. We need to be ready to respect their personal information in the process without a law that requires us to do so. We need to respect the personal information of our most important audiences – those physicians and consumers who enter into a relationship with us by way of our products and services.
For those custodians of personal information who are not ready to respect the rights and sensitivities of others, there is a new term to describe their practices – it is called “ethics washing.” It means that a custodian of personal information goes through the motions of pretending to care; they make the symbolic representations and talk about their “processes and safeguards” but in fact do nothing to threaten their business model or cost structure of doing business. Before we cast stones at Facebook and Google for doing that, we should each have a reckoning with the practices of our own companies and organizations.
Recently, one of my DMD colleagues shared with me a conversation with a client who said that s/he would pay attention to the CCPA after someone had first been fined for violating it. I found that statement to be a refreshing, truthful approach to the current “to be determined” legal environment.
Oftentimes, ethics washing covers up a gap between personal information principles and information practice.
Due to lack of regulation thus far, data vendors such as DMD are not held accountable to any real standards. Representations about information practices are taken at face value without any verification. DMD defines our processes such that they can be independently verified.
And, while we wish to believe that everyone is as truthful in their processes, if highly visible and regulated companies such as Facebook, Google, and Amazon can work around personal information principles, how likely is it that niche industry companies will hold themselves to a higher standard?
How much do we need a law to tell us what is the right thing to do?
At the moment, 16 states have personal information privacy bills before their state legislatures. The New York law is substantially stronger than the CCPA in that it permits a direct action by a private person who does not have to first make a case to the state attorney general. Proposed legislation is moving ahead in Texas. If these pending bills pass, then the three most populous states in the U.S. will have passed some form of personal information protection.
There is a gap between personal information principles and information practice.
No doubt, some of our esteemed colleagues in healthcare marketing will be waiting for the first company to be caught and punished before doing more than superficial ethics washing.
Again I ask you, we who work to engage and build relationships with healthcare professionals and consumers, how much do we need a law to tell us what is the right thing to do?