Lloydspharmacy vows to take action after media reports of customer data breach
Lloydspharmacy has launched an investigation following claims in the media that it shared customer data with TikTok and Facebook for targeted advertising, it has confirmed to C+D.
A joint investigation by the Guardian and Radio Sweden into online pharmacy websites found that customer data was being collected on specific symptoms used in search terms and products added to online shopping baskets, the news outlet alleged this weekend (April 15).
Lloydspharmacy was one of hundreds of pharmacies across Europe found to have been using tiny pieces of computer code or “pixels” embedded into checkout pages that can share personal information with the social media companies, according to the Guardian.
As well as information about the products being selected, the pixels were in some cases included in the websites' search results, which could give the social networks an insight into customers’ specific symptoms, the newspaper alleged.
These pixels are also able to share personal information such as customers’ names and phone numbers with the social media companies, according to the Guardian.
Lloydspharmacy told C+D yesterday (April 18) that it takes the issues raised by the investigation “very seriously”.
A spokesperson said: “We are currently undertaking an investigation and will take appropriate steps when more details are known.”
Scope of media investigation
According to the Guardian, one test carried out by journalists saw the pixels “collect exact search terms” entered on Lloydspharmacy’s website as well as the products added to the customer’s basket, which the paper said included Viagra, thrush cream and a chlamydia test.
Monitoring network traffic made it “possible to see those terms being sent to the social media companies”, the news outlet reported.
“In the checkout process, both the Facebook and TikTok tracking pixels collected the email address of the user. [Lloydspharmacy] also sent Facebook the user’s first and last name, while it sent TikTok their phone number,” the Guardian claimed.
The journalists who carried out the investigation claimed that “explicit consent” for sharing the data had not been given at any point and that “there was no option to turn off the transmission in the cookie disclosure”.
The investigation found that over 200 online pharmacies across Europe carried the advertising pixels from Facebook, TikTok or both on their websites, the Guardian said.
But it claimed that a closer look at the largest pharmacies revealed only Lloydspharmacy was “sending sensitive medical information, as well as personally identifiable data, to TikTok specifically”.
The newspaper also alleged that the TikTok pixel was completely removed from Lloydspharmacy’s website “shortly after” the multiple was contacted for comment.
Meanwhile, the Facebook pixel was “updated to only operate after the user accepts cookies”, it claimed.
But in a comment to the Guardian, Lloydspharmacy said that the change was not due to the inquiry but a result of “the transition of its IT systems to the Hallo Healthcare Group” earlier this month.
Sensitive data should not be collected
TikTok told C+D that pixels should not be used to send the social media giant “sensitive data, including personal health information”, which it said would constitute a breach of its terms.
TikTok “continuously” works with companies to stop the “inadvertent transmission of such data”, a spokesperson said.
They commented: “Like other platforms, the TikTok pixel is used by advertisers to measure the effectiveness of their ads, show ads to users who have visited their website, and help optimise campaigns based on specific signals that advertisers have chosen to send to us.”
Meta, the company behind Facebook, said that if a business sends potentially sensitive data, which may in some cases happen in error, the platform’s filtering mechanism is designed to remove it before it is stored in advertising systems.
A spokesperson for Meta said: “Advertisers should not send sensitive information about people through our business tools.
“Doing so is against our policies and we educate advertisers on properly setting up business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”