GettyImages-512015968
A class-action lawsuit claims Facebook is illegally informing its ads with data from cancer-related websites. sean gallup/getty images

Does Facebook think you have cancer? The social network has an unparalleled view of its users’ interests, in part because of the ubiquitous “like” button, which allows Facebook to track its 1.5 billion users around the web when they’re logged in, which is pretty much all the time.

That feature also allows Facebook to target advertising based on those interests with unnerving detail. That’s what the plaintiffs in a new class-action discovered when they started getting very specific ads addressing certain types of cancer after visiting websites like cancer.org, cancer.net, melanoma.org, shawneemission.org, barnesjewish.org, clevelandclinic.org and MDAnderson.org.

The case, filed last month in federal court in San Jose, California, alleges that Facebook is capturing medical information via online searches performed on those sites, and that that information was then used to target those users based on a condition, breaking the Federal Wiretap Act, the Health Insurance Portability and Accountability Act as well as several state privacy laws.

“Facebook is capturing users’ searches for medical information from medical websites without users ever knowing this sensitive data is being shared with Facebook, for marketing and other purposes,” Paul Kiesel, the lead attorney for the case, told International Business Times.

Kiesel has been a thorn in Facebook’s side before. Named one of “America’s 12 Techiest Lawyers” by the American Bar Association Journal in 2015, Kiesel sued Facebook back in 2012 for its advertising targeting practices. That suit was dismissed by U.S. District Judge Edward J. Davila in San Jose, who ruled last year that the plaintiffs failed to “adequately connect” the value of the data “to a realistic economic harm or loss,” according to Bloomberg.

Kiesel amended that case after the dismissal and refiled it to the court. “Much like the Monty Python skit, we aren’t dead yet,” Kiesel told International Business Times.

paul kiesel
Named one of "America's Most Techie Lawyers," Paul Kiesel (center) runs a consumer litigation firm, Kiesel Law LLP, which specializes in class-action lawsuits. KIESEL LAW LLP

While this case is similar, he says the data breached is more private and the impact to Facebook users more serious. “This is a far more dangerous case as it relates to the individual side of privacy,” he said.

The suit has drawn the notice of some big privacy advocates, who say this case could put the whole ad targeting industry on trial, especially the use of health-related data. It’s a case that some privacy advocates have been “waiting for,” Deborah Peel, founder of nonprofit Patient Privacy Rights, said. “We’ll do everything we can to help promote it.”

Facebook said the company plans to dispute the claims and declared that the basis of the case is not valid. “This lawsuit is without merit and we will defend ourselves vigorously,” a Facebook representative told IBT.

Part of the reason privacy advocates say this suit is explosive is the allegation that medical data was transferred, a violation of the Health Insurance Portability and Accountability Act, or HIPAA. The HIPAA violation comes from capturing medical information without gaining the person’s permission. The websites Adventist, Barnes Jewish, Cleveland Clinic and MD Anderson are “covered entities” governed by HIPAA, the case claims.

But there’s a gray area in the proof of that transmission. The websites do not explicitly state that there is a Facebook plug-in on their website and that they transmit tracking information to Facebook, Kiesel notes in his case. And that’s part of the problem, he alleges; the defendants do not fully disclose their data practices.

“The new complaint is likely not going to get thrown out like the last ones. They have a HIPAA violation that could stick,” Pam Dixon, executive director of World Privacy Forum, a public interest research group, wrote in an email. For someone to pull this information, they must “express consent, and it can’t be passive consent.”

Two of the medical facilities named in the suit responded to queries from IBT. A representative for the University of Texas MD Anderson Cancer Center said “we do not knowingly or intentionally transmit protected health information to Facebook or other social media platforms in contradiction of our Privacy Policy.”

The Melanoma Research Foundation said it “takes privacy very seriously and is confident this suit is without merit.”

Not all medical information is protected under HIPAA. It must be personally identifiable. For instance, sending a Christmas card to a doctor would be personal health information. But what you search for on the internet is not necessarily equivalent to your medical history. And yet if the data is transmitted back to Facebook and matched with an identity, then it is identifiable, at least to Facebook.

The claims can also make a compelling story before a jury. “HIPAA does add an interesting element and kind of a new element. There’s the addition of sensationalized events, and the tales he’s able to tell that are going to be very compelling,” said Kate Klonick, a Ph.D. candidate at Yale Law School and a resident fellow at the Information Society Project.

The lawsuit claims that Facebook places more than 225 million users into 154 medical categories for direct marketing. Facebook declined to comment on its ad categories or if these 154 medical categories exist.

facebook hiv
An exhibit from the lawsuit shows how advertisers on Facebook select "Diagnosis of HIV/AIDS" as a keyword.

Nowhere in Facebook’s privacy policy or terms of use is “health” or “medical” specifically stated. The privacy policy does say that Facebook can receive information from other websites and apps that work with Facebook, such as having a “like” button, log-in or ad service.

Facebook explains on another page that the information it collects can be used for advertising, and only after it “has been aggregated with other data collected from other advertisers or otherwise collected on Facebook and (ii) not allow other advertisers or third parties to target advertising solely on the basis of Event Data collected from your website or mobile app.”

Facebook creates “affinity groups” for its users, which are categories such as music genres or causes that Facebook, through its data tracking, believes the users will be interested in and respond well to the corresponding topics in an ad. The American Cancer Society, for instance, could target ads for an upcoming cancer awareness walk based on people who have “liked” breast cancer posts or visited related websites.

After a Facebook user sees an ad, they are empowered to turn it off. Clicking on a gray arrow in the post will allow users to click “Why am I seeing this?” and also select “Hide Ad,” which will affect the user’s backend profile for future ad targeting.

facebook privacy
Facebook created the "privacy dinosaur," a guide for users to navigate privacy checkups while using the social network, in 2014.

Users also are empowered to turn off all advertising that is based on the use of websites and apps, by going here, clicking on “Choose Setting,” and selecting “Off.”

But there is no way for someone to see if they are in a “cancer” affinity group in the first place. “We’ve been hearing this complaint for a while,” Dixon said. “We tell everyone you must log out of Facebook, remove your history so this doesn’t happen you. ... Where the information goes, it’s not completely transparent.”

Update 6:15 p.m. ET: Facebook sent IBT a more detailed statement after publication. "We take privacy very seriously and comply with applicable laws related to the collection and use of personal information. Our policies state clearly that companies' websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services," a Facebook representative said.