Editorial
Regulated for Medicine, Unregulated for Data: What Pharmacies Do With Your Consent
Key Points:
- Pharmacies operate in one of the world’s most tightly regulated industries, yet many still fail to respect basic online consent choices.
- A joint study by Ghostery and Verified Data found that pharmacies in Europe and the United States continued loading trackers even after users explicitly rejected consent.
- Despite directly contacting pharmacies, sharing findings, and offering support before publication, none of the organizations engaged with the findings.
Healthcare is built on trust.
Every medication, prescription, dosage, and manufacturing process is subject to strict oversight. In both Europe and the United States, pharmaceutical regulation exists for a reason: mistakes can have life changing consequences.
Similarly, healthcare data is protected by the Health Insurance Portability and Accountability Act (HIPAA). But standards appear far less rigorous when it comes to digital data collected by healthcare websites.
That contradiction became impossible to ignore during a recent study conducted by Ghostery.
Across online pharmacies in Europe and the United States, we tested a simple question:
What happens after a user explicitly rejects tracking and data collection?
Users said “no.” Their data was still shared in most cases.
Two things surprised me most during this study: how often tracking continued despite explicit rejection of consent, and how fruitless our attempts to responsibly report the findings ultimately were.
— Philipp Claßen, Ghostery
The Privacy Paradox in Healthcare
Healthcare is one of the most heavily regulated sectors in the world.
Medicine is regulated to the milligram. Clinical procedures undergo years of validation. Packaging, storage, labeling, advertising, and prescriptions are all carefully controlled.
Patients naturally assume that companies handling medication and health related products would apply the same seriousness to protecting personal data. After all, online pharmacies may process information connected to illnesses, treatments, medications, mental health, sexual health, fertility, chronic conditions, or addiction related products.
This is not ordinary browsing behavior.
Health related data is among the most sensitive categories of personal information that exists.
Yet many pharmacy websites still rely on complex ecosystems of analytics scripts, advertising tools, consent management platforms, and third party integrations that continue collecting information even when users explicitly opt out.
Whether caused by negligence, poor implementation, lack of oversight, or overreliance on third party tooling, the outcome remains the same:
Users who said “no” were still tracked.
Why This Matters Far Beyond Advertising
Privacy violations in healthcare are not abstract technical issues.
The consequences can be deeply personal.
Health related browsing data can reveal pregnancy concerns, chronic illnesses, mental health struggles, sexual orientation, ethnicity, and medication usage patterns. Combined with advertising ecosystems and data brokerage practices, this information can potentially be used for profiling, targeting, or discrimination.
The risks are not theoretical.
One of the most widely discussed recent scandals involved GoodRx, which was targeted by the U.S. Federal Trade Commission for sharing sensitive health related information with advertising companies including Facebook and Google. According to the FTC, the company shared data connected to medications and health conditions despite promising users their information would remain private.
Another major investigation by The Markup revealed that hospital websites were transmitting potentially sensitive patient information to Facebook through Meta Pixel integrations.
Concerns intensified further after the overturning of Roe v. Wade in the United States. Investigations and reporting from outlets including The Guardian and Reuters highlighted growing fears around reproductive health data, online tracking, and the possibility of sensitive digital information being used in legal investigations.
In 2024, European pharmacies also came under scrutiny over sensitive data sharing practices. The Swedish Data Protection Authority fined pharmacy operators Apoteket and Apohem millions of euros after sensitive customer information was transmitted to Meta through the company’s “Automatic Advanced Matching” feature. According to the regulator, the shared data was capable of revealing highly sensitive information, including health conditions, medication interests, and sexual health related purchases.
Features such as Meta’s “Automatic Advanced Matching” go far beyond traditional cookies by attempting to create highly persistent identifiers based on personal information collected directly from websites. Privacy advocates increasingly view these techniques as a workaround for the decline of third party cookies and among the most invasive forms of digital tracking currently in use.
Against that backdrop, pharmacy tracking is no longer “just advertising.”
Patients should not have to wonder whether researching medication or managing a health condition quietly feeds advertising profiles and third party tracking systems behind the scenes.
To better understand how widespread these practices may be, we conducted our own consent compliance audit across major online pharmacies in Europe and the United States.
How We Conducted the Study
Together with Verified Data, we conducted consent compliance audits across pharmacy websites in Europe and the United States.
The audit process followed a consistent four step methodology designed to simulate real user consent choices and monitor whether tracking activity continued afterward.

The methodology was intentionally straightforward.
European Pharmacies
For European pharmacies, automated audits were conducted from servers located in Germany within the European Union using a reject-all consent state.
This meant simulating a user who explicitly selected the reject-all option on the displayed consent banner and thereby opted out of tracking and data collection. The audit tool then continued browsing each website (scrolling, clicking buttons and links, and starting any videos) and monitored whether requests associated with analytics, advertising, or tracking technologies were still transmitted afterward.
The legal framework for these audits is the General Data Protection Regulation (Articles 6(1)(a) and 7) together with the ePrivacy Directive (Article 5(3)). If tracking requests continued despite the rejected consent choice, these instances were classified as violations.
United States Pharmacies
For U.S. pharmacies, automated audits were conducted from servers located in California, USA. These audits simulated a user expressing an opt-out through the legally recognised Global Privacy Control (GPC) signal.
The legal framework for these audits is the California Consumer Privacy Act § 7025 (formerly § 999.315). When a browser sends the GPC signal, companies must treat it as a valid, binding request to limit data processing, just as if the user had clicked a "Do Not Sell My Information" link, including by disabling third-party tracking, targeting cookies, and data sharing.
The audit tool simulated a visitor browsing each website (scrolling, clicking buttons and links, and starting any videos). If websites continued transmitting requests that should have been disabled by the opt-out, these cases were classified as violations.
In practice, the study tested the simple question:
Would pharmacies respect users saying “no”?
In most cases we tested, rejected consent choices failed to prevent continued tracking activity.
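The classification step described above, as an added example that is not Ghostery's or Verified Data's audit tooling: given the requests captured after a simulated consent choice ("reject-all" for the EU runs, the Sec-GPC: 1 header for the US runs), every request to a known tracker host that is still sent counts as a violation. The tracker host list, the site names and the request captures are constructed for illustration; a real audit would match against a maintained database such as TrackerDB.

```javascript
// Added example (not Ghostery's or Verified Data's audit tooling): classify the
// network requests captured after a simulated consent choice. The tracker host
// list, site names and request logs below are constructed for illustration.

// Illustrative third-party tracking hosts (constructed, non-exhaustive).
const TRACKER_HOSTS = [
  'googleadservices.com', 'doubleclick.net', 'google-analytics.com',
  'facebook.com', 'connect.facebook.net', 'bat.bing.com', 'criteo.com',
];

function hostMatches(host, base) {
  return host === base || host.endsWith('.' + base);
}

function isTrackerHost(host) {
  return TRACKER_HOSTS.some(base => hostMatches(host, base));
}

// Audit one site. `consent` is 'reject-all' (EU banner rejection) or 'gpc'
// (US opt-out expressed with the Sec-GPC: 1 request header). Any request to a
// tracker host that is still sent in either state is recorded as a violation.
function auditSite({ site, consent, requests }) {
  if (consent !== 'reject-all' && consent !== 'gpc') {
    throw new Error(`unsupported consent state: ${consent}`);
  }
  // Sanity check of the capture itself: in a GPC audit the simulated browser
  // must actually have sent the signal, otherwise the capture proves nothing.
  if (consent === 'gpc' && !requests.every(r => r.headers['sec-gpc'] === '1')) {
    throw new Error(`${site}: GPC audit but the capture lacks the Sec-GPC: 1 header`);
  }
  const violations = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (hostMatches(url.hostname, site)) continue; // first-party traffic
    if (!isTrackerHost(url.hostname)) continue;    // e.g. a CDN, not a tracker
    violations.push({ host: url.hostname, path: url.pathname });
  }
  return { site, consent, compliant: violations.length === 0, violations };
}

// Constructed capture for two fictional pharmacies (.example TLD is reserved).
const SAMPLE_AUDITS = [
  {
    site: 'pharmacy-eu.example', consent: 'reject-all',
    requests: [
      { url: 'https://pharmacy-eu.example/api/cart', headers: {} },
      { url: 'https://cdn.pharmacy-eu.example/app.js', headers: {} },
      { url: 'https://www.googleadservices.com/pagead/conversion/?ref=https://pharmacy-eu.example/weight-loss', headers: {} },
      { url: 'https://connect.facebook.net/en_US/fbevents.js', headers: {} },
    ],
  },
  {
    site: 'pharmacy-us.example', consent: 'gpc',
    requests: [
      { url: 'https://pharmacy-us.example/', headers: { 'sec-gpc': '1' } },
      { url: 'https://static.fontcdn.example/fonts.css', headers: { 'sec-gpc': '1' } },
    ],
  },
];

function runAudit(audits = SAMPLE_AUDITS) {
  return audits.map(auditSite);
}

// Headline figure in the form the editorial reports it: how many audited sites
// stopped all tracker traffic after the user said "no".
function summarize(results) {
  const compliant = results.filter(r => r.compliant).length;
  return { audited: results.length, compliant, nonCompliant: results.length - compliant };
}

console.log(JSON.stringify(runAudit(), null, 2));
console.log(summarize(runAudit()));
```

The first-party check deliberately treats subdomains of the audited site as first-party, so a site's own CDN is never counted; what the study's scoring criteria do beyond this binary verdict is in the PDF report, not reproduced here.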
Results: Compliance Risk Across Audited Pharmacies
The findings suggest that, in many cases, consent banners and privacy controls may create the appearance of user choice without consistently enforcing those choices technically.
Only two out of 20 pharmacies audited fully respected rejected consent choices and stopped transmitting tracking related requests afterward. Both compliant implementations were observed among European pharmacies, demonstrating that privacy compliant setups are technically achievable.
The chart below shows the distribution of compliance risk scores across the 20 audited pharmacies included in the study.

The full study methodology, audit framework, scoring criteria, and the complete list of audited pharmacies are available in the appendix of the downloadable PDF report.
What The Tracking Actually Looked Like
In several cases, pharmacy websites transmitted browsing information directly to advertising and analytics companies including Google, Facebook, Microsoft, Snapchat, Yahoo, Criteo, TradeDesk, Amplitude, and Datadog.
These requests can reveal which pages users visit, which products they browse, and potentially what types of health related information they are researching.
One example, with the critical part shown in isolation: forhers.com leaks visited URLs to Google via the ref parameter, for instance:
https://www.googleadservices.com/[...]&ref=https://www.forhers.com/weight-loss&[...]
https://www.googleadservices.com/[...]&ref=https://www.forhers.com/weight-loss/wegovy-pill&[...]
With this information, Google would be able to reconstruct most of the user's browsing activity on that website.
Requests sent to Google’s advertising infrastructure included references to pages related to weight loss browsing activity. This demonstrates that third parties can receive information about the pages users visit while interacting with healthcare related websites.
Some tracking systems also used hashed or obfuscated URL structures instead of plain readable page addresses. While less immediately visible to humans, these identifiers can still function as persistent references to specific browsing activity and may potentially be reverse mapped by the receiving platforms.
We Assumed Good Faith First
Before publishing our results, we chose a collaborative approach.
Ghostery and Verified Data directly contacted all pharmacies in this study twice, across Europe and the United States. We shared our findings privately, in a constructive manner, attached technical reports, and offered to discuss the methodology or underlying audit files in detail.
Our assumption was simple:
Most violations were likely not intentional.
Modern websites are technically complex. Consent management systems can be misconfigured. Third party scripts can behave unexpectedly. Large organizations often rely on multiple vendors and inherited infrastructure that create blind spots over time.
That is exactly why we reached out before publication.
We wanted to give organizations the opportunity to investigate, respond, and correct potential issues.
But despite repeated outreach efforts, none of the pharmacies we contacted engaged meaningfully with the findings. While some organizations sent automated acknowledgements or redirected us to generic privacy request portals, none engaged with the substance of the reports themselves.
That silence raises uncomfortable questions about how seriously consent compliance is actually treated within parts of the industry.
It does not surprise me that online pharmacies face the same consent compliance failures seen across much of the web. What is far more concerning is how few organizations engaged with the findings when given the opportunity to investigate and fix the issues before publication. In a sector built on trust, that level of complacency should concern everyone.
— Brian Clifton, Verified Data
Consent Banners Mean Little If Websites Ignore Them
The broader issue extends beyond pharmacies alone.
Across the modern web, consent banners increasingly create the appearance of control without necessarily guaranteeing meaningful enforcement of user choices.
Users click “Reject All” believing their decision matters and that websites will stop transmitting information about the pages they visit, products they browse, or topics they interact with.
For online pharmacies, that expectation becomes especially important. Browsing activity may indirectly reveal highly sensitive information, including mental health research, medication usage patterns, fertility related searches, sexual health products, weight loss concerns or chronic conditions.
But if tracking continues anyway, consent becomes performative rather than real.
In healthcare related environments, failures to respect those choices become especially serious.
An industry trusted with people’s physical well-being should also be capable of respecting their digital autonomy.
When users say ‘no’ to tracking, that choice should be respected. Modern tracking ecosystems are complex, but respecting user consent must remain a priority.
— Diana Sandu, Ghostery
Why Browser Level Protection Matters
The reality is that users cannot simply assume websites will respect their privacy choices correctly.
When websites fail to respect privacy by default, users increasingly need tools that actively defend their choices. That is precisely why browser level protections matter.
Ghostery includes technologies like Never-Consent, designed to automatically reject tracking requests and express dissent on the user’s behalf. It sends a clear signal to pharmacies and other websites that health related browsing activity and personal information are not consented for tracking, profiling, or monetization.
What Happens Next
We still hope pharmacies will engage constructively with the findings and address unresolved issues proactively.
The goal of this project is not public shaming. It is accountability and improvement in a sector that should set the gold standard for privacy practices.
However, if organizations remain non-responsive and unresolved issues persist, we plan to publish comparative findings across leading pharmacy websites in Europe and the United States.
Transparency matters.
Users deserve to know which companies respect their choices and which do not.
Do You Swallow This Pill?
Online privacy cannot rely solely on regulators, policy announcements, or consent banners that may or may not function as promised.
Users increasingly need to take an active role in protecting themselves online.
That starts with awareness, but it also includes practical protections directly inside the browser you use every day.
For pharmacies, the message is simple:
Respecting consent is not optional. Trust depends on it. While many online pharmacies may intend to do the right thing, they must also take proactive steps to protect customer trust and reduce the risk of litigation or reputational damage.
Independent audit tools such as Verified Data help organizations verify and continuously monitor their websites for consent compliance.
For users, the question is equally direct:
Do you swallow this pill?
Demand transparency. Demand accountability. And do not assume that highly regulated industries automatically protect your privacy simply because they protect your health.
Study Methodology & Sites Audited
The audit study was conducted throughout Q1 2026 using the automated audit tool Verified CONSENT. For full details of the audit methodology and the list of companies included in the study, you can download the PDF report here. No registration is required.
About the Organizations Behind This Study
Ghostery is a privacy technology company best known for its tracker and ad blocking browser extension used by millions worldwide. Founded in 2009, Ghostery develops tools focused on transparency, anti-tracking, and user control over online data collection. Its technologies help users identify, block, and understand the trackers operating behind websites and digital advertising systems, empowering people to take back control over their browsing experience. This study is closely related to TrackerDB, an open-source project that originated from Ghostery's internal tracker database and its open data set, published as WhoTracks.Me since 2017. Soon after the launch in 2023, Verified Data joined as a data partner and is now a main contributor to TrackerDB.
Verified Data is a website privacy compliance audit platform that helps organizations ensure their website data collection aligns with user consent and regulations such as GDPR and CCPA. The platform automates audits of analytics implementations, cookie consent systems, and trackers across websites, helping teams identify compliance issues and improve data quality at scale. Designed for both single websites and enterprise portfolios, Verified Data enables organizations to trust their analytics, reduce uncertainty, and ensure digital data practices reflect users’ choices.