A look at Vienna's doctor websites
Data privacy audit of Vienna doctor websites, showing which cookies and third-party services load without consent and where GDPR risks appear.

Marcello Curto
When you visit a doctor's website, you're usually looking for something specific: Where is the practice located? Can I get an appointment promptly? Does the site appear competent? It is assumed that the interaction will be treated as confidentially as a personal visit to the practice. It would be deeply disturbing if a person inquiring about treatment options found that their inquiries were being routed directly to companies like Google or Facebook. Our study of doctors' online presence revealed alarming insights: Many medical practices share exactly this kind of information - and often much more - when someone visits their website.

Examination method
Our investigation covered the entire directory of medical websites listed by the Vienna Medical Association. On praxisplan.at we found 17,757 doctors, 1,631 of whom had provided a web address. 95 of these URLs were unreachable and had to be excluded from the analysis. The remaining 1,536 websites were examined for their data protection practices with a purpose-built scanning tool.
The tool automatically crawled each homepage and its associated subpages, visiting an average of 25 pages per website. It did not interact with the site in any way; in particular, no cookie banner was accepted or rejected, so everything recorded reflects what a visitor's browser does before any consent decision has been made. Our main focus was cookies and connections established to third parties. In the broad debate about cookies it is often forgotten that third-party connections call for the same caution: merely loading a font, a map tile or a script from another host already transmits the visitor's IP address, browser details and usually the address of the page being viewed to that host.
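To make the method concrete, here is an added example of such an audit crawler in Python. It is not the authors' tool and does not reproduce their figures; the `fetch` callback stands in for a headless browser (returning the page HTML, the cookies present after load and the browser's network log), the site names, page contents, cookie values and request URLs are constructed sample data, the lookup tables are built only from the cookie and host names that appear in this article, and the first-party check is deliberately simplified by letting the caller supply the site's registrable domain instead of consulting a public-suffix list. The network log matters: a crawler that parses HTML alone would see the map embed but not the font files that the map then pulls from fonts.gstatic.com.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Labels for the cookies and hosts named in this article (lookup table built
# from the article's own tables; anything else is reported as "unknown").
KNOWN_COOKIES = {
    "_ga": ("Google Analytics", "consent required"),
    "_gid": ("Google Analytics", "consent required"),
    "PHPSESSID": ("PHP session", "gray area: necessary only if a session is actually used"),
    "XSRF-TOKEN": ("Wix.com", "claimed essential by Wix, questionable"),
    "hs": ("Wix.com", "claimed essential by Wix, questionable"),
}
KNOWN_HOSTS = {
    "fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
    "maps.googleapis.com": "Google Maps", "maps.gstatic.com": "Google Maps",
    "www.google.com": "Google", "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

class _Refs(HTMLParser):
    """Collect resource URLs (script/link/img/iframe) and <a> links from HTML."""
    RESOURCE = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self, base):
        super().__init__()
        self.base, self.resources, self.links = base, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.RESOURCE and a.get(self.RESOURCE[tag]):
            self.resources.append(urljoin(self.base, a[self.RESOURCE[tag]]))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))

def is_first_party(host, site_domain):
    # Simplification (assumption): the caller supplies the registrable domain,
    # so no public-suffix list is consulted here.
    return host == site_domain or host.endswith("." + site_domain)

def audit_site(site_domain, fetch, max_pages=25):
    """Breadth-first crawl of same-site pages starting at the homepage.
    fetch(url) stands in for a headless browser and returns a dict with the
    page "body", the cookie names present after load ("cookies") and the URLs
    the browser requested while loading ("requests"). Nothing is clicked or
    submitted, so every observation is pre-consent behaviour."""
    queue, seen, cookies, hosts = [f"https://{site_domain}/"], set(), {}, {}
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        page = fetch(url)
        for name in page["cookies"]:
            cookies.setdefault(name, KNOWN_COOKIES.get(name, ("unknown", "review")))
        refs = _Refs(url)
        refs.feed(page["body"])
        # Static HTML shows only the first hop; the network log also catches
        # loads triggered by scripts, e.g. fonts fetched by an embedded map.
        for res in refs.resources + page["requests"]:
            host = urlsplit(res).hostname or ""
            if host and not is_first_party(host, site_domain):
                hosts.setdefault(host, KNOWN_HOSTS.get(host, "unknown third party"))
        for link in refs.links:  # follow internal links only
            if is_first_party(urlsplit(link).hostname or "", site_domain):
                queue.append(link)
    return {"pages": len(seen), "cookies": cookies, "third_party_hosts": hosts}

def summarise(audits):
    """Per-cookie and per-host 'number of websites' counts plus the
    cookie-count buckets used in the findings section."""
    cookie_sites, host_sites, buckets = Counter(), Counter(), Counter()
    for a in audits:
        cookie_sites.update(a["cookies"].keys())
        host_sites.update(a["third_party_hosts"].keys())
        n = len(a["cookies"])
        buckets["0" if n == 0 else "1" if n == 1 else "2-4" if n <= 4 else "5-10" if n <= 10 else ">10"] += 1
    return cookie_sites, host_sites, buckets

# Constructed sample crawl data (hypothetical sites) standing in for a browser.
SAMPLE = {
    "praxis-a.example": {  # analytics plus a Google Maps embed on the contact page
        "https://praxis-a.example/": {
            "body": '<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">'
                    '<script src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>'
                    '<a href="/kontakt">Kontakt</a><a href="https://other.example/">extern</a>',
            "cookies": ["_ga", "_gid", "PHPSESSID"],
            "requests": ["https://fonts.gstatic.com/s/roboto/v30/x.woff2",
                         "https://www.google-analytics.com/g/collect?v=2"]},
        "https://praxis-a.example/kontakt": {
            "body": '<iframe src="https://www.google.com/maps/embed?pb=TEST"></iframe>',
            "cookies": ["_ga", "_gid", "PHPSESSID"],
            "requests": ["https://maps.googleapis.com/maps/api/js",
                         "https://maps.gstatic.com/mapfiles/x.png",
                         "https://fonts.gstatic.com/s/roboto/v30/x.woff2"]}},
    "praxis-b.example": {  # self-hosted assets, no cookies before consent
        "https://praxis-b.example/": {
            "body": '<link rel="stylesheet" href="/style.css"><img src="/logo.png"><a href="/anfahrt">Anfahrt</a>',
            "cookies": [], "requests": ["https://praxis-b.example/style.css"]},
        "https://praxis-b.example/anfahrt": {"body": "<p>Adresse</p>", "cookies": [], "requests": []}},
}

def sample_fetch(site):
    return lambda url: SAMPLE[site].get(url, {"body": "", "cookies": [], "requests": []})

def run_sample():
    audits = {site: audit_site(site, sample_fetch(site)) for site in SAMPLE}
    cookie_sites, host_sites, buckets = summarise(audits.values())
    return {"audits": audits, "cookie_sites": cookie_sites, "host_sites": host_sites, "buckets": buckets}

if __name__ == "__main__":
    r = run_sample()
    for site, a in r["audits"].items():
        print(site, a["pages"], "pages", sorted(a["cookies"]), sorted(a["third_party_hosts"]))
    print("websites per host:", r["host_sites"].most_common())
    print("cookie buckets:", dict(r["buckets"]))
```

Against the constructed data, praxis-a.example ends up with three pre-consent cookies (two of them Google Analytics) and seven Google hosts, including fonts.gstatic.com, which only the network log reveals; praxis-b.example sets nothing and contacts nobody. A real run replaces `sample_fetch` with a headless browser whose cookie jar and request log are read after each page load, and should also consider cookies written later by scripts and resources referenced from CSS (`@import`, `url(...)`), which this sketch does not parse.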
Findings
Cookies
Setting or reading cookies usually requires the express consent of the user, because it means storing information on, or reading information from, their device. There are situations in which placing or reading a cookie is unavoidable and no consent is required, but these exceptions must be assessed strictly by necessity, which in light of the legislative reasoning means a technical, not an economic, necessity.1
A classic example is a web shop that stores the contents of the shopping cart in a cookie so that it is available again on the next visit.2 Even this cookie should not be set before something has actually been placed in the cart.

Although the majority of websites, namely 836 (51%), follow an exemplary approach and set no cookies without consent, practices vary widely: 256 (16%) websites set between 5 and 10 cookies, 245 (15%) set 2 to 4 cookies, and 270 (17%) set a single cookie without prior consent. So while many take data protection seriously, a significant minority still places cookies aggressively.
| # | Cookie | Provider | Websites |
|---|---|---|---|
| 1 | _ga | Google Analytics | 187 |
| 2 | _gid | Google Analytics | 163 |
| 3 | PHPSESSID | PHP (session cookie) | 157 |
| 4 | XSRF-TOKEN | Wix.com | 87 |
| 5 | hs | Wix.com | 85 |
Not every cookie placed on a visitor's device is evil a priori or requires consent. A closer look at the five most frequently placed cookies, however, shows that several of them would have required consent and are therefore set unlawfully, while others fall into a gray area: a PHP session cookie, for instance, is technically necessary only while the site actually uses a session, not when it is handed out on every page view by default.
According to our analysis, the most frequently placed cookies belong to Google Analytics. This service not only collects extensive statistics about visitors on behalf of the website operator; the data is also transmitted automatically to Google, and the default configuration places no restriction on how Google may use it further.
Because Google knows and can contextualize the content of the website being visited, and at the same time can closely follow visitors through Google Analytics, it can build a medical profile of them. If you visit a plastic surgery site, Google knows you are interested in the subject. If you visit several sites on the topic, some of which use Google Analytics, Google can infer that the interest is probably a need. All of this is information Google makes available to advertisers selling products and political messages.
Caution is therefore advised with Google Analytics. The Austrian data protection authority has already ruled its use unlawful in a complaint case, and the Swedish data protection authority has imposed penalties of up to roughly €1 million for its use.

Google's own terms for Analytics expressly require operators to obtain users' consent, and Google even threatens to block the service for operators who do not. In practice, however, Google does not appear to enforce its self-imposed standards.
Furthermore, Google has admitted that all data collected via Google Analytics is sent to the USA and processed there.3 Website operators must therefore conclude a data processing agreement (Art. 28 GDPR) with Google; the EU-US Data Privacy Framework currently in force addresses the transfer itself but does not replace that agreement.
Many Viennese doctors use website builders, “which often inherently use unnecessary cookies and integrate external services.”4 Specifically, around 5% of Viennese doctors use the website builder from Wix.com, which sets many cookies on visitors' devices without consent.
Wix claims that these cookies are essential to the operation of its websites. Nevertheless, it is questionable why ten different cookies should be necessary when many other websites manage without them. Operators of such sites find it hard to state clearly what these cookies are for: the documentation Wix provides says little about them, and they cannot be disabled. There is as yet no case law on this, but the choice of a site builder should be weighed carefully for data protection reasons.
Third Party Connections
Our analysis shows that numerous sites load external resources from third-party providers without obtaining visitors' consent. Particularly common are connections to Google services such as Google Fonts and Google Maps, which not only deliver resources but also disclose visitor data (at the very least the IP address and browser identification) to Google.

These data transfers are legally complex. While the consent requirement for cookies is clear, the rules for loading external resources are less settled.
Here it depends heavily on context what may be included without asking. Is there a data processing agreement with the third-party provider? Is data sent to a third country without adequate protection? Could the resource just as well be self-hosted? Does the request serve only to display content, or also other purposes such as tracking?
| # | URL | Provider | Websites |
|---|---|---|---|
| 1 | fonts.gstatic.com | Google Fonts | 655 |
| 2 | fonts.googleapis.com | Google Fonts | 606 |
| 3 | maps.googleapis.com | Google Maps | 549 |
| 4 | maps.gstatic.com | Google Maps | 495 |
| 5 | www.google.com | Google | 477 |
| 6 | www.googletagmanager.com | Google Tag Manager | 261 |
| 7 | www.google-analytics.com | Google Analytics | 229 |
Looking at the most common connections to third parties made without the user's consent, they are exclusively connections to Google services.
Google Fonts stand out: they are loaded on well over a third of the pages examined, which current case law (notably the Munich Regional Court's 2022 ruling on remotely loaded Google Fonts) prohibits without consent.
Unlike the case decided there, on most of the doctors' pages the fonts are not embedded directly but arrive as a side effect of other Google services: over a third of the websites examined embed Google Maps, and a Google Maps embed always pulls in Google Fonts as well.
Here, too, Google's terms of use require site operators to obtain visitors' consent first. How that is supposed to be structured legally is unclear, because Google's privacy statements make it difficult to tell what data is processed and how.
Google does state that, at a minimum, location data, device information, IP addresses and browser data are used to optimize its services and to offer personalized advertising. This raises questions about privacy and data protection, particularly regarding how transparent Google is about the use and retention of this data.
It is also important to distinguish between the free Google Maps embed, which is the variant most often used on the pages analyzed, and the use of Google Maps via Google Cloud.
In the free version, Google reserves the right to use all data collected (identifiers from cookies, IP addresses, browser type, pages visited, and so on) for its own purposes, that is, to earn more money from advertising.
In the Google Cloud version, Google at least appears not to use the collected data for personalized advertising (advertising that follows you across websites and devices). It still remains unclear what Google does with the data, how long it is retained and where it ends up.
Conclusion
It is shocking to see how many doctors' websites handle their patients' highly sensitive concerns and data irresponsibly and negligently.
Others are already doing everything right and show how it can work, for example by embedding an interactive map of the city of Vienna instead of Google Maps. Dr. Edith Roth-Schiffl, for example, does this on her contact page.

Although the problems found on the websites examined may amount to serious data protection violations, they are not particularly hard to fix. Most doctors run relatively simple websites. Google Maps, for example, is usually embedded only on the contact page; these maps could easily be removed or replaced with the alternatives mentioned above without any loss of quality. Many sites integrate nothing but Google Analytics.
Our experience has shown that the collected data is hardly ever looked at. Since Google Analytics is often the only third-party connection on the websites examined, simply switching it off would bring a large gain: most of these sites would then no longer need an annoying cookie banner at all.
But the responsibility cannot be placed on the doctors alone. Many commission web agencies to build and operate the website, and those agencies are liable too. Agencies very often integrate services such as Google Analytics by default, without first asking whether their clients will ever look at the data or benefit from it.
Overall, the majority of Viennese doctors' websites still show significant data protection deficiencies. Particularly problematic is that many websites pass data to third parties, above all large tech companies, without informing users or obtaining their consent.
The fact that digitalization is so bad in Germany is partly due to Google. We are supplying more and more data there, unsolicited and free of charge. As soon as “solutions” from Google etc. are no longer usable because they have to be seen as a legal danger, things will start looking up in Germany. That is my belief. But then it's not the fault of the government, but of the private sector. - Dr. GDPR
It is crucial that physicians and their website operators develop a deeper awareness of data protection and take appropriate measures to protect the privacy of their patients and website visitors. This includes the critical review and, if necessary, reduction of third-party connections as well as transparent and user-friendly handling of cookies and other tracking technologies.
Ultimately, in the digital age, it is essential that medical professionals maintain the highest standards of patient protection and discretion not only in their practices, but also online. Technological developments and the possibilities of the Internet offer great opportunities for medicine and patient communication. However, these should not be exploited at the expense of privacy and trust.
Footnotes
1. “Outside the stated requirements, the use of cookies, web storage, browser fingerprinting and similar technologies is only permitted with consent that meets the requirements of the GDPR. The wording of the exceptions must be interpreted narrowly. In Paragraph 2 No. 2 there is the wording 'absolutely necessary', which, given the justification for the law, is to be understood as a technical, but not an economic, necessity. As a rule, reach measurement, user tracking for advertising purposes, etc. will not be absolutely necessary for the provision of a telemedia service and will therefore require consent according to the TTDSG.” – The Hamburg Commissioner for Data Protection and Freedom of Information: The TTDSG - New regulations on the use of cookies and comparable technologies
2. “Operators of websites and other telemedia generally require the consent of the user if they want to store or access information on the device. In exceptional cases, consent is not required if the storage of and access to information on the end devices is absolutely necessary so that a telemedia service expressly requested by the user can be provided. This is the case, for example, with a cookie that is used to store items from an online shop in a shopping cart.” – Berlin Commissioner for Data Protection and Freedom of Information: Clear rules for cookies and similar technologies
3. “All data collected by Google Analytics (see our answer to question #2) is hosted (i.e. stored and processed) in the USA.” – Google LLC to the Austrian data protection authority in the noyb proceedings
4. “In principle, it should be noted that new offers are often problematic in terms of data protection law because they are often created using prefabricated modular systems, which often use unnecessary cookies and integrate external services.” – Prof. Ulrich Kelber: Activity report for data protection and freedom of information 2022