Your most personal purchases are out in the open

Ordering a self-test for a sexually transmitted disease, a pregnancy test, or medication for fungal infections is a moment of vulnerability for many people. You choose to order online, assuming it will be discreet. That assumption turns out to be incorrect. While you are paying, dozens of digital eyes are watching you. Your medical situation is immediately converted into merchandise. This is evident from extensive research by Radar and Investico, in collaboration with De Groene Amsterdammer.

The leak is bigger than you think

The results of the investigation speak for themselves. The journalists investigated twenty large online drugstores and webshops, including well-known names such as Kruidvat, Etos, and Bol.com. The result is shocking: all twenty parties share sensitive information with Google. At half of the stores, Meta, the parent company of Facebook and Instagram, also looks directly into your shopping cart. It is not limited to anonymous clicks. In some cases, such as DA, Plus, and flash delivery service Flink, even personal details, email addresses, and phone numbers are forwarded to the advertising platforms. This links your intimate medical purchase directly to your physical identity. So tech companies not only know *that* a pregnancy test has been sold, but also exactly *who* bought it and where they live. Even if you, as a consumer, consciously refuse cookies in the hope of protecting your privacy, the data flow continues at fifteen out of twenty webshops. The promise of privacy in the cookie banner often turns out to be a sham in practice.

A global web of watchers

It is tempting to point the finger solely at the big American tech giants from Silicon Valley. However, the reality is more complex and diffuse. The ecosystem of data collectors is much broader than just Google and Facebook. The study shows that the Chinese platform TikTok also receives data from Dutch stores such as DA and Plein.nl. But it doesn't stop there. Anyone who analyzes the technical infrastructure of sites such as Plein.nl will see that many more parties are knocking at the door. For example, cookies are placed by Pinterest, which also gives this platform insight into your interests and purchases. So it is not just an American or Chinese problem. It is a fundamental problem of modern e-commerce. Various techniques allow a huge number of parties to watch. Your data does not disappear into a single vault, but is spread across an opaque network of advertising brokers, social media, and media companies.

The technology behind the scenes: Server Side Tracking

Previously, as a consumer, you could still protect yourself reasonably well. You installed an ad blocker or refused tracking cookies in your browser. Those days are over. Online stores are increasingly using advanced methods to circumvent these blockades. A popular technique is ‘Server Side Tracking’ (SST). With this technique, the data is not sent from your laptop or phone to Facebook. Instead, the online store sends the data directly from its own server to the tech companies. You don't see this happening. Your browser doesn't see it. Your ad blocker can't access it. It's an invisible data tunnel that is completely beyond your control. Dutch companies are cleverly responding to this.

From a legal perspective, these online stores are on thin ice. Or rather, they have already fallen through it. According to the General Data Protection Regulation (GDPR), health data is considered ‘special personal data’. There is a strict ban on processing this data, unless there is a legal exception. The only relevant exception here is explicit consent. A simple check mark on an unclear cookie banner is absolutely not enough. The Dutch Data Protection Authority (AP) is clear about this: a ‘strengthened form of consent’ is required. Consumers must know exactly that their purchase of hemorrhoid cream will be shared with an advertising company. That is not currently the case. The current banners are vague and misleading. Professor Frederik Zuiderveen Borgesius states in the study that these practices are illegal. Yet companies are taking the gamble. Data trading is so profitable that any fines are factored in. Even previous sanctions, such as those against Kruidvat in 2024, have not forced a change of course.

Why does this affect you

You may wonder: why does it matter that Google knows I buy paracetamol? The problem lies in the accumulation of data. One purchase says little. But a history of purchases tells a whole story. It reveals whether you have a chronic illness. It shows whether you are trying to get pregnant. It shows whether you are struggling with depression. This data is used to create profiles. In the past, Microsoft used more than 650,000 labels to pigeonhole people. These profiles can have far-reaching consequences. Think of targeted advertisements at your weakest moments. But the risks go further. Insurers may be interested in this data. In the US, data from tech companies is already being used by the justice system. European privacy legislation appears to be a paper tiger in practice. As long as the profit margins on data are higher than the fines, your medical records will remain fair game.