Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 08, 2026 · 6 min read

73% of Hospital Sites Ignore Your Opt-Out, Study Finds

Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites with an active Global Privacy Control signal switched on. Ad and marketing trackers, including Google Marketing Platform, kept running on 73% of them anyway.

Turning on a browser opt out signal is supposed to mean something. It is a legal request, backed by state law in a dozen states, telling a website to stop selling or sharing your data for advertising. A new report from Piwik PRO and Verified Data set out to check whether hospitals actually listen. They crawled 59 major US hospital and clinic websites from a California location with Global Privacy Control turned on, and found that most sites simply kept going. Google's ad platform, Meta's pixel, and dozens of other trackers loaded on health pages as if the signal had never been sent.

Key Takeaways

  • Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites in a July 2026 report and found that 73% kept advertising trackers running even after a Global Privacy Control opt out signal was active.
  • Google Marketing Platform appeared on 33 of the 59 sites and Google Analytics on 20, despite Google's own terms barring HIPAA covered entities from sending it protected health information.
  • Twelve states, including California, Colorado, and Connecticut, now legally require businesses to honor Global Privacy Control, and the three states launched a joint enforcement sweep over the signal in September 2025.
  • 69% of the scanned sites were running marketing or advertising cookies, and researchers counted 75 distinct tracking tools spread across just 59 domains.
  • A federal court partially vacated HHS guidance on hospital tracking technology in 2024, but patient portals and other authenticated pages remain covered, meaning several appointment and symptom checker pages the study flagged still carry compliance risk.
Modern hospital reception area with a front desk computer monitor, representing hospital websites that keep running ad trackers after patients opt out

What Did the Study Find?

The Piwik PRO and Verified Data report crawled up to 25 pages per hospital domain, covering homepages, appointment booking flows, and symptom checker tools, while a Global Privacy Control signal broadcast from the browser. Across the 59 sites, researchers logged 75 unique tools in active use: 38 analytics platforms and 37 advertising or marketing tools. Google Marketing Platform showed up on 33 of the 59 sites, Google Analytics on 20, and Facebook, Microsoft Advertising, and The Trade Desk all appeared repeatedly.

The compliance gap is the headline number. 73% of the sites kept advertising or marketing trackers active despite the opt out signal, and 69% were running marketing or advertising cookies during the crawl. Brian Clifton of Verified Data, one of the report's authors, put the root cause bluntly: "Healthcare organizations often inherit their analytics setup." Tags get copied from a marketing agency template or a sister facility, and nobody revisits whether the resulting data flows are legal for a hospital to run.

What Is Global Privacy Control?

Global Privacy Control is a browser level signal that tells every website you visit, in one step, that you want to opt out of the sale or sharing of your personal data for targeted advertising. Firefox, Brave, and DuckDuckGo ship it as a built in setting; Chrome and Safari users can add it through an extension. Once enabled, the browser sends the signal automatically on every page load, so a visitor never has to fill out an opt out form site by site.

Twelve states, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas, now require covered businesses to treat the signal as a valid legal opt out request. California, Colorado, and Connecticut took that requirement seriously enough to launch a joint investigative sweep in September 2025. A hospital site that keeps loading ad trackers after GPC fires is not operating in a gray area in those states; it is failing a request the law already answered.

Why Is This a HIPAA Problem?

It is a HIPAA problem because the data these trackers collect is rarely generic browsing behavior. An appointment booking URL can reveal which department a visitor searched for. A symptom checker session paired with an IP address can reveal what condition someone was worried about, on the same day, from the same device. That combination can qualify as protected health information, and Google explicitly bars HIPAA covered entities from sending it any, refusing to sign a Business Associate Agreement for that use case.

HHS's Office for Civil Rights spent years warning covered entities about exactly this exposure, but the guidance did not survive court challenge intact. In June 2024, a federal judge sided with the American Hospital Association and vacated the part treating an IP address alone on a public unauthenticated page as protected health information. HHS chose not to appeal, but patient portals and logged in scheduling tools remain squarely covered, and several of the appointment flows Piwik PRO tested sit right at that boundary.

Why Email Users Should Care

A tracking pixel is a tracking pixel whether it sits on a hospital appointment page or inside a marketing email, built by the same industry using the same measurement logic. Once a hospital's marketing stack sends your appointment activity to an ad platform, that same platform, and often the same patient record, feeds the follow up emails and appointment reminders that land in your inbox next.

This is not a new pattern for the sector. A Rutgers study of 1,201 hospitals published in May 2026 found that 66% of US hospitals still ran a Facebook or Google tracking pixel, and doing so made a data breach 46% more likely. Hospitals have already paid over $100 million in tracking pixel settlements for this kind of data flow, and Kaiser alone settled a case tied to pixels that sent 13 million patients' data to Google over seven years. Piwik PRO's report is the same story from a different angle: most hospitals were already tracking, and now most refuse to stop even when a visitor explicitly asks.

What Can Patients Do?

You cannot force a hospital's marketing team to remove a tag from its site, but you can reduce what leaves your browser before it ever reaches one.

  • Turn on Global Privacy Control. Firefox, Brave, and DuckDuckGo have it built in; Chrome and Safari users need an extension that sends the signal automatically.
  • Use a general purpose tracker blocking extension so advertising and analytics scripts are stopped at the browser level instead of relying on the hospital site to honor your preference.
  • Avoid symptom checkers or appointment booking while logged into a Google or Facebook account in the same browser session, since cross site identifiers make it easier to link your health search to your identity.
  • File a complaint with the hospital's privacy office if you live in one of the 12 states that legally recognize GPC and can show the signal was ignored; state attorneys general have shown they will act on these complaints.

Looking Ahead

Piwik PRO's own recommendations read like a basic compliance checklist: audit every tool touching a health page, strip ad pixels off pages that discuss symptoms, enforce opt out signals at the tag management layer, and migrate analytics to a provider willing to sign a Business Associate Agreement. What the 73% figure shows is the gap between what the law now requires and what hospital marketing stacks actually do.

Regulators are not waiting for hospitals to catch up on their own. With three states already running a joint sweep on GPC compliance and nine more recognizing the signal, a 73% noncompliance rate inside an industry already facing suits like the Kaiser member's tracking class action looks less like an oversight and more like an invitation for the next enforcement action.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.