Last week, the Wall Street Journal broke a very big story. Google, in partnership with health insurer Ascension has been gathering personal health data about millions of Americans as part of a project called “Project Nightingale.”

The kicker? No one bothered to tell the patients or doctors that this was going on, and in fact, the project has been in place for over a year. I confess to being more than a little gob smacked. I mean, every time I go to a doctor’s office, I must sign my understanding of HIPAA (Health Insurance Portability and Accountability Act), and my doctors won’t even communicate with me by email anymore because of HIPPA considerations. So how is this even remotely okay?

Even though Ascension employees have questioned this data collection, it appears that Google and Ascension have found a HIPAA loophole. To quote the WSJ:

“…privacy experts said it appeared to be permissible under federal law. That law, the Health Insurance Portability and Accountability Act of 1996, generally allows hospitals to share data with business partners without telling patients, as long as the information is used “only to help the covered entity carry out its health care functions.”

Regulators are scrutinizing the legality of this initiative. In a rare bi-partisan moment, Congressional Democrats and Republicans agreed to scrutinize these activities, especially given what followed.

In the same week we learned that Google is buying Fitbit, a maker of health activity monitors. When you start to put all the pieces together, a somewhat frightening picture emerges: Google Home, listening to your conversations and recording your food purchases (and maybe even what you’ve got in your fridge), Google Nest, keeping track of your thermostat temperatures and lighting preferences, Fitbit, monitoring your activities all day and while you sleep and of course, your search history, where it can be observed what you think and worry about (my own search history is filled with my paranoid illness fantasies).

And what’s Google going to do with this information? It gets worse.

Google in this case is using the data in part to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care. Staffers across Alphabet Inc.,Google’s parent, have access to the patient information, internal documents show

Well, it’s a really short walk from “changes to their care” to “refusing to cover their care” because they haven’t followed doctor’s orders to cut back on sugar consumption, lose weight or exercise more often. It’s a short walk to some serious ugliness. Makes you feel like yelling “Get out of my life, dammit!”

Groups are already lining up to fight the initiative, but you might rightly ask “What does this have to do with retail? This is healthcare.” And the answer is “a lot.” Most analyst firms, including IHL Group and RSR ourselves, have highlighted all the ways retailers want to track their customers – clearly for the purpose of creating more personalized and relevant offers.

However, as I pointed out in my predictions for 2019 (how is this year already almost over, by the way?), data privacy is going to be one big fly in the ointment of conversational commerce and more. We know Alexa is listening. It turns out that Google Home is also watching. Recent commercials on TV show Google Home responding to user hand signals along with listening for the user’s commands. This is borderline creepy from the jump, and put in the context of Project Nightingale, starts to become downright disturbing.

I have said this before on many occasions and feel obligated to say it again. Retailers MUST be very careful in their decisions around consumer tracking and offer personalization. In some ways, segmentation is more sensible than personalization, especially without explicit permission. I think it’s fine to ask for permission, especially if it’s done in such a way that the consumer feels he’s getting something useful from it. But there’s a very fine line. Google and Ascension may have thought Americans weren’t paying attention; the news organizations are all busy with various governmental crises around the world – but the WSJ was paying attention. And so are consumers. They’re cranky. They’re temperamental. And really, if the big players aren’t careful, consumers will batten down their hatches. Duckduckgo.com (a search engine that does NOT track you) is already becoming popular.

Apple’s TV commercials coincidentally or maybe not so coincidentally are making consumer privacy a keystone of the company’s marketing message. This commercial aired the day after the WSJ first announced Project Nightingale. I don’t know how many people have watched it on TV. I do know that 24 million have watched it on YouTube. And if I didn’t know better, I’d think Apple knew about Project Nightingale and it was their prepared response. It’s a good one. And the message is correct.

It’s the consumer’s data. You don’t get to have it without permission. EVER. As the liner notes on Apple’s YouTube video say:

We believe your privacy should never be something you have to question. It should be simple, straightforward, and understood.

Whatever you may or may not think of Apple, it would be good to internalize this message. Privacy is not dead. And if it is, expect its resurrection soon. Otherwise, all that great data is going to disappear in a puff of smoke. And we’ll be back to guessing what the heck consumers want.

Seller, beware.