> If you visit a pharmacy website to buy prescription meds you have to enter PII.
Yes. And they are responsible for where that information ends up, regardless of how and where they advertise. So basically, anyone running any website at all should be really careful to not add any third party (e.g. Facebook) scripts to their page. I'd rather run a business not knowing whether my ad campaigns work at all, than run one where I don't know if I'm liable for breaking laws.
Analogy: if you have a photo sharing website, like Flickr, then from those photos (and the combination of different photos) Flickr can in theory derive a lot of sensitive information; does that make it somehow stupid or irresponsible to post photos to Flickr? I'd say that depends completely on how we expect Flickr to behave.
It's like visiting a physical pharmacy. In theory, somebody could be spying on the people who enter and leave the place, keeping a giant database with frequency, faces, etc. The question whether it is stupid to enter a pharmacy in person should be answered with: "No, we have laws that protect us against malevolent actors".
Yes. And they are responsible for where that information ends up, regardless of how and where they advertise. So basically, anyone running any website at all should be really careful to not add any third party (e.g. Facebook) scripts to their page. I'd rather run a business not knowing whether my ad campaigns work at all, than run one where I don't know if I'm liable for breaking laws.