Mental health websites don't have to sell your data, but most still do.
This statement was originally published on privacyinternational.org on 31 January 2020.
The changes discussed in this article are based on a second analysis performed in late November, 3 months after the original study Your Mental Health is for Sale and following the exact same methodology. All data collected can be found at the bottom of this page.
Change is possible
Back in September 2019 we published the report Your Mental Health is for Sale exposing how a majority of the top websites related to mental health in France, Germany and the UK share data for advertising purposes. This report most notably highlighted how numerous mental health websites engage in programmatic advertising, a type of advertising that relies on sharing your personal data with hundreds if not thousands of companies to eventually serve you targeted ads. It also exposed how a small number of websites offering depression tests share your answers directly with third parties.
Thanks to wide coverage and outrage as well as a related study by the Financial Times published on the front page of the paper edition, this report led some websites to reconsider their practices and implement changes to limit the amount of data shared.
Our re-scan of the websites shows, for example, that the NHS’ depression test no longer sends answers to a third party server and has been completely purged of all third parties, including Hotjar, a company providing session recording capabilities. The charity Mind also reported to the Financial Times that they had been reviewing their practices: “As a result of a report published by Privacy International in September, we have removed marketing trackers from our site and won’t reinstate them until our review has finished and we are satisfied we’re using them appropriately”. Similarly, the Health Prevention Agency reduced the number of third parties for the website depression.org.nz. Another positive change we observed is the decrease in the number of mental health websites in Germany contacting third-parties for marketing purposes from 61.36% to 50%.
NHS’ mood assesment page with clear choice given to the user.
This is not the first time PI’s research pushes companies to change. Many Android apps using the Facebook SDK changed their default behavior following our App analysis in 2018, while Facebook changed the default parameters of its SDK to prevent data from being shared as soon as the user would open an app this SDK. Similarly, in September 2019, our research into menstruation apps led two of the main apps we exposed to stop sharing sensitive personal data with Facebook. This is a positive change that we welcome and that proves that websites and apps don’t have to trade your privacy.
Yet, selling your mental health data is still a thing. It shouldn’t be.
Unfortunately these good examples are far from being the norm. Most websites still share your data with third-parties for advertising purposes. Even more worryingly, two of the websites offering depression tests (French group TF1 owned health site Doctissimo and new-Zealand national public health programme’s Depression.org.nz) still share your test answers with third-parties*. This means that our initial analysis of these privacy and security issues still applies. This is unacceptable.
Our research also reveals that very little has changed in terms of the number of third parties contacted by mental health websites and cookies dropped. If anything it seems that the number of third party elements loaded has increased for all three countries we looked at. These elements could have other uses than marketing but given the high percentage of third parties with marketing purposes we can assume an important part of those are loaded for this purpose. For example, the page dedicated to treatments for depression on French health website Eurekasante contacts an astounding 71 third parties (compared to 36 in our first research) as soon as you open the page – most of them for advertising purposes.
The biggest French health site Doctissimo.fr and new-Zealand national public health program’s Depression.org.nz still share your test answers with third-parties. That is unacceptable.
In other words, whenever you visit a number of websites dedicated to mental health to read about depression or take a test, dozens of third-parties may receive this information and bid money to show you a targeted ad. Interestingly, some of these websites seem to include marketing trackers without displaying any ads, meaning they simply allow data collection on their site, which in turn may be used for advanced profiling of their users. For example, the page dedicated to mental health on priorygroup.com contacts AppNexus, a company specialised in programmatic advertising, without displaying any ad on its page. AppNexus is not mentioned in the privacy or cookie policy and thus the reasons for sending data to this company are unclear.
Some of the practices observed, such as setting third-party cookies before users have a chance to express their consent, are, as we have already set out, unlawful in regard to GDPR and ePrivacy law. This is especially concerning given the nature of the information exchanged with these sites. It is highly disturbing that we still have to have to say this, but websites dealing with such sensitive topics should not track their users for marketing purposes. Your mental health is not and should never be for sale.
3. What you can do about it
Despite this grim painting of the situation you are not helpless and we and others in civil society are working to challenge these practices (see our timeline of complaints against AdTech). Our research exposed many aspects of what is wrong with targeted advertising and the AdTech ecosystem supporting it. This research can be easily reproduced to expose companies for what they are doing and force change in their practices. Mental health is just one example among other abuses based on data collection and sharing, but this is a systemic issue that can be observed all across the internet. So if you are a journalist or if you have the time and skills to do so/to help, have a look at our methodology and give it a try!
As a user, you might think that this battle is already lost and that there is little you can do. We believe the burden should not be on users to protect themselves and that what is most needed is enforcement of the law. Yet, there are things you can do to protect your privacy. Browser extensions such as uBlock Origin, Privacy Badger, Decentraleyesor Ghostery will prevent loading third parties without your consent. The solutions are available on most browsers and for most OS. On mobile, solutions such as Better Blocker on iOS or Blockada and NetGuard on Android can help limit the number of trackers apps and websites can set.
These solutions aren’t perfect, but they are a way for you to show your disagreement with certain websites’ practices when it comes to your privacy.
4. What will be PI be doing this year
PI is still fighting AdTech and we are not stopping here. This year we will keep calling on regulators to take action against AdTech companies, Data Brokers and Credit Rating agencies. We are developing as well as supporting studies and efforts that focus on AdTech to keep exposing companies engaging in data exploitation practices and advocating for change.
* The Health Prevention Agency (HPA) (in charge of the website depression.org.nz in New Zealand) did make some changes following our initial research. While we welcome these changes (notably removing a number of third-parties, including Hotjar), we remain concerned that test answers are still stored in the URL as this means that these answers are shared with all remaining third parties (Facebook, Google, Amazon, Youtube). Even if such results are not uniquely identifiable to the HPA, this does not mean that they may not be linked to individuals by third partiies, using techniques such as fingerprinting.