Privacy International study shows your mental health is for sale
A new study by Privacy International reveals how popular websites about depression in France, Germany and the UK share user data with advertisers, data brokers and large tech companies, while some depression test websites leak answers and test results with third parties. The findings raise serious concerns about compliance with European data protection and privacy laws.
This article is part of a research led by Privacy International on mental health websites and tracking. Read our full report.
According to the World Health Organisation (WHO), 25% of the population in Europe experience depression or anxiety each year, yet about 50% of people with major depression remain untreated. Opening up about depression to friends, family, colleagues and medical professionals can be crucial for getting help and support. But when data brokers, advertisers and online tracking companies collect data about our mental health without our knowledge or consent, this is highly intrusive. Information that reveals when exactly someone is feeling low or anxious - especially if combined with other data about their interests and habits - can be misused to target people when they are at their most vulnerable.
This is not the world we want to live in. Privacy International fights for a world in which people are in control of their data and the technology they use, and in which governments and companies are no longer able to use technology to monitor, track, analyse, profile, and ultimately manipulate and control us.
To understand how data relating to mental health is currently protected, Privacy International analysed 136 popular mental health web pages in France, Germany and the UK related to depression using the open-source tool webxray.
Our findings show that many mental health websites don’t take the privacy of their visitors as seriously as they should. This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws (see our full legal analysis in the report).
We found that:
- While third parties can provide useful services, our research shows that the predominant motivation to include third-party elements on mental health websites seems to be tracking for advertising and marketing purposes. According to webxray’s classification, 76.04% of web pages contained third-party trackers for marketing purposes.
- Google, Facebook and Amazon trackers were present on many of the web pages we scanned, which shows how hard it is to escape these companies. Google’s advertising services DoubleClick and AdSense, for instance, were used by the vast majority of web pages we analysed. 70.39% of all web pages we analysed use trackers by DoubleClick. Facebook is the second most common third-party tracker after Google and Amazon Marketing Services is also one of the most common third parties present on the web pages analysed.
- Depression-related web pages also used a large number of third-party tracking cookies, which were placed before users were able to express (or deny) consent. On average, mental health web pages placed 44.49 cookies in France, 7.82 for Germany and 12.24 for the UK. This raises serious questions about compliance with EU data protection (General Data Protection Regulation) and ePrivacy law (the ePrivacy Directive 2002/58/EC, as implemented by Member State laws).
- Numerous mental health websites include trackers from known data brokers, and AdTech companies, some of which engage in programmatic advertising, a practice that is under increasing scrutiny by European regulators and which raises specific privacy concerns when used on health-related websites.
To further understand which data is exchanged between websites and third parties, we selected a small sub-set of depression-related websites for additional analysis. We chose the first three Google search results for “depression test” in France, Germany and the UK and inspected and examined traffic, as well as cookies, on websites that offer free depression tests.
We found that:
- Some depression test websites (netdoktor.de, passeportsante.net and doctissimo.fr) use programmatic advertising with Real-Time Bidding (RTB). RTB is subject to complaints across Europe and Privacy International has complained about the practices of companies involved in RTB. That is because websites that use programmatic advertising with RTB risk sharing data relating to health with hundreds of companies in the RTB ecosystem. Typically, this includes information about the device used, or where a user is located. We found that in the case of some depression test websites we analysed this also included granular information about the exact web page people visited, and, as a result, what health conditions they been looking at. For example, as part of an RTB prebid request, the French website Doctissimo.fr sends content keywords (such as ‘dépression’, ‘déprimé’ (depressed), or ‘quizz’), the page URL (psychologie/tests-psycho/tests-psychologiques/coup-de-blues-ou-depression), as well as information about the page content (‘psychologie’, ‘test psychologiques’, ‘coup de blues ou dépression ?’) to the page https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs(a cloud function hosted by Google that will process the request).
- A number of depression test websites store user’s answers to the test as variables (e.g. 1 = yes, and 0 = no) and share answers, as well as test results with third parties in the URL. Two websites (PasseportSanté and depression.org.nz) stored test results as variables in the URL, which is being shared with all third parties that the website contacts.
- Doctissimo.fr shares data with a third party directly. The website sends test answers, together with a unique identifier, to player.qualifio.com. Because Qualifio provides the test form, the company knows the test’s questions and answers. As a result, the company knows how uniquely identifiable individuals have responded to each question of the depression test. Because the request is sent in HTTP, instead of HTTPS, the request is potentially susceptible to interception.
- Finally, we observed that two depression test websites (the NHS mood test and depression.org.nz) use Hotjar, a company that, among other services, provides “session replay scripts” that could be used to log (and then playback) everything users typed or clicked on a website. In response to a query by Privacy International, a spokesperson for the NHS DIGITAL explained: "We do not record the session using Hotjars ‘session replay scripts’ when a user starts to complete the ‘mood self assessment quiz’.” (see our report for the full statement)
The findings of this study are part of a broader, much more systemic problem: the ways in which companies exploit people's data to target ads with ever more precision is fundamentally broken. It is exceedingly difficult for people to seek mental health information and for example take a “depression test” without countless of third parties watching. All website providers have a responsibility to protect the privacy of their users and comply with existing laws, but this is particularly the case for websites that share unusually granular or sensitive data with third parties. Such is the case for mental health websites.
We're hopeful that the UK regulator is currently probing the AdTech industry and the many ways it uses special category data in ways that are neither transparent nor fair and often lack a clear legal basis.
Download the full report here to learn more about the methodology we used, our full legal analysis, as well as company responses.