Mental health site sharing your personal data? We're going after them

Following our report "Your Mental Health for Sale", PI has submitted a complaint against Doctissimo to the French data protection authority (CNIL)

Key points
  • PI previously exposed how popular mental health websites share personal data with third parties through advertising practices, including answers to depression tests in some cases
  • Some websites decided to change their practices following PI's report.
  • Despite our efforts to raise potential GDPR compliance issues with the company, Doctissimo did not seem to change its data practices.
  • Last week (June 26 2020) PI submitted a complaint to the French regulator (CNIL) against Doctissimo, including some new research findings.
News & Analysis

In September 2019, PI published the report Your Mental Health for Sale. Our investigation looked into popular mental health websites and their data sharing practices.

Our findings suggest that, at the time of the research, most websites we looked at were using third party tracking for advertising purposes, sometimes relying on programmatic advertising technologies such as Real Time Bidding (RTB), sharing personal data with potentially thousands of actors. Some websites were also found sharing answers to depression tests. In most of these cases, their practices raised serious questions regarding their compatibility with data protection laws, considering that they didn't seem to collect users' consent in accordance with the strict requirements imposed by EU data protection laws, like the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

But we didn't stop there. In February 2020, we published a follow-up analysis to measure change and evaluate how many of these sites had modified their practices to better protect users' privacy. The results were mixed, and while some sites did take action to amend their their data practices, others did not.

A screnshot of the NHS' mood assessment page
NHS’ mood assessment page was one of the pages that made positive changes following publication of our report

Our research exposed multiple issues with Doctissimo.

We focused on Doctissimo because it's among France's biggest health and well-being websites and with 12 millions unique visitors per month, Doctissimo has very effective Search Engine Optimisation (SEO) practices. This makes it a highly desirable platform for advertisers (and the top result for any health related Google search).

What we found made us concerned. For example, the consent banner on the website disappeared as soon as the user scrolled or clicked a link*. We question whether this is enough to signal the user's consent to their data being shared with 556 partners (at the time of testing in April 2020).

*Note: It now appears that Doctissimo has updated its cookie banner on June 28 2020, just a few days after our complaint was submitted to the CNIL. To view the site as it was at time of the complaint, please visit: https://web.archive.org/web/20200626164154/https://www.doctissimo.fr/

PI's research also demonstrated how Doctissimo uses Real-Time Bidding (RTB), a practice subject to complaints across Europe and examined in Privacy International complaints against AdTech companies. Our 2019 research exposed how Doctissimo shares answers to its depression test with a third party not mentioned anywhere on its website: Qualifio.

Up to the day we submitted our complaint and despite our attempts to reach out to Doctissimo (before releasing the report in August 2019 and before releasing our follow up in February 2020), we never received an answer and we observed no change with regard to the issues mentioned above in the 9 months that followed our initial research.

Screenshot of A POST request from Doctissimo to Qualifio with answers to a depression test question
A POST request from Doctissimo to Qualifio with answers to a depression test question

Publishers such as Doctissimo are part of a broader advertising ecosystem compromised of AdTech companies, Data Brokers and Credit rating agencies. This industry relies on the collection, processing and sharing of massive amounts of personal data, putting users' privacy and security at risk. PI has challenged this ecosystem by bringing complaints to multiple Data Protection Authorities against many of its actors.

This time, we are asking the regulator to take action and enforce the law. On June 26, we filed a complaint with the French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés) against Doctissimo. This complaint includes our initial technical analysis as well as a follow up analysis looking into the recently added Doctissimo covid-19 chatbot*.

*Note: As of June 28 this chatbot seems to have been removed as well

To find out more about our legal argument and technical analysis, read our complaint here