'Serious concerns' over mental-health websites leaking user data to brands

Mental-health websites do not take the privacy of visitors as seriously as they should, campaigners warn.

Mental health: Privacy International report said sites are falling foul of GDPR (Getty Images)

People with mental-health issues are at risk of having their sensitive information leaked to advertisers, a privacy campaign group has revealed. 

A new study by Privacy International reveals how popular websites about depression in France, Germany and the UK share user data with advertisers, data brokers and tech companies, while some websites that contain depression tests leak answers and results to third parties.

Privacy International said the findings raise "serious concerns" about the ways in which websites about depression treat people’s data.

It found that 98% of all web pages it analysed contained a third-party element, such as third-party cookies, third-party JavaScript or an image hosted on a third-party server.

This comes with an inherent privacy risk for users, Privacy International said, because mental-health websites often reveal lots of sensitive information about the people visiting those sites.

While third parties can provide useful services, Privacy International’s research shows that the predominant motivation to include third-party elements on mental-health websites appears to be for advertising and marketing purposes.

For example, German website netdoktor.de has a page that features a depression test. This page places a tracking cookie by adtech company Criteo and other third parties, meaning the website is sharing the URL of a depression test web page with advertisers.

Criteo is a personalised retargeting company that works with internet retailers to serve personalised online ads to people who have previously visited an advertiser’s website.

Privacy International said the way these websites get consent for using trackers does not comply with Europe’s General Data Protection Regulation. It found that three out of nine depression-test websites do not show a cookie banner, even though they are placing third-party cookies. It also found websites that ask for consent but do not offer a straightforward option to reject it. 

NHS website records what users are typing and clicking on

Some of these websites, where people are diagnosing depression, are also using programmatic advertising with real-time bidding. RTB, which is subject to complaints across Europe, involves data about users being broadcast to potentially thousands of ad exchanges that are competing within nanoseconds to serve an ad when a web page is loaded.

In some cases, Privacy International said it found depression test websites had included detailed information about the exact web page people visited and therefore what health conditions they had been looking at.

The UK's NHS website, for example, has a mood self-assessment test that people can use to look for symptoms of depression. The site shares the web address of the test with Adobe, as well as a user's final test score, as the screenshots below show:

In its documentation, Adobe says that the purpose of the tracking servers that collect this information is measurement or analytics rather than marketing, even though this is a service that it also offers.

The research also found that the NHS’s mood test uses Hotjar, a company that provides "session replay scripts" that can be used to log and play back everything users type or click on a website. 

When Privacy International contacted the NHS, it said individuals could not be identified from the information shared with Adobe. It added that the Hotjar functionality would be automatically disabled from the end of September, with users able to "opt in should they wish to". 

The NHS added: "Analytics cookies can be switched off by users through our website. Any information collected through this tool is anonymised, cannot be used to identify an individual and is not shared with any third parties. We do not record the session using Hotjar's ‘session replay scripts’ when a user starts to complete the ‘mood self assessment quiz’."

UK: nine in 10 mental-health websites have a Google tracker

Just over three-quarters (76%) of web pages analysed contained third-party trackers for marketing purposes. This figure was highest in the UK (86%), compared with 80% in France and 61% in Germany. 

Google’s Authorized Buyers (formerly DoubleClick) was used by a majority (70%) of web pages analysed, while other Google products such as Analytics, Tag Manager and Fonts were also used. The study found that more than nine in 10 mental-health websites in the UK (92%) had a Google tracker of some kind.

Facebook is the second-most-common third-party tracker on mental-health websites after Google (49% in the UK), while Amazon is third (12% in the UK). 

Mental-health web pages also used a large number of third-party tracking cookies, which were placed before users were able to express or deny consent. On average, mental-health web pages placed 44.5 cookies in France, 7.8 in Germany and 12.2 in the UK.

Websites that use third-party cookies for marketing purposes typically enable third parties to track users across the web with a unique identifier. 

For example, French website Doctissimo.fr has a pop-up consent box that disappears the moment the user takes any action on the site (such as scrolling), and this is interpreted as a user consenting to targeted ads. The website shares data with 448 advertising companies, Privacy International found.

Privacy International said: "Our findings of this report show that many mental-health websites don’t take the privacy of their visitors as seriously as they should. This research also shows that some mental-health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws."