A new study has revealed that mental health websites in Europe are selling information collected from users, including psychological health data such as answers from quizzes, according to BBC News.
The study, by Privacy International (PI), found that the way this information was collected is “neither transparent nor fair” and that many websites are “failing to meet their obligations under European data protection and privacy laws.”
PI analyzed the data collection practices of 136 mental health websites in the UK, France, and Germany. They found that nearly all the websites used cookies to track users, three-quarters of which were being used for advertising, most often through Google, Facebook, or Amazon. Several popular depression tests investigated by the study were transferring results and answers to third parties for ad targeting purposes.
The EU’s General Data Protection Regulation (GDPR) lays out particularly strict rules on the handling of users’ health data. Under the GDPR, users must not only consent to the sharing of their health data; that consent must also be explicit, specific, informed, and freely given, with an option to decline and continue to use the website.
The investigation found that cookies were often installed before any consent was given at all.
Many of the sites were using software that records everything a user types or clicks on a website. Some used a practice called Real Time Bidding (RTB), which has been involved in multiple complaints under the GDPR. In RTB, hundreds of companies bid for advertising space in real time, and user data can be shared with any advertiser that bids. Complaints have argued that there’s no way to secure the data after it’s been shared with hundreds or thousands of third parties.
This summer, the UK’s Information Commissioner’s Office indicated it may crack down on the practice in the future, after giving companies “an appropriate period of time to adjust their practices.”
According to a statement from PI technologist Eliot Bendinelli:
“It is exceedingly difficult for people to seek mental health information and for example take a depression test without countless of third parties watching. All website providers have a responsibility to protect the privacy of their users and comply with existing laws, but this is particularly the case for websites that share unusually granular or sensitive data with third parties. Such is the case for mental health websites.”