Casually browsing the web comes with the expectation that you’re probably going to be tracked by data brokers who are thirsty for your internet habits, but one might also expect that on certain corners of the web, your information is treated with more sensitivity. But a new report found that even on mental health websites, your privacy is second to generating those sweet personalized ads.
This week, Privacy International published a report—Your mental health for sale—which explored how mental health websites handle user data. The digital rights nonprofit looked at 136 mental health webpages across Google France, Google Germany and the UK version of Google, according to the report. They chose websites based on advertised links and featured page search results for depression-related terms in French, German, and English, and also included the most visited sites according to web analytics service SimilarWeb.
Webxray’s analysis found that 76.04 percent of the webpages had trackers for marketing purposes—80.49 percent of the pages in France, 61.36 percent of the pages in Germany, and 86.27 percent of them in the UK. Among the third-party trackers also included the likes of advertising services from Google, Facebook, and Amazon, with Google trackers being the most present, followed by Facebook and Amazon.
A deeper dive into a subset of these websites—the first three Google search results for “depression test” in the three countries—also indicated some more specific and egregious ways in which these trackers are shilling some of our most intimate data. For instance, among the findings from that additional analysis, Privacy International found that some of the depression test websites stored user’s responses and shared them along with their test results with third parties. They also found that two depression test websites use Hotjar, an online feedback tool that can record what someone types and clicks on a webpage. It’s not difficult to imagine how such data—responses to a depression test—can be exploited.
And the report also brings up the issue around consent—especially given the EU’s recently enacted General Data Protection Regulation (GDPR) and its push to better protect the digital privacy of consumers. Not only were many of these webpages tracking users’ sensitive information, but they were doing so without meeting the new legal standards for consent. Privacy International found that three out of nine of the depression test websites analyzed didn’t include a cookie banner indicating that the websites had third-party trackers. Additionally, it found that four of the six that did have a banner didn’t include an explicit way to opt-out of consenting to have their data tracked.
“Our findings of this report show that many mental health websites don’t take the privacy of their visitors as seriously as they should,” the report states. “This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws.”
While it’s really not a huge surprise that shady data brokers have extended their grasp into even the more vulnerable and sensitive parts of the internet, it’s still a humbling reminder that you shouldn’t expect any website, regardless of its nature, to be straightforward around consent and its tracking practices. Privacy International recommended in its report that users should block third party cookies on their browsers, use ad-blockers and anti-tracking extensions, and to do some due diligence before filling out an online mental health test to determine if it’s secure.
We have reached out to Facebook, Amazon, and Google to comment on the findings of the report that they have trackers on mental health websites, and how they are using that data.