A new study by Privacy International reveals how popular websites about depression in France, Germany and the UK share user data with advertisers, data brokers and large tech companies, and how some depression test websites leak test answers and results to third parties. The findings raise serious concerns about compliance with European data protection and privacy laws.
- While third parties can provide useful services, our research shows that the predominant motivation for including third-party elements on mental health websites appears to be tracking for advertising and marketing purposes. According to webxray’s classification, 76.04% of the web pages analysed contained third-party trackers for marketing purposes.
- Google, Facebook and Amazon trackers were present on many of the web pages we scanned, which shows how hard it is to escape these companies. Google’s advertising services DoubleClick and AdSense, for instance, were used by the vast majority of web pages we analysed: 70.39% of all web pages analysed use DoubleClick trackers. Facebook is the second most common third-party tracker after Google, and Amazon Marketing Services is also one of the most common third parties present on the web pages analysed.
- Depression-related web pages also used a large number of third-party tracking cookies, which were placed before users were able to give (or refuse) consent. On average, mental health web pages placed 44.49 cookies per page in France, 7.82 in Germany and 12.24 in the UK. This raises serious questions about compliance with EU data protection law (the General Data Protection Regulation) and ePrivacy law (the ePrivacy Directive 2002/58/EC, as implemented by Member State laws).
- Numerous mental health websites include trackers from known data brokers and AdTech companies, some of which engage in programmatic advertising, a practice that is under increasing scrutiny by European regulators and which raises specific privacy concerns when used on health-related websites.
To further understand which data is exchanged between websites and third parties, we selected a small subset of depression-related websites for additional analysis. Privacy International chose the first three Google search results for “depression test” in France, Germany and the UK and examined the traffic and cookies of websites that offer free depression tests. We found that:
- Some depression test websites (netdoktor.de, passeportsante.net and doctissimo.fr) use programmatic advertising with Real-Time Bidding (RTB). RTB is the subject of complaints across Europe, and Privacy International has complained about the practices of companies involved in RTB. The reason is that websites that use programmatic advertising with RTB risk sharing health-related data with hundreds of companies in the RTB ecosystem. Typically this includes information about the device used or where a user is located. We found that, for some of the depression test websites we analysed, it also included granular information about the exact web page people visited and, as a result, which health conditions they had been looking at. For example, as part of an RTB prebid request, the French website Doctissimo.fr sends content keywords (such as ‘dépression’, ‘déprimé’ (depressed) or ‘quizz’), the page URL (psychologie/tests-psycho/tests-psychologiques/coup-de-blues-ou-depression), as well as information about the page content (‘psychologie’, ‘test psychologiques’, ‘coup de blues ou dépression ?’) to https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs (a cloud function hosted by Google that processes the request).
- A number of depression test websites store users’ answers to the test as variables (e.g. 1 = yes and 0 = no) and share the answers, as well as the test results, with third parties in the URL. Two websites (PasseportSanté and depression.org.nz) stored test results as variables in the page URL, which is then exposed to every third party the page contacts, for instance through the Referer header or because a tracking script reports the full page URL.
- Doctissimo.fr shares data with a third party directly. The website sends test answers, together with a unique identifier, to player.qualifio.com. Because Qualifio provides the test form, the company knows the test’s questions and answers. As a result, the company knows how uniquely identifiable individuals have responded to each question of the depression test. Because the request is sent over HTTP instead of HTTPS, it is also susceptible to interception or modification on the network path.
- Finally, we observed that two depression test websites (the NHS mood test and depression.org.nz) use Hotjar, a company that, among other services, provides “session replay scripts” that can be used to log (and later play back) everything users typed or clicked on a website. In response to a query by Privacy International, a spokesperson for NHS Digital explained: “We do not record the session using Hotjar’s ‘session replay scripts’ when a user starts to complete the ‘mood self assessment quiz’.” (See our report for the full statement.)
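The three leak patterns above (answers visible to third parties through the page URL, answers posted directly to a form provider, and a request sent over plain HTTP) can be checked mechanically against a browser capture such as a HAR export. The script below is an added example and is not Privacy International’s tooling; the first-party domain, the parameter names (q1, q2, q3, score, result), the third-party hosts (all under the reserved .invalid TLD) and the sample entries are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical first-party site; .invalid is reserved, so nothing here resolves.
FIRST_PARTY = "example-test.invalid"

# Parameter names a test page might use for answers and results (assumed for the example).
SENSITIVE_PARAMS = {"q1", "q2", "q3", "score", "result"}

# Constructed sample traffic in the shape of HAR entries; these are not real captures.
SAMPLE_ENTRIES = [
    {"method": "GET",
     "url": "https://example-test.invalid/test/result?q1=1&q2=0&q3=1&score=2",
     "referer": ""},
    {"method": "GET",
     "url": "https://cdn.tracker.invalid/pixel.gif?uid=abc123",
     "referer": "https://example-test.invalid/test/result?q1=1&q2=0&q3=1&score=2"},
    {"method": "POST",
     "url": "http://forms.vendor.invalid/submit",
     "referer": "https://example-test.invalid/test",
     "body": "uid=abc123&q1=1&q2=0"},
    {"method": "GET",
     "url": "https://static.example-test.invalid/app.js",
     "referer": "https://example-test.invalid/test"},
]


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels. A real audit should use the
    Public Suffix List so that hosts under e.g. co.uk are grouped correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(url: str, first_party: str) -> bool:
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party)


def sensitive_in_query(query: str) -> set:
    """Return the sensitive parameter names present in a query string or form body."""
    return set(parse_qs(query, keep_blank_values=True)) & SENSITIVE_PARAMS


def audit(entries, first_party=FIRST_PARTY):
    """Flag third-party requests that expose test answers or results, or that
    travel in plaintext. Returns a list of (kind, host, params) tuples."""
    findings = []
    for e in entries:
        parts = urlsplit(e["url"])
        host = parts.hostname or ""
        if not is_third_party(e["url"], first_party):
            continue  # first-party requests are out of scope for this check
        # Answers copied into the third-party request URL itself (explicit sharing).
        leaked = sensitive_in_query(parts.query)
        if leaked:
            findings.append(("url_leak", host, sorted(leaked)))
        # Answers in the page URL, which the browser sends along as the Referer.
        leaked = sensitive_in_query(urlsplit(e.get("referer", "")).query)
        if leaked:
            findings.append(("referer_leak", host, sorted(leaked)))
        # Answers posted directly in the request body (form-provider pattern).
        leaked = sensitive_in_query(e.get("body", ""))
        if leaked:
            findings.append(("body_leak", host, sorted(leaked)))
        # Any third-party request over plain HTTP can be read or altered on the path.
        if parts.scheme == "http":
            findings.append(("plaintext", host, []))
    return findings


if __name__ == "__main__":
    for kind, host, params in audit(SAMPLE_ENTRIES):
        print(f"{kind:13s} {host:28s} {','.join(params)}")
```

On the constructed sample the script reports a Referer leak of q1, q2, q3 and score to cdn.tracker.invalid, and a body leak of q1 and q2 plus a plaintext request to forms.vendor.invalid; the first-party static asset produces no finding. The Referer finding is the one site operators most often overlook: keeping answers out of the URL (submitting them by POST, or holding state in the fragment after `#`, which browsers never send) and serving a `Referrer-Policy: no-referrer` header both remove it, while moving the third-party form to HTTPS removes only the plaintext finding, not the sharing itself.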
The findings of this study are part of a broader, much more systemic problem: the way in which companies exploit people’s data to target ads with ever more precision is fundamentally broken. It is exceedingly difficult for people to seek mental health information and, for example, take a “depression test” without countless third parties watching. All website providers have a responsibility to protect the privacy of their users and to comply with existing laws, but this is particularly true of websites that share unusually granular or sensitive data with third parties, as mental health websites do. We are encouraged that the UK regulator is currently probing the AdTech industry and the many ways in which it uses special category data that are neither transparent nor fair and often lack a clear legal basis. Download the full report here at Privacy International.