Sensitive personal information about mental health is routinely being traded to advertisers around the web, a study has suggested. Privacy International (PI) investigated more than 100 mental health websites in France, Germany and the UK. It found many shared user data with third parties, including advertisers and large technology companies.
The way information was being sold was “neither transparent nor fair and often lacked a clear legal basis”, it said. Nearly all the websites investigated had large number of cookies – computer files that download on to a user’s device to enable tracking – three-quarters of which were there for marketing or advertising purposes, according to PI.
On average, each mental-health web pages contained: in France, 44 cookies, in the UK, 12 cookies and in Germany, seven cookies. Many of the web pages contained cookies that enable targeted advertising from Google, Facebook and Amazon. And many used Hotjar, a company that provides software that allows everything users type or click on to be logged and played back.
“It is exceedingly difficult for people to seek mental-health information and for example take a ‘depression test’ without countless third parties watching,” said Frederike Kaltheuner, PI’s director of corporate exploitation. “We visit these sites and reveal so much about ourselves and that should not be used by companies we have never heard of to track you around the internet and use the data in an opaque advertising eco-system.”
The EU’s General Data Protection Regulation (GDPR) raised the level of consent required before websites can download cookies on to a user’s device. Its ePrivacy Directive requires users are given clear and comprehensive information about what data is being used and how. And in the case of particularly sensitive data, such as health information, this consent must be explicit. But the PI investigation found many cookies were installed on people’s devices before any consent had been given.
Some websites had no consent form, while those that did ask for consent did so in a very generic way, the report said. “Most people don’t have the time to navigate complicated consent boxes which nudge them towards consent,” said Ms Kaltheuner. “These sites should not have any more cookies than are strictly needed. “Users should be able to say that they do not want to be tracked by Google, Facebook and data brokers.”
PI also analysed nine websites that offered visitors quizzes about their mental health. Three of these had cookies that enabled tracking for programmatic advertising, where hundreds of companies bid in real-time for advertising space, it said. This was problematic because sensitive information could be broadcast to all of those bidding, PI said.
Programmatic advertising is currently being investigated by the UK’s information commissioner. PI also found Doctissimo.fr sent test answers, together with a unique identifier such as an IP address, to a third party – Player.qualifo.com, which had provided the test form.