The lack of awareness around mental health leads individuals, patients or not, to look for answers to questions about mental health conditions online. The paradox lies in the ease with which we tend to share information, assumptions or inferences about our mental health status or the status of our loved ones online, although we have privacy concerns when discussing such issues in person. A Report published by Privacy International sheds light on the level of compliance of mental health websites. In this article, we look at the key messages of this report and, drawing on these findings, we provide GDPR and e-Privacy suggestions for organisations collecting (any) personal information on the web.
Key findings of the Report
Privacy International analysed 136 popular mental health web pages in France, Germany and the UK to present the following privacy-alarming findings:
- 78% of all web pages contained a third-party element, such as third-party cookies.
- Most of the third-party elements in the analysed websites serve advertising and marketing purposes, including Google, Facebook and Amazon trackers.
- A poor level of compliance with privacy and data protection law was found: In many cases tracking technologies, such as cookies, are being placed before the consent of the web user/visitor is provided.
- Where consent is requested, it often fails to meet the standards laid down by EU legislation, especially regarding the quality and quantity of the information provided.
- Several websites contain trackers from data brokers and AdTech companies, some of which engage in programmatic advertising with Real-Time Bidding. This allows the creation of user profiles based on web searches and history and the delivery of targeted advertisements. The shared data may include information about the location and type of device used, the content of the website, it’s URL and keywords. This is crucial because such data often include medical terms, which could then lead to inferences about the mental health status of the individuals.
- Four out of nine depression test websites share test results and answers with third parties.
The above led Privacy International to conclude that a significant number of the analysed websites fail to respect the fundamental rights of data protection and privacy, and may be sharing mental health information with social networks and advertisers. The data disclosure could lead to inferences and profiling, accurate or not, and, in combination with other data, to the identification of web-users and their targeting with marketing material, relevant or not to their medical condition (if any).
Data protection measures and controls
This report reveals that there is still space for improvement in online information collection compliance. Given that information collected online and shared with third parties may also constitute personal data under data protection law, organisations running websites and providing online content should review their practices and policies regarding the online collection and sharing of information. Below we provide key recommendations in line with the GDPR and e-Privacy requirements.
- Data minimisation: Carefully consider the necessary amount and types of personal data you collect and share with third parties – consider the reasonable expectations of privacy of your audience.
- Transparency is a legal requirement and fundamental for enabling individuals to decide about their personal data. You should have Privacy and Cookie Policies in place explaining the uses of tracking technologies and personal data. You should also provide a cookie banner/pop-up message when individuals visit your website for the first time.
- Request consent (meeting the GDPR standards) for analytical and marketing cookies.
- Contrary to the GDPR, EU e-Privacy law is regulated under the Directive 2002/58/EC and national laws in each Member State. In light of the anticipated e-Privacy Regulation, you should make sure that the applied third-party elements in your website comply with both regimes.
- You should check the national requirements and industry specifications. For example, the Information Commissioner’s Office has recently updated their guidance on cookies and raised concerns about how personal data is used in real-time bidding (RTB) in programmatic advertising.
- Empower data subjects in line with national guidance and best practices – you should provide user-friendly and effective control over cookie settings and not enable cookie management through browser settings from the user device.
- Implement technical changes on your website – and remove outdated features. For example, requiring users to accept non-essential cookies before they can access online content (cookie walls) is not permitted, nor should you include pre-ticked boxes for these non-essential cookies.
- Check whether the tracking mechanisms and features of your website could lead to profiling of the users and let them know about their rights.
- Consider the potential vulnerability of the affected data subjects based on your context. For example, in the mental health context, these conditions may indicate a vulnerable state of mind or position, where individuals may not have the capacity to decide about their personal data and may feel ‘exposed’ if such data is leaked. Such consideration should be embedded in data protection impact assessments (DPIAs) and security measures and controls (data protection/privacy by design).
- Privacy International also suggests the removal of the referrer header since this element can reveal information about the webpage address and last page the user was on.
Trilateral’s advisors can support you in assessing and meeting your compliance level and needs. For more information visit Trilateral’s Data Governance page and contact our team.