NHS’ mood assesment page with clear choice given to the user.

This is not the first time PI’s research pushes companies to change. Many Android apps using the Facebook SDK changed their default behavior following our App analysis in 2018, while Facebook changed the default parameters of its SDK to prevent data from being shared as soon as the user would open an app this SDK. Similarly, in September 2019, our research into menstruation apps led two of the main apps we exposed to stop sharing sensitive personal data with Facebook. This is a positive change that we welcome and that proves that websites and apps don’t have to trade your privacy.

Yet, selling your mental health data is still a thing. It shouldn’t be.

Unfortunately these good examples are far from being the norm. Most websites still share your data with third-parties for advertising purposes. Even more worryingly, two of the websites offering depression tests (French group TF1 owned health site Doctissimo and new-Zealand national public health programme’s Depression.org.nz) still share your test answers with third-parties*. This means that our initial analysis of these privacy and security issues still applies. This is unacceptable.

Our research also reveals that very little has changed in terms of the number of third parties contacted by mental health websites and cookies dropped. If anything it seems that the number of third party elements loaded has increased for all three countries we looked at. These elements could have other uses than marketing but given the high percentage of third parties with marketing purposes we can assume an important part of those are loaded for this purpose. For example, the page dedicated to treatments for depression on French health website Eurekasante contacts an astounding 71 third parties (compared to 36 in our first research) as soon as you open the page. Most of them for advertising purposes.

The biggest French health site Doctissimo.fr and new-Zealand national public health program’s Depression.org.nz still share your test answers with third-parties. That is unacceptable.

In other words, whenever you visit a number of websites dedicated to mental health to read about depression or take a test, dozens of third-parties may receive this information and bid money to show you a targeted ad. Interestingly, some of these websites seem to include marketing trackers without displaying any ads, meaning they simply allow data collection on their site, which in turn may be used for advanced profiling of their users. For example, the page dedicated to mental health on priorygroup.com contacts AppNexus, a company specialised in programmatic advertising, without displaying any ad on its page. AppNexus is not mentioned in the privacy or cookie policy and thus the reasons for sending data to this company are unclear.