Privacy International report claims European websites sell mental health information to advertisers and fail to meet GDPR
A new study by the charity Privacy International (PI) claims that popular health websites in Europe routinely share users’ mental health information with advertisers, data brokers and large tech companies.
The charity analysed more than 136 popular web pages related to depression in Germany, France and the UK, using the open-source tool webxray to identify companies that collect user data.
The investigation found that many of the web pages set cookies enabling targeted advertising by large companies such as Google, Amazon and Facebook.
It also claimed companies including French website Doctissimo and German website Netdoktor use programmatic advertising with Real Time Bidding (RTB), in which hundreds of companies bid in real time for advertising space. PI says RTB “risks sharing data with hundreds of companies in the RTB ecosystem,” including information about the device used or where a user is located.
But Doctissimo spokesperson Olivier Abecassis told Healthcare IT News the website does not use RTB for medical data and users’ answers to its online depression test are “fully anonymous.”
Netdoktor had not responded to Healthcare IT News’ request for comment at the time of publication.
WHY IT MATTERS
PI argues it is “highly intrusive” of companies to collect data about users' mental health without their knowledge or consent.
“Information that reveals when exactly someone is feeling low or anxious - especially if combined with other data about their interests and habits - can be misused to target people when they are at their most vulnerable,” the report says.
THE LARGER CONTEXT
Since the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, the healthcare industry has faced multiple challenges in protecting sensitive data.
Websites and apps are required to obtain user consent before placing cookies on devices, subject to limited exemptions. However, PI says that many cookie notices fail to meet this requirement.
“For consent to be valid it has to be freely given, specific, informed and unambiguous, by way of a clear affirmative action. It should also be as easy to withdraw as to give consent. If special category data is processed (for instance, data concerning health), the consent also needs to be explicit,” the report says.
ON THE RECORD
Abecassis of Doctissimo said: “Regarding cookies, each local regulator defines detailed regulation following GDPR and we follow the French regulator guidelines regarding consent. There is a pending discussion to update these regulations - as soon as the French regulator defines them, we will implement them.”