Highly sensitive personal information concerning mental health is being routinely sold to advertisers across the internet, a study has revealed.
Non-profit group Privacy International (PI) investigated more than 100 mental health-focused websites in the U.K., France, and Germany. PI discovered that most of them sent sensitive user data directly to advertising firms and tech companies, according to BBC News. It’s an alarming discovery, and one that suggests that individuals’ most sensitive online interactions are being targeted by profit-hungry businesses.
The way information was being sold was “neither transparent nor fair and often lacked a clear legal basis”, the company said.
Nearly all the websites investigated had large number of cookies – computer files that download on to a user’s device to enable tracking – three-quarters of which were there for marketing or advertising purposes, according to PI.
On average, each mental-health web pages contained:
- in France, 44 cookies
- in the UK, 12 cookies
- in Germany, seven cookies
Many of the web pages contained cookies that enable targeted advertising from Google, Facebook and Amazon.
And many used Hotjar, a company that provides software that allows everything users type or click on to be logged and played back.
Frederike Kaltheuner, PI’s director of corporate exploitation said:
It is exceedingly difficult for people to seek mental-health information and for example take a ‘depression test’ without countless third parties watching, …We visit these sites and reveal so much about ourselves and that should not be used by companies we have never heard of to track you around the internet and use the data in an opaque advertising eco-system.
The EU’s General Data Protection Regulation (GDPR) raised the level of consent required before websites can download cookies on to a user’s device.
Its ePrivacy Directive requires users are given clear and comprehensive information about what data is being used and how. And in the case of particularly sensitive data, such as health information, this consent must be explicit.
But the PI investigation found many cookies were installed on people’s devices before any consent had been given.
Some websites had no consent form, while those that did ask for consent did so in a very generic way, the report said.
Ms Kaltheuner commented:
Most people don’t have the time to navigate complicated consent boxes which nudge them towards consent, …These sites should not have any more cookies than are strictly needed. …Users should be able to say that they do not want to be tracked by Google, Facebook and data brokers.
Privacy International also analyzed nine websites that offered visitors quizzes about their mental health.
Three of these had cookies that enabled tracking for programmatic advertising, where hundreds of companies bid in real-time for advertising space, [and] this was problematic because sensitive information could be broadcast to all of those bidding, PI said.
Programmatic advertising is currently being investigated by the UK’s information commissioner.
PI also found Doctissimo.fr sent test answers, together with a unique identifier such as an IP address, to a third party – Player.qualifo.com, which had provided the test form.
Sources: BBC News