Mental health app privacy language opens up holes for user data


Policies can change at any time

Illustration by Alex Castro / The Verge

In the world of mental health apps, privacy scandals have become almost routine. Every few months, reporting or research uncovers unscrupulous-seeming data sharing practices at apps like the Crisis Text Line, Talkspace, BetterHelp, and others: people gave information to those apps in hopes of feeling better, then it turns out their data was used in ways that help companies make money (and don’t help them).

It seems to me like a twisted game of whack-a-mole. When under scrutiny, the apps often change or adjust their policies — and then new apps or problems pop up. It isn’t just me: Mozilla researchers said this week that mental health apps have some of the worst privacy protections of any app category.

Watching the cycle over the past few years got me interested in how, exactly, that keeps happening. The terms of service and privacy policies on the apps are supposed to govern what companies are allowed to do with user data. But most people barely read them before signing (hitting accept), and even if they do read them, they’re often so complex that it’s hard to know their implications on a quick glance. 

“That makes it completely unknown to the consumer about what it means to even say yes,” says David Grande, an associate professor of medicine at the University of Pennsylvania School of Medicine who studies digital health privacy.

So what does it mean to say yes? I took a look at the fine print on a few to get an idea of what’s happening under the hood. “Mental health app” is a broad category, and it can cover anything from peer-to-peer counseling hotlines to AI chatbots to one-on-one connections with actual therapists. The policies, protections, and regulations vary between all of the categories. But I found two common features between many privacy policies that made me wonder what the point even was of having a policy in the first place.

We can change this policy at any time

7 Cups: We may change this Privacy Policy from time to time at our discretion

BetterHelp: We may update this privacy statement at our sole discretion. 

Cerebral: We reserve the right to change this Privacy Policy at any time.

Happify: Happify™ reserves the right to change or update this Privacy Policy at any time by posting a notice on the Site that we are changing our Privacy Policy…You will have a choice as to whether or not we use your information in this different manner and we will only use your information in this different manner where you opt-in to such use.

Even if you do a close, careful read of a privacy policy before signing up for a digital mental health program, and even if you feel really comfortable with that policy — sike, the company can go back and change that policy whenever they want. They might tell you — they might not. 

Jessica Roberts, director of the Health Law and Policy Institute at the University of Houston, and Jim Hawkins, law professor at the University of Houston, pointed out the problems with this type of language in a 2020 op-ed in the journal Science. Someone might sign up with the expectation that a mental health app will protect their data in a certain way and then have the policy rearranged to leave their data open to a broader use than they’re comfortable with. Unless they go back to check the policy, they wouldn’t know. 

One app I looked at, Happify, specifically says in its policy that users will be able to choose if they want the new uses of the data in any new privacy policy to apply to their information. They’re able to opt out if they don’t want to be pulled into the new policy. BetterHelp, on the other hand, says that the only recourse if someone doesn’t like the new policy is to stop using the platform entirely. 

Having this type of flexibility in privacy policies is by design. The type of data these apps collect is valuable, and companies likely want to be able to take advantage of any opportunities that might come up for new ways to use that data in the future. “There’s a lot of benefit in keeping these things very open-ended from the company’s perspective,” Grande says. “It’s hard to predict a year or two years, five years in the future, about what other novel uses you might think of for this data.” 

If we sell the company, we also sell your data

Happify: We reserve the right to release current or past Personal Information: if Happify™ is sold, merged or acquired; provided, however, that if Happify™ is involved in a merger, acquisition or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on the Site of any change in ownership or uses of your Personal Information, as well as any choices that you may have regarding your Personal Information.

Cerebral: In the event of a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation, we may transfer, sell, or assign to third parties information concerning your relationship with us, including, without limitation, personal information that you provide and other information concerning your relationship with us 

BetterHelp: We may share your information in connection with an asset sale, merger, bankruptcy, or other business transaction.

7 Cups: In the event of a merger, reorganization, consolidation, restructuring, bankruptcy, sale of substantially all interests or assets, or other similar transaction, we may transfer you Personal Information to the subsequent owner or operator of the Services.

Feeling comfortable with all the ways a company is using your data at the moment you sign up to use a service also doesn’t guarantee someone else won’t be in charge of that company in the future. All the privacy policies I looked at included specific language saying that, if the app is acquired, sold, merged with another group, or another business-y thing, the data goes with it. 

The policy, then, only applies right now. It might not apply in the future, after you’ve already been using the service and giving it information about your mental health. “So, you could argue they’re completely useless,” says John Torous, a digital health researcher in the department of psychiatry at Beth Israel Deaconess Medical Center.

And data could be specifically why one company buys another in the first place. The information people give to mental health apps is highly personal and therefore highly valuable — arguably more so than other types of health data. Advertisers might want to target people with specific mental health needs for other types of products or treatments. Chat transcripts from a therapy session can be mined for information about how people feel and how they respond to different situations, which could be useful for groups building artificial intelligence programs. 

“I think that’s why we’ve seen more and more cases in the behavioral health space — that’s where the data is most valuable and most easy to harvest,” Torous says.

I asked Happify, Cerebral, BetterHelp, and 7 Cups about these specific bits of language in their policies. Only Happify and Cerebral responded. Spokespeople from both described the language as “standard” in the industry. “In either circumstance, the individual user will have to review the changes and opt-in,” Happify spokesperson Erin Bocherer said in an email to The Verge.

The Cerebral policy around the sale of data is beneficial because it lets customers keep treatment going if there’s a change in ownership, said a statement emailed to The Verge by spokesperson Anne Elorriaga. The language allowing the company to change the privacy terms at any time “enables us to keep our clients apprised of how we process their personal information,” the statement said.

Now, those are just two small sections of privacy policies in mental health apps. They jumped out at me as specific bits of language that give broad leeway for companies to make sweeping decisions about user data — but the rest of the policies often do the same thing. Many of these digital health tools aren’t staffed by medical professionals talking directly with patients, so they aren’t subject to HIPAA guidelines around the protection and disclosure of health information. Even if they do decide to follow HIPAA guidelines, they still have broad freedoms with user data: the rule allows groups to share personal health information as long as it’s anonymized and stripped of identifying information. 

And these broad policies aren’t just a factor in mental health apps. They’re common across other types of health apps (and apps in general), as well, and digital health companies often have tremendous power over the information that people give them. But mental health data gets additional scrutiny because most people feel differently about this data than they do other types of health information. One survey of US adults published in JAMA Network Open in January, for example, found that most people were less likely to want to share digital information about depression than cancer. The data can be incredibly sensitive — it includes details about people’s personal experiences and vulnerable conversations they may want to be held in confidence.

Bringing healthcare (or any personal activities) online usually means that some amount of data is sucked up by the internet, Torous says. That’s the usual tradeoff, and expectations of total privacy in online spaces are probably unrealistic. But, he says, it should be possible to moderate the amount that happens. “Nothing online is 100 percent private,” he says. “But we know we can make things much more private than they are right now.” 

Still, making changes that would truly improve data protections for people’s mental health information is hard. Demand for mental health apps is high: their use skyrocketed in popularity during the COVID-19 pandemic, when more people were looking for treatment, but there still wasn’t enough accessible mental health care. The data is valuable, and there aren’t real external pressures for the companies to change. 

So the policies, which leave openings for people to lose control of their data, keep having the same structures. And until the next big media report draws attention to a specific case of a specific app, users might not know the ways that they’re vulnerable. Unchecked, Torous says, that cycle could erode trust in digital mental health overall. “Healthcare and mental health care is based on trust,” he says. “I think if we continue down this road, we do eventually begin to lose trust of patients and clinicians.”
