Doctissimo monetizes the results of “depression tests” without consent: the CNIL seized

A British NGO, Privacy International, has just filed a complaint with the CNIL about the Doctissimo health site. She accuses him of not respecting the GDPR and of doing business with certain data related to mental health.

Legal migraine coming for Doctissimo. The famous community website dedicated to health and well-being made recently the subject of a complaint before the National Commission for Data Protection (CNIL). On the move, the British NGO Privacy International, which explains that it has detected breaches of the General Data Protection Regulations (GDPR), which calls for immediate corrections.

Privacy International’s complaint is part of a broader work that has been underway for months, in particular through the production of a report in September 2019 on mental health. It had been followed by a second job, published in February 2020, supplementing the observations made previously on the business of health websites. Doctissimo is cited in both cases.

Doctissimo is accused of doing its bit with certain health data, especially mental. // Source: Volkan Olmez

The first report has ” revealed how a small number of websites offering depression tests share your answers directly with third parties. Doctissimo, a French health information site, was one of these sites. “, Denounces the NGO, in a press release. He added that in February 2020, this data sharing with third parties for marketing purposes was still in effect.

Numerous breaches of the GDPR

The complaint, dated June 26, specifically requests the CNIL, which turns out to be the reference supervisory authority since Doctissimo is a site based in France, to investigate the observations that the NGO has produced and take the where appropriate, the appropriate measures to force Doctissimo to end its practices, which violate the provisions of the GDPR at different levels.

Doctissimo « has no legal basis for the processing of personal data, since the conditions for valid consent are not met. […] Doctissimo also does not collect express consent in the case of personal data of a particular category “Denounces Privacy International, while this notion of consent is one of the pillars of the GDPR.

The GDPR has been in effect since May 25, 2018, and applies throughout the European Union. // Source: Illustration by Claire Braikeh for Numerama

It does not stop there: other points are called into question: security of the processing of personal data, data protection from the design of the information system and data protection by default, data minimization, transparency, loyalty, integrity, confidentiality, purpose and lawfulness. And to drive the point home, Doctissimo is also next to the nails when it comes to cookie management.

The CNIL has not reacted publicly to this file, which could have severe consequences on Doctissimo if the facts of which it is accused are proven: health data, category in which fall information on mental and psychic state, are sensitive data within the framework of the law and should in principle benefit from even more particular attention.