AI Mental Health Apps Shared Sensitive User Data with Advertisers and Third Parties

In March 2023, Mozilla Foundation's Privacy Not Included research published findings that most popular AI-powered mental health applications were sharing highly sensitive user data with third-party advertisers and data brokers. The investigation examined 32 mental health and prayer apps, finding that 29 failed basic privacy and security standards. The research revealed that platforms like BetterHelp, Talkspace, Youper, and others had integrated Facebook pixels, Google Analytics, and other tracking technologies that automatically transmitted users' intake questionnaire responses, therapy session metadata, and personal mental health struggles to advertising networks. BetterHelp, the largest online therapy platform with over 4 million users, was found to be sharing particularly sensitive data including users' health questionnaire answers about depression and anxiety, email addresses linked to therapy sessions, and IP addresses tied to mental health consultations. The company had promised users that their data would remain confidential and would not be used for advertising purposes, but Mozilla's technical analysis revealed extensive data sharing with Facebook, Snapchat, Criteo, and Pinterest for targeted advertising purposes. The Federal Trade Commission launched an investigation into BetterHelp's practices following the Mozilla report and consumer complaints. In March 2023, the FTC announced a $7.8 million settlement with BetterHelp for sharing consumers' sensitive personal health information with third parties for advertising purposes. The settlement required BetterHelp to limit its data sharing, obtain explicit consent before sharing health information, and contact affected users about the privacy violations. The FTC found that from 2017 to 2020, BetterHelp pushed sensitive data about users' mental health struggles to Facebook and other platforms despite promising users their data would remain private. The Mozilla research also identified significant security vulnerabilities in these applications, including weak password requirements, lack of encryption for sensitive data, and failure to delete user data upon request. Many apps were found to be collecting unnecessary personal information including precise location data, contact lists, and device identifiers that were then shared with advertising networks. The investigation highlighted how AI-powered mental health tools, which often marketed themselves as private and secure alternatives to traditional therapy, were actually harvesting user data at unprecedented scale. The incident raised broader questions about the regulation of digital health tools and the adequacy of HIPAA protections for app-based mental health services. Unlike traditional healthcare providers, many mental health apps operate outside HIPAA's scope, leaving users vulnerable to data exploitation. The FTC settlement with BetterHelp represented one of the largest privacy enforcement actions in the digital health space and established important precedent for holding mental health platforms accountable for data sharing practices.