Online therapy has become a booming industry in recent years, but with that growth comes questions about how well these types of companies are protecting the privacy of their patients.
Most recently, in June, Sens. Elizabeth Warren, Cory Booker and Ron Wyden asked two leading online therapy companies, BetterHelp and Talkspaceto provide information about how they handle user data and their privacy practices.
The Democratic senators said they were concerned that the companies could be leaving their patients “vulnerable to exploitation from large technology platforms and other online actors.”
BetterHelp markets itself as the world’s largest online therapy service with nearly 2 million users, according to its website. The company operates through thousands of therapists who can communicate with patients via phone, text or video chat.
But a 2020 investigation from Jezebel found that BetterHelp information was being shared with Facebook, including metadata of messages between patients and therapists. Facebook could also see the duration, approximate location and amount of time people spent on BetterHelp, according to Jezebel. (BetterHelp is an NPR funder.)
Talkspace told NPR that it has one of the most comprehensive privacy policies in the industry and that it’s gathering information to comply with the senators’ request.
Mary Potter, the company’s chief privacy officer, added that communication between patients and therapists takes place in “a fully-secure, encrypted private ‘room.’ We believe our technology fully meets [the Health Insurance Portability and Accountability Act] privacy and security requirements and protocols. For absolute clarity, we do not sell user information to third parties.”
BetterHelp told NPR that it is committed to privacy and security. A spokesperson said the company “has built state-of-the-art technologies, operations, and infrastructure to safeguard the information provided on our platform. Everything BetterHelp members share with their counselor is confidential, secure, and encrypted.”
With online mental health services providing a convenient alternative to traditional methods of in-person therapy for many people, NPR asked digital privacy experts to weigh in on what you should know about protecting your privacy when using these types of platforms.
The privacy tips here can apply to more than just online therapy services, but experts say these steps can help with privacy related to therapy apps as well.
It starts with your phone’s settings
“Go through the privacy settings on [your] smartphone operating system. Every time you download an app, go through its privacy settings. Enable all the options that allow you to limit how apps track you,” said Arvind Narayanan, an associate professor of computer science at Princeton University.
Narayanan said to pay attention any time a screen prompts you for permissions.
“Don’t simply tap the default option. When you try to restrict tracking, many apps will try to convince you that you’re missing out. These are generally misleading or deceptive claims,” he told NPR.
Opt out of personalized ads and cross-app tracking
John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, said that although steps to protect your privacy mainly depend on the specific app, users can opt out of personalized ads on Google and turn off cross-app tracking.
“That prevents the data that you input to one application from being correlated or collated with data uploaded to another application,” Davisson told NPR.
If you’re signed into your Google account, turn the slider for “ads personalization” to “OFF” here. This opt-out will work for all of your signed-in devices when recognized as being signed in, according to Google.
And when signed out of your Google account, you can opt out of personalized ads across the web and on Google search under the options here.
You can turn off personalized ads on Apple devices, Androids and Facebook and Twitter as well by following steps here.
Disable your mobile advertising ID
Users can also disable their mobile advertising ID, which limits the ways that companies can collate your data, location, search history and browsing history, according to Davisson.
For iPhone users, go to Settings > Privacy > Tracking to see if there are any apps you previously allowed access to track. Switch the slider to “off” where it says “Allow Apps to Request to Track” so the button appears gray.
For Android users, go to Settings > Privacy > Ads > and tap “delete advertising ID.” An older version of Android may instead give the option to “Opt out of Ads Personalization.”
Read an app’s “privacy nutrition label” carefully
Reading apps’ “privacy nutrition labels” can give prospective users a clearer sense of the types of data apps are collecting and how it’s being used, according to Davisson.
Apple says these labels are a way to provide a more transparent explanation of how apps handle user data.
You can find Apple’s privacy nutrition labels when you scroll down on the page of an app in the App Store where you’ll see an “App Privacy” section.
Google Play implemented a similar label for Android users that began appearing on some apps in April.
Specifically with BetterHelp, the Mozilla Foundation recommends to not connect the app to any social media accounts or third-party tools and to not share medical data when connected to any of those accounts. “Click the ‘Shred’ button next to each message you’ve sent if you want it to no longer show in your account,” Mozilla’s privacy guide says.
With Talkspace, Mozilla recommends: “Do not give an authorization to use or disclose your medical information. If you have given it already (or if you are unsure), revoke it by sending an email to privacy@Talkspace.com. Otherwise, your medical data including psychotherapy notes may be shared for marketing.”
You can also ask Talkspace to limit what’s shared with your insurance by emailing firstname.lastname@example.org.
Another option for privacy-minded people is to use a virtual private network. VPNs are used to mask the location of your computer and stop an internet service provider from seeing the websites you visit.
But Narayanan said he believes VPNs are more cumbersome and less effective than other methods at protecting your data and privacy online.
Experts say online privacy remains largely out of the individual’s control
“Unfortunately, the lack of stringent regulation of apps like BetterHelp and Talkspace has forced people into a very difficult choice between obtaining mental health support on the one hand and knowing their privacy will be protected on the other,” Davisson said.
Davisson stressed that people’s individual digital trails are too complex to monitor and safeguard their own data in every context.
“There’s a significant gap in privacy protection and regulation that allows these types of apps to fall through,” he said.
Federal privacy laws vary by sector, and HIPAA is limited to health plans, health care clearinghouses, and health care providers, according to Davisson.
The federal law seeks to protect patients’ personal health information from being exposed without their knowledge or consent, but Davisson said this does not typically apply to mental health apps or other health apps like period trackers.