If you type “anxiety” or “depression” into an app store search bar, you will find countless options. While there are many, many different apps to handle all sorts of psychological challenges, these apps also vary widely in how they handle the privacy of their users.

Over the past year, the popularity of these types of apps has risen tremendously. According to a national Consumer Reports survey conducted at the end of last year, four out of 10 Americans reported experiencing depression or anxiety due to the pandemic. One way to cope with some of these issues is through a mental health app. Some of these apps connect you with a licensed therapist via video chat, while others provide guided meditations, mood-tracking diaries, therapy chatbots, and cognitive behavioral therapy exercises. And some of these apps, while not providing you with access to a therapist, may instead ask you to complete mental health symptom questionnaires. The data provided through those features might not necessarily be treated as confidential by the app developers, or by the law.

To find out more about data collection, use and disclosure in this area, Consumer Reports’ Digital Lab researchers evaluated seven of the most popular mental health apps.

Generally, these mental health apps functioned like many other apps on your phone. For example, some of these apps were sharing unique IDs associated with individual devices that tech companies use to track what a user does across other apps. That information can be (and is) combined with other data for targeted advertising. While consumers may know that many apps track their use of all the apps on their phone, should mental health apps be doing that too? And what prevents them from tracking their users in this way?

Unfortunately, most of these apps operate in a gray area of the law. For example, in most cases, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not apply to these apps. Consumers can’t assume that they are protected under HIPAA just because health information is input into the app. And, while some of these apps say that they won’t use sensitive data (such as medical symptoms) for targeted advertising, they may not treat the fact that you’re using the mental health app as sensitive data in and of itself. This means that an app could use the fact that you’re using a mental health app in combination with other data points to determine which ads to show you. Have you read the privacy policy in your app?

Additionally, which third parties might be getting your data? Several mental health apps say in their privacy policies that your data may be shared with researchers. Consumers might think that this means that de-identified information is combined with data from other users, to help researchers learn more about how to treat mental health. However, according to the report, some of the privacy policies of these apps are a bit fuzzy on the distinction between medical research and marketing or app-design projects.

The bottom line: these mental health apps are a great resource for consumers and can offer many benefits. However, before you download the app to your phone and start sharing highly personal, sensitive data, read the privacy policy so that you can make an informed decision about disclosing your data.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.