YoungMinds
Trading kids mental health conditions with ad systems
The YoungMinds website has a cookie banner like
We use cookies on this website to store user preferences, aid in accessibility and analyse our traffic. We do not store any personal or identifiable data.
Does that banner indicate that if you accept cookies, data will be collected by advertising and content personalisation systems of your browsing habits on the site? No
A child should be able to trust a children's charity, so accepting seems like the obvious choice.
When they do that, Facebook, LinkedIn and Google start collecting data to support their advertising systems. The domains don't always hide it either with collection from ads.linkedin.com and adservice.google.com.
They collect the page the child is visiting, perhaps on coping with Drugs and alcohol
Facebook, not happy with just the page being visited, also grabs some page data to help its advertising system
"title":"Drugs and Alcohol | Support For Young People | YoungMinds"
YouTube tracking
YoungMind's website includes a section for Young People with support articles, like this on Anxiety, that include video content.
The video content is hosted using YouTube embeds and therefore directing troubled children to the online harms risks of YouTube.
The embeds were also not using YouTube's privacy enhanced mode. Thus, from a privacy perspective this was a worse situation than the Childline situation currently.
As a result of this, identifiable data is being sent to YouTube, without user consent, from the YoungMinds website, about kids interest in Anxiety, a health condition. Data, that YouTube advises they will use for personalised adverts and video recommendations.
Is it fixed?
No.
Fundamentally, the integration is still an online safety risk and encourages the child to go to YouTube to watch videos about their problem.
The charity has swapped to YouTube Privacy Enhanced Mode, so faces much of the same data protection failings as the NSPCC.
Raising the complaint
30th November 2022, YoungMinds and the ICO received a complaint detailing how YoungMinds were sharing identifiable data with YouTube about users of their website. The complaint included an
30th January 2023, further checks of the page revealed the integration of Facebook, LinkedIn and Google Ads when their misleading cookie banner was clicked.
Their Response
After not hearing anything, on the 4th of January, I reached out to one of their staff on LinkedIn who consulted interenally and discovered that the complaint had gone into their spam folder.
They have acknowledged some of the problem and I have been advised that they are investigating this.
"We’re going to need a bit more time to fully understand and process everything, and decide how to respond to each point. We’ll get back to you once we’ve done a full assessment."
"..."
"we were very grateful that you pointed out that we were collecting cookies prior to a user opting in. We accept this is very poor practice"
15th February 2023: Final response?
The charity has decided that they are compliant. The closing of a case by the ICO has been seen as confirmation they are compliant.
So compliance apparently trumps morals: it's okay to invade kids privacy if it isn't breaching the law
But more worryingly, they are obviously not compliant and may have misunderstood what the ICO's case closure actually meant.
We have now, along with our external data protection support at GRCI Law, reviewed your email dated 30 January 2023.
At YoungMinds we take our data protection obligations seriously and always seek to be compliant with relevant legislation as well as the guidance issued by the UK’s Supervisory Authority, the Information Commissioner’s Office. The ICO has been satisfied with our report to them and informed us that they have closed this case. We must only operate within the compliance framework provided by the ICO, and therefore also consider this matter closed and will not enter into any further correspondence on this matter.