Dutch suicide prevention website shares data with tech companies without consent

The Dutch suicide prevention website 113 shared visitor data with third-party companies, including Google and Microsoft, without user consent, prompting an investigation and temporary suspension of data sharing practices.

Research conducted by ethical hacker Mick Beer of Hackedemia.nl revealed that the Dutch suicide prevention site 113 shared technical data—such as location, browser type, device details, and screen recordings—with third parties, including Google and Microsoft. This occurred even when visitors did not accept cookies or give explicit consent, raising serious privacy concerns.

Following the findings, Stichting 113, the organization operating the website, temporarily disabled all measurement and analysis tools to cease data sharing. The organization stated it is investigating the incident, assessing potential impacts, and has not yet announced whether these tools will be reactivated.

Why It Matters

This development is significant because it involves the potential violation of the General Data Protection Regulation (GDPR), which mandates strict protections for sensitive personal data, including data related to mental health and suicide prevention. The incident raises concerns about the privacy and security of vulnerable individuals seeking help online and the accountability of organizations handling such data.

Background

The website 113 is a critical resource for individuals in the Netherlands experiencing suicidal thoughts or mental health crises, providing confidential support channels. The revelation of data sharing practices comes amid broader scrutiny of online privacy and data protection laws. Prior to this incident, the site was considered a trusted resource, but the research exposes potential vulnerabilities in its data handling procedures.

“Anyone who surfed to the 113 website left a digital footprint behind. Google and Microsoft can use this information to build general user profiles.”

— Mick Beer, ethical hacker

“It concerns technical data regarding a website visit, so-called metadata. We realize that visitors must be able to trust that their privacy is protected and regret that concerns have arisen.”

— Stichting 113 spokesperson

What Remains Unclear

It remains unclear whether the data sharing was intentional or a technical oversight, and whether any sensitive information from help-seekers was actually compromised. The full scope of the incident and its potential impact are still under investigation.

What’s Next

The organization plans to complete its investigation, determine if any GDPR violations occurred, and decide whether to resume data collection practices. Further updates are expected as the investigation progresses, including possible policy changes or legal actions.

Key Questions

Did the website share any actual conversation or chat data?

No, the organization stated it shared only technical data about website visits, not substantive conversation or chat content.

Could this data sharing have harmed users seeking help?

It is currently unclear if any harm occurred. The data shared included metadata like location and device info, but not personal chat content.

Will the website resume data sharing in the future?

The organization has not confirmed whether data sharing will be resumed; it is currently under review as part of their investigation.

What legal implications might this have?

If found to violate GDPR, the organization could face fines or sanctions. The investigation will clarify whether laws were breached.

How are users supposed to trust the site after this incident?

The organization has expressed regret and is taking steps to improve privacy protections, but trust will depend on transparency and corrective actions taken.