Mozilla’s latest *Privacy Not Included guide called out 29 mental health and prayer apps handling privacy poorly. Since then, six companies have said ‘mea culpa’ and changed their practices. But the industry as a whole remains untrustworthy.


Update: Calm, one of the most popular meditation apps, now allows all users to access and delete their data, effective June 16, 2022.

What’s the price for using mental health and prayer apps? Data, data, and some more data.

The latest edition of Mozilla’s *Privacy Not Included consumer tech guide revealed how spectacularly mental health and prayer apps neglect users' privacy, harvest sensitive personal data, and capitalize on it as a business asset.

Following the publication of the report on May 2, 2022, five of the 28 apps that received a privacy warning label for failing to meet Mozilla’s privacy and security standards have responded by updating their privacy policies, revising third-party data sharing practices, and making changes to password requirements and screening. Some apps, such as Breathe, Think, Do by Sesame, hadn’t publicly updated their privacy policy since 2013!

The six apps implementing these changes are Recovery Record; Hallow; Breathe, Think, Do by Sesame; Modern Health; Woebot, and recently Calm.

We applaud the companies that have made changes in response to our *Privacy Not Included buyer’s guide and we hope others will follow. Mental health apps provide a vital service to millions of people, particularly at this challenging time. Unfortunately, the changes we are witnessing show how these apps failed, and sometimes still fail, to protect their users. Offering mental health services should not come at the expense of users’ personal information. We are glad that this crucial research is eliciting interest and real-time change.

Ashley Boyd, Vice President, Advocacy and Engagement, Mozilla


Here’s a round-up of the notable changes:

Data sharing with third parties. Recovery Record now clearly states that it won’t sell or share data with third parties for direct marketing purposes. This follows a review of their policy dated May 2, 2022, in which they removed vague consent caveats such as “unless we have your permission” and “for any purpose”, which referred to the use of aggregate data (data gathered from multiple sources).

Now requiring strong passwords. The Hallow and Recovery Record apps have also changed their password requirements to at least eight characters and will flag weak, repetitive or sequential passwords. Previously, Mozilla’s review noted that eight apps did not require strong passwords, accepting passwords ranging from “1” to “1111111”. The Moodfit app still accepts a single-digit password.
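An added example, not code from Mozilla or from any of the apps named here: one way a sign-up form could apply the checks described above (an eight-character minimum plus flagging of repetitive and sequential passwords). The `MAX_RUN` threshold and all function names are assumptions; the sample passwords are constructed, apart from “1” and “1111111”, which the review cites.

```python
MIN_LENGTH = 8  # minimum length stated in the article
MAX_RUN = 3     # assumption: longest tolerated repeated or sequential run

def longest_repeat_run(pw: str) -> int:
    """Longest run of one repeated character, e.g. 'a1111' -> 4."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def longest_sequential_run(pw: str) -> int:
    """Longest ascending or descending run, e.g. 'abcd' or '4321' -> 4."""
    best = run = 1 if pw else 0
    step = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, 0
        best = max(best, run)
    return best

def is_repeated_block(pw: str) -> bool:
    """True if the whole password is one block repeated, e.g. 'abababab'."""
    return len(pw) > 1 and pw in (pw + pw)[1:-1]

def check_password(pw: str) -> list[str]:
    """Return the list of policy findings; an empty list means accepted."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if longest_repeat_run(pw) > MAX_RUN or is_repeated_block(pw):
        findings.append("repetitive")
    if longest_sequential_run(pw.lower()) > MAX_RUN:
        findings.append("sequential")
    return findings

if __name__ == "__main__":
    # "1" and "1111111" are the examples from the review; the rest are constructed.
    for sample in ["1", "1111111", "12345678", "abababab", "correct-horse-42"]:
        print(f"{sample!r:20} -> {check_password(sample) or 'accepted'}")
```

Length and pattern checks like these catch only the crudest choices; screening against a list of known-breached passwords is a common complement.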

Monitoring and responding to privacy concerns. After a series of conversations between Mozilla and Calm, the company has updated its privacy policies and now grants all its users the right to access and delete their data, regardless of their location. The Modern Health and Breathe, Think, Do by Sesame apps acknowledged that they hadn’t been monitoring their email hotline for privacy-related questions, but have started to do so. Woebot also referenced Mozilla’s findings and has worked to help clarify some of the confusing language in their privacy policy. They also now state in their privacy policy that all users have the same rights to data access and deletion.
