When “Help” Websites Get Data Protection Wrong: An EMCAT Review

Introduction

Reaching out for addiction help isn’t easy. For many, visiting a website or picking up the phone happens in a moment of real crisis - they’re dealing with health, family, work, and a heavy load of shame. How these sites handle personal data isn’t just a technical box to tick; it’s about ethics and trust.

That’s why we took a close look at a range of UK-based patient-brokerage, referral, and home-detox websites. We focused on privacy policies, who’s actually controlling the data, and what these sites say about how they handle people’s information. What we have found gives rise to significant concern.

A pattern of problems, not just the odd mistake In reviewing a number of patient-brokerage and home-detox referral websites, EMCAT identified recurring problems including outdated or inaccurate privacy policies, unclear or misleading identification of the data controller, reliance on implied “consent” in a healthcare context, and cookie and tracking practices that fall short of UK GDPR standards.

These issues matter because addiction treatment enquiries frequently involve sensitive health data and moments of acute vulnerability. Transparency and lawful data handling are not technicalities here - they are ethical fundamentals.

EMCAT has previously worked with the Information Commissioner’s Office on data-protection concerns in this sector, and this review forms part of our ongoing effort to raise standards and protect patients and families at the point of first contact.

We’re not here to single anyone out, but across the board, the same issues kept popping up:

- Privacy policies still mention old laws or ignore current UK GDPR rules entirely.

- Many sites name data controllers that don’t exist, have been dissolved, or are just plain unclear.

- They lean too much on “implied” or automatic consent, which is a big problem in healthcare.

- Some statements about data sharing are flat-out misleading - especially when it comes to health data.

- Cookie and tracking disclosures don’t meet the standards set by UK GDPR and PECR.

- Users aren’t properly told what their rights are, or how to use them.

Maybe you could write off one or two of these as carelessness. But together, they point to something bigger - a real, ongoing problem in parts of addiction marketing.

Why this hits harder in addiction treatment

Addiction treatment is different. The stakes are higher. People reaching out are often sharing highly sensitive health details, sometimes at the urging of family or an employer, and they’re usually making tough decisions under serious stress.

So when data protection fails here, it’s not just a technicality. It breaks trust. It undermines real, informed consent. It puts vulnerable people at risk. You can’t call your service “neutral” or “supportive” if you’re hiding who’s behind the scenes, where the data ends up, or what your legal grounds are. Even if the rules are fuzzy, it’s still not right.

Regulatory context

We’ve worked with the Information Commissioner’s Office (ICO) before on these kinds of issues. We know what UK GDPR expects - transparency, accountability, up-to-date privacy info, clear legal bases for processing, and special care with sensitive health data. The problems we found raise serious questions under all of these points.

What EMCAT does

Our job is to shine a light on these problems, get people talking, and push for real fixes. If an operator can put things right, they should. But if dangerous or misleading practices stick around - especially when these sites act as the first stop for people seeking treatment - then regulators need to step in. Protecting patients and families always matters more than an operator’s convenience.

What good looks like

At the very least, any group working in this space should:

- Clearly name a real, active data controller

- Use privacy info that’s up to date with UK law - not copied from an old template

- Make consent clear, informed, and suitable for the situation

- Be upfront about data sharing and referral partners

- Follow cookie and tracking rules under UK GDPR and PECR

- Make sure people know their rights and how to use them

If operators can’t meet these basics, they’re eating away at public trust - something this field can’t afford to lose.

Next steps

We’ll keep a close eye on this area and work with operators, regulators, and policymakers to raise standards. If we have to, we’ll push for tougher action to protect people and keep addiction treatment marketing ethical.

Getting this right isn’t optional. Trust in the whole sector starts with that first click.