Dutch suicide hotline 113.nl shared visitor location, browser, device, referrer, and screen recordings with Google and Microsoft without GDPR-required consent.
Key Takeaways
Ethical hacker Mick Beer (Hackedemia.nl) found 113.nl sent data to Google regardless of cookie consent; Microsoft received data only with consent accepted.
Shared data included the referring URL before visiting 113.nl, enabling profiling of likely-vulnerable users by Google and Microsoft.
GDPR classifies contact with an anonymous suicide hotline as sensitive medical data, requiring stricter protections than standard analytics.
Stichting 113 suspended all measurement and analysis tools after disclosure; it has not confirmed whether trackers will be re-enabled.
The foundation described the leaked data as “technical metadata,” not conversation content, but researchers note even a page visit is sensitive.
Hacker News Comment Review
Core technical reality: this is standard Google Analytics added by a non-technical nonprofit team, not deliberate data brokering – but commenters note that intent does not change GDPR liability or real-world risk.
Commenters split on framing: some call it criminal negligence by institutions handling medical data; others argue the headline overstates a routine analytics mistake common across nonprofits.
A subset of commenters pointed to hotline efficacy research as context, noting that the 988 US hotline reduced suicide rates by 11%, pushing back on dismissals of the hotline model itself.
Notable Comments
@simonw: “Dutch suicide prevention hotline website uses Google Analytics” – flags headline framing as misleading.
@bondarchuk: frames this as criminal negligence rather than malice; government medical-data handlers still deploying GA after 20 years reflects systemic enforcement failure.