A Suicide Prevention Site Was Leaking Visitor Data to Ad Tech

├── "Sharing crisis visitors' data with tech firms is a severe violation of trust and GDPR protections for health data"
│  ├── NL Times (NL Times) → read

NL Times broke the story that 113 Zelfmoordpreventie was transmitting visitor data to third-party tech companies without consent. Their reporting frames this as a clear violation, noting that visitors to a suicide prevention service have an expectation of privacy that was breached by embedded tracking scripts silently exfiltrating sensitive data.

│  └── @giuliomagnifico (Hacker News, 133 pts)

Submitted the story to Hacker News where it garnered significant attention (133 points), signaling the community views this as a serious privacy violation worth amplifying. The high engagement suggests widespread agreement that a suicide hotline sharing visitor data crosses a fundamental ethical line.

├── "This is part of a systemic pattern where healthcare and crisis organizations unknowingly leak sensitive data through ad-tech tracking pixels"
│  └── top10.dev editorial (top10.dev) → read below

The editorial draws a direct line between this incident and the 2022-2024 US healthcare tracking pixel scandals documented by The Markup. It argues the failure mode is structural — organizations embed third-party JavaScript like Meta Pixel and Google Analytics without understanding that these scripts silently collect page URLs, form interactions, and device fingerprints, which on a crisis site constitute health-related personal data under GDPR Article 9.

└── "Visiting a suicide prevention website constitutes health data that requires explicit consent under GDPR's special category protections"
  └── top10.dev editorial (top10.dev) → read below

The editorial makes the legal argument that a visit to a page titled 'I'm thinking about suicide' — combined with an IP address, device fingerprint, and timestamp — unambiguously constitutes health-related personal data under GDPR Article 9. It emphasizes that this data falls into the regulation's most protected territory, requiring explicit consent that was never obtained from crisis visitors.

What happened

Dutch suicide prevention organization 113 Zelfmoordpreventie — the Netherlands' primary crisis line and online mental health resource — has been caught sharing website visitor data with tech companies without obtaining user consent. The story, first reported by NL Times on May 13, 2026, reveals that the organization's website was transmitting visitor information to third-party companies, likely through embedded tracking scripts and advertising pixels.

The specifics follow a pattern that will be grimly familiar to anyone who tracked the US healthcare tracking pixel scandals: organizations embed third-party JavaScript — typically Meta Pixel, Google Analytics, TikTok Pixel, or similar ad-tech SDKs — on their websites. These scripts silently collect and transmit page URLs, click events, form interactions, IP addresses, and device fingerprints to third-party servers, regardless of how sensitive the page content is. When the website in question is a suicide prevention service, the data being exfiltrated includes implicit signals that a visitor is experiencing a mental health crisis.

This isn't a theoretical privacy concern. A visit to a page titled "I'm thinking about suicide" or "Help me now" — combined with an IP address, device fingerprint, and timestamp — constitutes health-related personal data under any reasonable interpretation of European data protection law.

Why it matters

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) enforces GDPR in the Netherlands, and this case sits squarely in the regulation's most protected territory. Article 9 of the GDPR designates health data as a "special category" requiring explicit consent or another narrow legal basis before processing. A visitor to a suicide prevention website has not consented to their crisis being monetized as a data point in an advertising profile.

This is not a novel failure mode. Between 2022 and 2024, The Markup and other investigative outlets documented how major US hospital systems — including Advocate Aurora Health, Novant Health, and dozens of others — had embedded Meta Pixel on patient portals, appointment scheduling pages, and even inside authenticated health records. The data transmitted included symptoms searched, doctors viewed, and appointments booked. Meta received this data and, by its own admission, could not guarantee it wasn't used for ad targeting. The fallout included class-action lawsuits, HHS guidance, and FTC enforcement actions.

The Dutch case is arguably worse. Hospital websites serve a broad population for routine care. A suicide prevention website serves people in acute psychological distress — a population that is, by definition, vulnerable. The reputational harm alone could deter people from seeking help, which in the context of suicide prevention is not a metaphor for damage — it is literal life-and-death impact.

The technical root cause is almost certainly banal. Most tracking pixel incidents aren't the result of a deliberate decision to share sensitive data — they're the result of a marketing team installing a snippet without understanding what it does, and an engineering team that never audited it. The JavaScript runs on every page. It doesn't know or care whether the page is a blog post or a crisis intervention form. It just fires.

The developer's role in this failure

This is where the story becomes directly relevant to practitioners. If you build or maintain websites that handle any sensitive context — healthcare, mental health, financial distress, legal aid, domestic violence resources, addiction services — the default posture of modern web development is actively hostile to your users' privacy.

Consider what a typical "just add analytics" workflow looks like:

1. Marketing requests Google Analytics and Meta Pixel for campaign attribution.
2. A developer adds the snippets to the global `<head>` tag or GTM container.
3. The scripts load on every page, including sensitive ones.
4. No one audits what data is transmitted or to whom.
5. Months or years pass. The scripts quietly exfiltrate data.

The fix is not complicated, but it requires treating tracking scripts as third-party code execution with the same rigor you'd apply to any dependency. Concretely:

- Audit your third-party scripts. Use the browser DevTools Network tab or a tool like `webpagetest.org` to see every outbound request your pages make. If you see requests to `facebook.com`, `google-analytics.com`, `tiktok.com`, or similar domains on sensitive pages, you have a problem.
- Implement consent-gated loading. Don't load tracking scripts until the user has given informed, specific consent via a GDPR-compliant consent management platform. "Legitimate interest" does not apply to special-category data.
- Use page-level exclusions. Even with consent, consider whether tracking belongs on crisis or health-related pages at all. A blanket GTM container that fires everywhere is a liability.
- Set Content Security Policy headers. CSP `connect-src` and `script-src` directives can enforce which domains your page is allowed to contact, providing a server-configured backstop against rogue scripts.
- Run regular audits. Third-party scripts update themselves. A pixel that was benign six months ago may now collect additional data. Automate outbound request monitoring in CI/CD if possible.
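The automated outbound-request audit suggested in the list above could look like the following. This is an added example, not code from the original article or from the 113 Zelfmoordpreventie site; it reads a HAR capture and reports every third-party request made from a sensitive page. The domains `crisis.example`, `tracker.example`, `beacon.example` and `notcrisis.example`, the path patterns, and the reliance on `pages[].title` holding the page URL are assumptions.

```javascript
// Assumptions: FIRST_PARTY and SENSITIVE are site-specific; all hosts below are placeholders.
const FIRST_PARTY = ['crisis.example'];
const SENSITIVE = [/^\/help-now(\/|$)/, /^\/chat(\/|$)/];

// Exact or dot-suffix match only, so "notcrisis.example" is not treated as first party.
function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith('.' + d));
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns one finding per third-party request issued from a sensitive page.
function auditHar(har) {
  // Assumes the page URL is stored in pages[].title, as in Chrome DevTools HAR exports.
  const pages = new Map(har.log.pages.map((p) => [p.id, new URL(p.title)]));
  const findings = [];
  for (const entry of har.log.entries) {
    const page = pages.get(entry.pageref);
    const target = new URL(entry.request.url);
    if (!page || isFirstParty(target.hostname)) continue;
    if (!SENSITIVE.some((re) => re.test(page.pathname))) continue;
    // Check whether the page path travels in the request URL or body.
    const body = (entry.request.postData && entry.request.postData.text) || '';
    const carried = safeDecode(target.pathname + target.search) + '\n' + body;
    findings.push({ page: page.pathname, host: target.hostname,
      method: entry.request.method, leaksPagePath: carried.includes(page.pathname) });
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const mk = (pageref, method, url, text) =>
  ({ pageref, request: { method, url, postData: text ? { text } : undefined } });
const SAMPLE_HAR = { log: {
  pages: [{ id: 'p1', title: 'https://crisis.example/help-now/chat' },
          { id: 'p2', title: 'https://crisis.example/blog/news' }],
  entries: [
    mk('p1', 'GET', 'https://cdn.crisis.example/app.js'),
    mk('p1', 'GET', 'https://tracker.example/collect?dl=https%3A%2F%2Fcrisis.example%2Fhelp-now%2Fchat'),
    mk('p1', 'GET', 'https://notcrisis.example/px.gif'),
    mk('p1', 'POST', 'https://beacon.example/e', '{"path":"/help-now/chat"}'),
    mk('p2', 'GET', 'https://tracker.example/collect?dl=https%3A%2F%2Fcrisis.example%2Fblog%2Fnews'),
  ] } };

// In CI, fail the job when this list is non-empty.
console.log(auditHar(SAMPLE_HAR));
```

Feed it a HAR exported from a scripted browser run over the sensitive pages. Image-pixel requests appear in the capture too, which matters because CSP governs them with `img-src` rather than `connect-src`.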

The systemic pattern

This incident is part of a broader pattern that the tech industry has been slow to address. The fundamental problem is an architectural one: the web's default model allows any JavaScript with page access to read the DOM, intercept form inputs, and make arbitrary network requests. Third-party tracking scripts operate with the same privileges as your own application code, and most developers treat them as fire-and-forget additions rather than the supply-chain risk they actually are.

The regulatory response is tightening. The EU's Digital Services Act, ePrivacy Regulation (still in negotiation), and aggressive GDPR enforcement by authorities in France (CNIL), Ireland (DPC), and the Netherlands (AP) have made tracking pixel compliance a board-level concern. Fines in the tens of millions of euros are now routine for large organizations. For a nonprofit like 113 Zelfmoordpreventie, even a modest fine could be devastating — but the real damage is to the trust of people who need help most.

In the US, the HHS Office for Civil Rights issued formal guidance in 2022 warning that tracking technologies on healthcare sites likely violate HIPAA. Several hospital systems paid multi-million-dollar settlements. The FTC has pursued similar cases under its unfair practices authority.

Looking ahead

The lesson for developers is straightforward but uncomfortable: you are the last line of defense. Product managers won't audit JavaScript snippets. Marketing teams won't read GDPR Article 9. Legal departments won't inspect network waterfalls. If you add a tracking script to a sensitive website without understanding its data flows, you are the proximate cause of the resulting privacy violation. The Dutch case is a reminder that this isn't just a compliance checkbox — for crisis services, it's an ethical obligation that outweighs whatever attribution data the marketing team thinks it needs.

Hacker News 133 pts 78 comments

Dutch suicide prevention website shares data with tech companies without consent

timcobb · Hacker News

It's telling, IMO, that Western cultures deal with suicidality with hotlines you can call. It's like some joke from gonzo journalism come to fruition. I don't know what the answer is, but as a person who's been suicidal, for me it wasn't a hotline. It's even more fitti

JohnFen · Hacker News

This kind of thing is why I wouldn't touch a site like that. Websites, service providers, and internet-connected software that collects data from you can't be trusted even a little, so I avoid them to the greatest degree I can. The rule of thumb is that anything you tell to them, or any da

simonw · Hacker News

"Dutch suicide prevention hotline shares visitor data with tech companies" is certainly one way of saying "Dutch suicide prevention hotline website uses Google Analytics".

deepriverfish · Hacker News

I thought Europe was more careful about things like this. This is pretty bad, these people are vulnerable and they're just mining their data for profit.

josefritzishere · Hacker News

If not illegal, it seems clear that is inappropriate.
