Headspace collects detailed health information including mental health history, medications, emotional state, and stress levels that you provide directly when using its services.
This analysis describes what Headspace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This is among the most sensitive categories of personal data, and its collection by a consumer app with both clinical and non-clinical features means different parts of the same dataset may be subject to materially different legal protections depending on how they were generated.
When you provide information about your mental health history, medications, or emotional state through Headspace, this data is collected and may be used for service delivery, personalization, and potentially analytics purposes; clinical health data collected through therapy or psychiatry features is protected by HIPAA, while similar data collected through coaching or wellness features may be subject to broader sharing permissions under the general privacy policy.
Headspace has changed this document before.
"We collect personal information that you provide to us such as... health and medical information, including mental health information, information about your physical health, medical history, health conditions, medications, and similar information... information about your emotional state, stress levels, and other mental wellness information." — Excerpt from Headspace's Headspace Privacy Policy
REGULATORY LANDSCAPE: Collection of mental health and medical data implicates HIPAA for clinical contexts, GDPR Article 9 (explicit consent required for special category health data) for EU users, CPRA's sensitive personal information framework for California users (which includes mental health data and requires a specific notice and opt-out right for use beyond necessary purposes), and state consumer health data laws. The FTC's health breach notification rule may apply if health information collected by a personal health record application is disclosed without authorization.
GOVERNANCE EXPOSURE: High. The collection of mental health data including medications, emotional state, and mental health history in a consumer app context creates significant regulatory exposure because the same categories of data may be governed by different regimes depending on the feature through which they were collected. Data minimization requirements under GDPR and the sensitivity-based restrictions under CPRA require careful scoping of collection purposes and retention limits.
JURISDICTION FLAGS: EU and UK users have the strongest protections via GDPR Article 9, which requires explicit consent for health data processing. California users are protected by CPRA's sensitive personal information rules. Washington State users may have rights under the My Health My Data Act for health data collected outside HIPAA contexts. Healthcare-adjacent mental health data may also engage state mental health confidentiality statutes in various US jurisdictions.
CONTRACT AND VENDOR IMPLICATIONS: Any vendor receiving this category of data must be assessed for appropriate data processing agreements under GDPR and HIPAA BAA requirements where applicable. Vendors providing analytics or advertising services should not receive mental health or medication data, and data minimization controls should be verified in vendor contracts.
COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that consent mechanisms for collection of mental health and health data are differentiated by service context (clinical vs. non-clinical), that data retention periods for this category are defined and implemented, and that cross-border transfers of health data to non-adequate countries have appropriate safeguards under GDPR Chapter V. A data protection impact assessment may be warranted for large-scale processing of special category health data under GDPR Article 35.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Headspace.