image of Google logo

Nearly all councils hand user tracking data to marketing companies

Image credit: Dreamstime, E&T

A comprehensive scan for hidden advertising trackers on council websites in England and Wales revealed that 96 per cent track users, frequently without their knowledge, and are often breaching EU and UK privacy law. Tech giants Google and Facebook were found to be heavily involved.

In collaboration with the Danish privacy and analytics company Cybot, E&T ran a large-scale analysis by sifting through nearly 1.3 million pages across 408 council websites. This found that 96 per cent of websites were deploying marketing trackers and cookies, many of them without the users’ knowledge. 

Forty-one councils deployed more than 100 open and hidden trackers on their websites. On average, councils deployed 36 trackers, with an average of 14 commercial companies constantly monitoring users' behaviour on each site.

Distribution of councils and ad trackers

Image credit: E&T, Cybot

Daniel Johannsen, CEO of Cybot, explains the problems with having so many, often illegal, ad trackers on public service websites: “It is a gigantic data breach that is clearly not aligned with the legal requirements on some very basic things, that can be easily tested. The websites put citizens at risk and expose [councils] to legal risks both on the GDPR and in regards to the e-privacy directive, which requires consent and transparency for this kind of tracking. Most of them are not even close to complying. In general, it is quite a sad picture."

Are councils breaking the law?

Three of the councils most aggressively tracking users portray the predatory nature of ad-tech companies on these public service websites. One privacy consultant comments that they also show how to break UK and EU privacy laws. 

For Wrexham County Borough Council,

269 marketing trackers were located via 113 domains and 112 companies. Many of these ad-tech firms that the public may have never heard of. Their practice would not honour privacy law, according to Jamal Ahmed, a privacy consultant at Kazient.

Ahmed’s assessment is based on the fact that the site would "automatically deploy marketing cookies" and that it "should offer users the option to consent to marketing cookies. This option should not be pre-ticked”. Also, it fails to offer users the option to opt-out of accepting analytics cookies.

Similarly, the Enfield Council website, with 238 ad-trackers, features an extensive data privacy notice on its site. Ahmed says due to marketing cookies being pre-ticked, it would breach EU and UK privacy law in a similar fashion.

The website of North Somerset Council, following the user via 225 trackers, has a similar extensive privacy statement.

Ahmed says it breaks privacy law because it also automatically deploys marketing cookies. It should, but does not, offer users the option to consent to marketing cookies and fails to offer users an option for accepting analytics cookies.

“It is profoundly shocking and appalling to learn that local government websites are illegally facilitating and deploying marketing trackers with such aggression,” he adds. 

Behavioural monitoring trackers for targeted adverting, can be very intrusive and, and is a total violation of an individual’s human right to privacy

Jamal Ahmed, a data privacy consultant

Ahmed explains that both the Information Commissioner's Office (ICO) guidance and recent case law make it very clear that the deployment of such cookies without the necessary fair processing notice and obtaining valid consent is deemed illegal. E&T's findings provide clear evidence that local councils are in violation of privacy legislation and therefore exposed to potentially significant fines.

The reason for finding so many trackers, Johannsen explains, is that many are hidden. He says some site owners are probably not aware of their tracking. "There are many sites embedding different services that function as a backdoor or a trojan horse. Plugins or scripts that website owners can easily plug into their websites that provide social sharing buttons, for instance, are often to blame. Once installed, they hand over the control of their website to these plugins”.

Johannsen adds that the technology to spot hidden trackers used by local authorities, researchers and universities currently lacks sophistication and would fail to reveal the real picture. “That is because they look for a certain type of cookies. But there is a whole range of other types of cookies.”

For instance, the cookie policy on Wrexham County Borough Council, a local government principal area in North Wales, mentions only a fraction of the cookies that are actually in use on the site”, Johannsen explains.  It declares three advertising cookies while there are in fact 269 marketing cookies from 112 commercial ad-tech companies. In total, they list 27 cookies where the real figure is 376.

Jan Penfrat, senior policy advisor at the international advocacy group European Digital Rights (EDRi), reviewed the results obtained by E&T and Cybot. He expressed surprise that public authorities such as city councils seem to be ignoring the online protection of citizens at such a large scale. 

"It is a depressingly common practice. Implementing third-party code into a public service website and missing a tracking function is careless. But embedding over 200 third-party marketing trackers that collect information about every step citizens take is even worse". 

Councils are tracking members of the public visiting their websites to a shocking level, according to Silkie Carlo, director at human right think tank Big Brother Watch, a civil liberties and privacy campaigning organisation. Speaking to E&T, she said: "We visit these sites to access vital public information, find essential services and pay bills. But councils are exploiting the public need for basic information to take notes on us and sell them to marketers. This raises serious legal and ethical questions".

What we are seeing here is that [councils] monitor which pages you are using and how much time you are spending on each site, Johannsen adds. Also if there are online forms, they typically register the purpose of the form and sometimes the fields on the form, to understand what the form is about. It is different for each tracking company. They monitor your unique user ID and follow your browser history and create a profile. 

Mark Alan Richards, a software engineer and online privacy researcher, says that if we walked into a council office and asked a member of staff for information about funerals, hospice care, adoption, paying penalties, and other things, we would be horrified if that conversation was recorded and shared with advertisers in a fashion in which they could identify us. "But for some, when they use their web browser to have this same conversation, to ask for information from their council, this is obviously happening".

Johannsen argues that "when you allow these commercial companies to track users, it tells them a lot of things that can be used in different contexts. For example, if you are applying for insurance, the insurance company can buy your data. Should you have some kind of illness, your own data will be turned against you. The same applies for applying for a job or a loan, you might find yourself in a less privileged situation, all based on you visiting the council’s website". 

Richards sees two major risks with so many trackers on UK public councils’ websites. "When data is being tracked by marketing companies, that can go against you. You may not want to be harassed by legal services during a time when a child is being taken away from you". 

Wokingham’s council website was found to share data on visitors' looking to organise funerals. The advertising page reveals that this data is shared with advertising companies for a profit, Richards spotted.

The other risk involves the question "what happens when one of these tracking companies leak and lose data". Previous examples including Facebook–Cambridge Analytica data scandal and the Equifax data breach show that the risk is very real, he says. “We don't know the risks on how secure these advertising companies are". 

Google and Facebook involved

Google and Facebook remain adamant in their claims that they take data privacy seriously. Not only are they the largest players in the marketing tracking business but also they are the ones that make the largest claims about data privacy, Richards adds.  

But Google, Facebook and Twitter all have a very significant presence on these public service council websites, E&T found. Among the 408 council websites, trackers by Google were found on 384, or 94 per cent. Facebook was found in 117 instances or 29 per cent.

It enables them to combine the data they already have on you. If you seek help on a specific subject on councils’ sites, they can combine this information with other activities on other websites, Johannsen adds. 

Richards says that councils using tracking by Twitter or Facebook, is typically not anonymous. People who work in the industry would be well aware of that fact, but how is this being regulated? Data protection laws have been around since 1998.

Johannsen says he hopes that councils are not selling the data. "After all, these [council] sites should not be dependent on income from online ads". 

But there are signs that is exactly what is happening, E&T found. Many councils would be involved in schemes to help supplement their income by selling users’ data.  

E&T interviewed Lloyd Clark, the managing director of the Council Advertising Network (CAN), a company working for and with UK councils to implement digital adverting within the public sector. CAN is currently working with 50 UK councils to generate income via data from users arriving on council websites, he told E&T.

North Somerset is one of CAN’s "partners". When asked about the statement made by Jamal Ahmed that the North Somerset council website would legally breach privacy law, he says" “It could be that North Somerset is in the state of deploying a tool. I don't know the particulars of North Somerset.” 

Asked whether his organisation's business of online tracking people on councils websites is a lucrative stream of income, he says: “It is trying to take advantage of a public asset, an asset taxpayers pay for to generate income. It really depends on the council or the public sector body".   

When E&T contacted North Somerset council and ask about whether they would be aware that income is generated via marketing tracker and cookies, a representative claimed she would be unconscious of it. 

Last March, Cybot launched a study that revealed many government and public sector health websites in the EU use commercial ad-tech trackers pervasively. Johannsen thinks the findings on councils are even graver compared to those on EU public websites: "I think it is worse because there are so many companies operating. There is such a high percentage. It really looks like a structural problem". 

[Councils] are extraordinarily careless in letting their system suppliers deploy these trackers, which in the majority of cases simply shouldn’t be there, Ross Anderson, professor of security engineering at the University of Cambridge told E&T. "It happens all the time and it shouldn’t be happening. The Information Commissioner should have cracked down on it years ago".

What should local authorities do now? Ahmed advises that councils which are not gaining the explicit consent of the users should immediately cease and desist the deployment of such cookies on their websites. Data protection officers with little understanding of privacy compliance in practice should seek assistance. "Local government is not above the law and has a duty to comply with privacy legislation”, he says. 

E&T recently revealed how UK charity Crimestoppers was found to breach privacy law


Data methodology: 

5,000 pages on each council of the 408 council domain were scanned - in total 1,297,741 pages, 3,180 pages on average per site in the period 25-30 October 2019.
The sites set between 0 and 377 cookies and other types of trackers. Not all of them are used for marketing purposes, but those were found to be the most intrusive ones in terms of privacy, according to Cybot. In this study, all cookies and other trackers were catalogued but the focus was on the marketing-trackers.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles