Councils are sharing information about users of their websites – including when they seek help with a benefit claim, or with a disability or alcoholism – with dozens of private companies.
More than 400 local authorities allowed at least one third-party company to track individuals who visit their sites, an investigation has revealed.
Some councils were found to be letting companies track use of sensitive sections of their sites, such as when people were seeking financial help or support for substance abuse.
Data obtained from cookies tracking where users go online can be sold by data brokers for profit.
Critics have argued that council websites serve a public purpose and should not let outside firms monitor their users’ activity, especially given the sensitive nature of some visits.
Wolfie Christl, a technologist and researcher who has been investigating the ad-tech industry, said: “Public sector websites and apps should not use invasive third-party tracking at all.”
Johnny Ryan, the chief policy officer at the anonymous web browser Brave, who analysed council websites and shared the findings with the Guardian, said: “Private companies embedded on council websites learn about you. This happens even on the most sensitive occasions, when you might be seeking help from your council.”
Brave used open-source tools to see what companies were present on certain webpages. They found 409 council websites in the UK allowed private companies to receive data about their visitors.
Twenty-three councils let data brokers – businesses that collect personal information about consumers and sell that information to other organisations – learn when someone visited their site.
On Enfield borough council’s site, a page for people who need financial support for accommodation and food allowed 21 companies, including Google, to see who was visiting.
A page on Sheffield city council’s website for people seeking help for substance abuse shared data about visitors with at least 20 companies, including seven data brokers.
Ealing’s special educational needs and disability page allowed at least 21 firms to access data about visitors.
Almost 7 million people are served by councils that allow one data broker, LiveRamp, to track people on their sites. The company used to be part of Acxiom, a group that sold electoral profiles to Cambridge Analytica.
Companies track online activity through cookies, pixels and other trackers. When embedded in a browser, these bits of code can let users be traced around the web. While they don’t identify personal details such as name or address, they identify a user’s viewing habits – such as which page was loaded at a specific time.
While many websites including the Guardian use cookies, Ravi Naik, a data lawyer at AWO, suggested that their use on council websites was problematic because of the nature of the details being shared. He said: “We have most of our conversations with the state through local authorities and because of that involve more sensitive and personal information.”
It is now prohibited for companies to share data on protected categories without explicit consent. This means before information on health, sexual orientation, race and political opinions is collected, the user must agree to the specific sharing of their “special category” data.
Companies say they have consent via people accepting cookies. However, Brave’s report found that while some websites may have stated they used cookies, no users clicked on any buttons to accept or opt out of this process.
The law states consent must be informed and based on an explicit affirmative action. The Information Commissioner’s Office (ICO) said: “To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent.”
Ryan said: “We used an automatic system to load each council’s webpage. All it does is load the site. It is not able to click buttons. All of the tracking revealed in our research happened without consent.”
Mark Gannon, the director of business change and information solutions at Sheffield city council, said cookies were used on its website, “and we require the consent of all customers to store or retrieve any data on a computer, laptop, smartphone or tablet”.
The report states that when the Sheffield council website was loaded, companies could track someone without clicking on anything.
Sheffield council said it used an Internet Advertising Bureau (IAB) transparency and consent framework tool provided by the Council Advertising Network. The network said: “No cookies whatsoever are installed for data brokerage purposes – this suggests that data collected from the website is being sold on, and it is not.”
Ealing council said it believed its approach was “compliant with the requirements of GDPR”. However, it noted: “This is a complex and ever-evolving area which needs to be kept under review.”
Enfield borough council in north London did not provide a comment.
LiveRamp said it was no longer a part of Acxiom and it had never “sold UK electoral profile information to Cambridge Analytica”. It said it operated in compliance with jurisdictional laws and worked “diligently to detect and prevent the misuse of data”.
A further 198 councils use real-time bidding (RTB) – when a web user loads a page, thousands of potential advertisers bid to serve them an advert in the blink of an eye. It means people’s data is being broadcast all over the internet to hundreds of companies. The ICO has been investigating the practice.
Naik said there were two main issues. “The micro issue is: are councils really informing people about what is going on? The macro thing is the real-time bidding ad industry. There is an ongoing complaint to the Information Commissioner’s Office about this practice. They have already said they consider the practice unlawful.”
Naik said it was hard to tell whether councils were making money from it. “But I imagine to councils it seems like a win-win situation.”
A Google spokesperson said it did not build advertising profiles “from sensitive interest categories, including from sites offering help to address personal hardships, and we have strict policies preventing advertisers from using such data to target ads”.
They told the Guardian that third-party cookies could be used to better enable basic site functions or to serve and measure advertising.
