An open letter signed by 38 privacy campaigners and academics is asking the UK charity sector to consider the potential harm that can come to users of their websites by allowing advertising companies to build profiles based on highly sensitive information.
The letter is signed by campaigners and academics from organisations such as Big Brother Watch, Oxford University and UCL. It comes on the back of a report published by ProPrivacy in September, highlighting the widespread use of AdTech trackers amongst UK charities.
ProPrivacy found that charities, like many other businesses, often use third-party advertising companies to assist in their marketing, and that many charities have these trackers embedded on pages covering highly sensitive and personal topics.
Over time, it says, this could mean that the topics of these pages might be used by data brokers and other AdTech companies to build profiles of users. For example, an AdTech company might infer that a user has a drinking problem, mental health issues or is terminally ill based on the pages that a user visits.
Looking at the top 100 UK charities (based on YouGov data), ProPrivacy identified which third-party trackers charities were using and whether they complied with GDPR and PECR guidance by not tracking users until consent was given.
It developed an in-house tool to detect third-party HTTP requests and cookies on domains. The tool, which it plans to make publicly available, inspects the loading process of the given URL and looks for external links and other references that possibly belong to user tracking. It also manually accepted cookies on each page of the Top 100 charities’ sites to understand exactly which trackers were loading for each one.
It also analysed cookie consent processes, noting whether elements loaded before or after consent was given and whether revoking consent had any technical impact on trackers. The content of each website was also explored, with ProPrivacy logging those pages covering potentially sensitive subjects that could be used for granular profiling, and again verifying the presence of trackers on those pages.
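As an added illustration (not ProPrivacy's tool, which the article does not show), the before/after-consent check described above can be sketched over a request log captured during a page load. The hostnames, log fields, suffix set and "essential" allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption; a real audit should use the full PSL).
TWO_LABEL_SUFFIXES = {"org.uk", "co.uk", "ac.uk"}

def site_of(host):
    """Approximate the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def audit(page_url, entries, consent_ms):
    """Group third-party requests by site, split at the consent click.
    consent_ms=None means consent was never given, so everything is pre-consent."""
    first_party = site_of(urlsplit(page_url).hostname)
    report = {}
    for e in entries:
        site = site_of(urlsplit(e["url"]).hostname)
        if site == first_party:
            continue  # subdomains of the charity itself are first-party
        pre = consent_ms is None or e["t_ms"] < consent_ms
        r = report.setdefault(site, {"pre": 0, "post": 0, "pre_cookies": set()})
        r["pre" if pre else "post"] += 1
        if pre:
            r["pre_cookies"].update(e.get("set_cookies", []))
    return report

def flagged(report, essential=()):
    """Third-party sites contacted before consent, minus an auditor-supplied allowlist."""
    return sorted(s for s, r in report.items() if r["pre"] and s not in essential)

# Constructed sample log: request URL, ms since navigation start, cookie names set.
PAGE = "https://www.helpline.example/advice/alcohol-support"
ENTRIES = [
    {"url": PAGE, "t_ms": 0, "set_cookies": ["session"]},
    {"url": "https://cdn.helpline.example/site.css", "t_ms": 40},
    {"url": "https://banner.cmp.example/consent.js", "t_ms": 120},
    {"url": "https://pixel.adtech.example/collect?p=alcohol-support", "t_ms": 310,
     "set_cookies": ["uid"]},
    {"url": "https://pixel.adtech.example/collect?ev=accept", "t_ms": 5100},
    {"url": "https://sync.broker.example/match", "t_ms": 5200, "set_cookies": ["bid"]},
]
CONSENT_MS = 5000  # constructed: moment the visitor clicked "accept"

if __name__ == "__main__":
    rep = audit(PAGE, ENTRIES, CONSENT_MS)
    for site in sorted(rep):
        print(site, rep[site])
    print("pre-consent, non-essential:", flagged(rep, essential={"cmp.example"}))
```

Running the same audit with `consent_ms=None` models a visitor who never accepts, and comparing the two reports shows which trackers depend on consent at all.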
- 21% are sharing data directly with data brokers – These companies build detailed profiles of people that their partners and customers can later use for targeted advertising.
- 31% contain trackers belonging to real-time-bidding platforms – Real-time bidding raises privacy concerns because data is broadcast to hundreds or thousands of partners and there is no technical way to understand where this data ends up and what they might use it for.
- 92% of the top 100 UK charities failed to meet some element of GDPR. 84% of them loaded marketing cookies and other non-essential trackers on a user’s device before consent was given. ProPrivacy estimates that the aggregate fines for these charities alone could be anywhere from £707m to more than £1.41bn.
More information on the technology, as well as examples from charity sites, can be found in its report.
Sean McGrath, lead researcher on the project, commented:
“Charities perform a vital role in society. Given recent events around the world, we are reminded just how important they really are. Unfortunately, by allowing data brokers and other AdTech companies to gather user data on charity pages dealing with profoundly sensitive topics, charities are inadvertently misplacing the trust that their users place in them when visiting their website for help and advice.
“The AdTech industry is deeply complex and it is almost impossible to say where user data ends up or what it might eventually be used for. We call on all UK charities to properly audit their websites to understand which third-party elements are loading on each page and remove potentially invasive elements from pages that handle sensitive topics.”