Ad tech companies are extensively tracking EU citizens on government websites, potentially exposing highly sensitive user data to third parties in breach of the GDPR, according to a new report.
Privacy compliance firm Cookiebot scanned 184,683 pages across the main government websites of all EU countries to compile its report, Ad Tech Surveillance on the Public Sector Web.
It found a shocking 25 out of 28 official government sites (89%) harbored ad tech trackers, despite these sites being non-ad funded. The largest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments. The UK was one of eight countries with just one tracking company present, although only Spanish, German and Dutch sites had no commercial trackers.
Health information can be particularly sensitive and there are strict requirements in the GDPR to keep it safe. However, over half (52%) of landing pages with health information were found to harbor ad trackers.
The worst offender was the Irish health service, with 73% of landing pages containing trackers. Information on HIV, abortions, alcoholism and mental illness was being tracked, according to the report.
In total, 112 companies were identified using trackers that send data to a total of 131 third-party tracking domains. Worryingly, 10 of these companies actively mask their identity.
Cookiebot claimed that third-party JavaScript technologies are often used on government sites to power functionality like video players and social sharing widgets. However, it warned that these can also act as a Trojan horse “opening backdoors to the website code through which ad tech companies can silently insert their trackers.”
“More than nine months into the GDPR, a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” said Cookiebot founder, Daniel Johannsen.
“Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites.”