
Cookiebot GDPR compliance report

The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

Updated July 14, 2020.

When EU citizens visit their governments online, or when they access public health service resources about sensitive issues such as pregnancy, sexual health, cancer or mental illness, more than 100 commercial companies are systemically and invisibly tracking them.

Once collected, this data can be resold via data brokers to organizations both in- and outside the advertising industry.


In doubt whether your website is GDPR compliant? Test for free with Cookiebot consent management platform (CMP).

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Surveillance capitalism, personal data and the GDPR 

“I have HIV, now what?”, “I want to terminate my pregnancy”, “Signs of being an alcoholic”, “Insurance for cancer patients”.

These are queries that vulnerable citizens might pose to their government’s or public sector websites in the search for help and answers.

Despite the GDPR, EU citizens’ sensitive data is being wormed out by lingering third parties in the online spaces where they should feel most safe: public sector websites in the European Union.

Almost ten months into the enforcement of the GDPR, we scanned the EU governments’ websites with the Cookiebot CMP technology, detecting all cookies and trackers in operation on these sites.

Need to refresh how cookies and the GDPR are connected? Read our blogpost: GDPR & cookies.

We also inserted queries like the ones above into search engines to identify the specific health service landing pages that EU citizens would realistically visit to get official advice.

Then, we scanned these landing pages too. The result is alarming:

The vast majority of the official government websites in the EU harbour data-tracking third parties. Over half of the public health sites are unknowingly facilitating tracking.

This means that when vulnerable citizens turn to their governments and public health sector sites to seek information and help on sensitive matters, ad tech companies* are listening in and harvesting the data. 

*In the report, the term “ad tech” is used to jointly describe the commercial tracking of website users and the companies behind this, notwithstanding that some of this tracking may be carried out for commercial purposes other than to directly display advertising.

Infographics from the report: Ad Tech Surveillance on the Public Sector Web.

What are ad tech companies and how do they make money with my data?

Once the data has been intercepted by the trackers, it could in theory be used for anything by anybody. The data is out of the user’s and even of the website’s control.

Most probably, it is being circulated in the trillion-dollar industry that is the data economy, where it is combined with other data to build dauntingly rich personal profiles that are resold by data brokers to ad networks in real-time bidding auctions.

Profiling is commonly used to target advertisements, sell you products, propagate ideas, customize everything from user experience to the actual prices you are shown, and predict future actions. In the wrong hands, it may be used to determine whether or not you are entitled to insurance, and whether or not a potential employer should hire you…

Personal profiling may include…

  • data on your location and movements right down to the street numbers and even floor of the buildings,
  • your habits and interests,
  • your circle of friends, your family and your origin,
  • your profession and your income,
  • political and religious beliefs,
  • your age, gender and sexual orientation,
  • your ailments and your fears,
  • your plans, dreams and hopes.

This knowledge is assembled piece by piece while you scroll and click on the internet, or move around in the physical world with a device in your pocket, by means of invisible and apparently harmless cookies and similar tracking technologies, placed as third parties on websites and apps and, as our report shows, even on the official public websites of EU countries.

That is, at its essence, the logic of surveillance capitalism. Surveillance capitalism is a term coined to describe the era in which we have inadvertently arrived. In surveillance capitalism, as described by Shoshana Zuboff in “The age of surveillance capitalism”, the more data one has, the more one owns the markets.

Surveillance capitalism is the result of 20 years of a vastly unregulated internet, and the GDPR and the soon-to-come ePrivacy Regulation are reactions to this, attempting to restore rights and online privacy to internet users.

Once intercepted, your personal data is out of your control and can in theory be used for anything. Find out the workings of the ad tech industry and who is in power in our report.

How do the website trackers get in?

In the report, we demonstrate that 89% of official government websites of EU member states and 52% of the scanned landing pages on national health services facilitate third party ad tracking.

The interesting part is that not only do these websites represent the EU member states that are enforcing the GDPR; they are also public sites that do not rely on revenue from advertising.

So, what are the trackers even doing there, and how do they get in?

The short answer is that they get in through embedded services such as video players, social sharing widgets, web analytics, galleries and comments sections.

Why? Many free third-party website plugins earn revenue by smuggling in trackers. They can act as Trojan horses, opening backdoors to the website so that ad tech companies can silently insert their trackers.

To sum up, although many of these third-party technologies are supposedly free, they do have a price: users’ privacy.

Advice for website owners

The report proves how widespread tracking is on government and public websites that are not funded by ads.

These results indicate that many other non-ad-funded websites are probably also unintentionally serving as platforms for online surveillance.

The good news is that it can be prevented and stopped.

When including third-party components on your website, take these steps to stay compliant and protect the privacy of your users:

  • Gain a detailed overview of the current tracking status on the website.
  • Remove any unwanted trackers from the website’s source code.
  • Offer visitors full transparency and control over trackers on the site – i.e. allow them to turn trackers on/off according to their own wishes.

Worried about the tracking in progress on your website? Try our website audit and find out right away whether you are compliant.

Example: ShareThis as a Trojan horse

Ireland’s public health service, the Health Service Executive (HSE), has installed the popular social sharing tool ShareThis on its web pages. ShareThis automatically adds buttons to each page to make it easy for visitors to share information across social media platforms.

As a free service, ShareThis may seem like a gift to many website operators, but it is more like a Trojan horse that releases trackers from more than 20 ad tech companies into every webpage it is installed on.

By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission.

This result was confirmed on pages linked from search queries for “mortality rates of cancer patients” and “symptoms of postpartum depression”.

Although website operators like the HSE do control which third parties they add to their websites, they have no direct control over what additional “4th parties” those third parties might smuggle in.

ShareThis appears to be installed on every single webpage of www.HSE.ie. This indicates that a broad spectrum of Irish citizens’ health data is being continuously and invisibly leaked to commercial actors.

Although the HSE.ie cookie policy references ShareThis’ own cookie, it makes no reference to the 25 other trackers loaded by ShareThis, indicating that the HSE is not aware of their activities.

On Ireland’s public health service site, ShareThis acts like a Trojan horse, giving 25 trackers access to highly sensitive personal data.
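The first step in the advice above (get a detailed overview of the current tracking status) and the ShareThis case are both about telling a directly embedded third party apart from the “4th parties” it drags in. As an added example that is not part of the original post or of Cookiebot’s tooling, the Python script below reads a HAR capture exported from the browser’s developer tools and, for every non-first-party site, reports which embed loaded it and whether it set cookies. It assumes the capture carries Chrome DevTools’ `_initiator` extension field for attribution; the sample capture and all hostnames are constructed, and the eTLD+1 lookup is a rough stand-in for the Public Suffix List.

```python
import json
from urllib.parse import urlparse

# Constructed sample in HAR layout with Chrome DevTools' "_initiator" field: a page
# embeds a sharing widget that pulls in two further trackers. All hosts are placeholders.
PAGE = "https://www.health-agency.example/cancer/advice"
WIDGET = "https://cdn.widget.example/buttons.js"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": PAGE}, "_initiator": {"type": "other"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=1; HttpOnly"}]}},
    {"request": {"url": WIDGET}, "_initiator": {"type": "parser", "url": PAGE},
     "response": {"headers": [{"name": "Set-Cookie", "value": "wid=a; SameSite=None; Secure"}]}},
    {"request": {"url": "https://pixel.adnet.example/sync?u=1"},
     "_initiator": {"type": "script", "stack": {"callFrames": [{"url": WIDGET}]}},
     "response": {"headers": [{"name": "Set-Cookie", "value": "uid=z; SameSite=None; Secure"}]}},
    {"request": {"url": "https://t.broker.example/b.gif"}, "response": {"headers": []},
     "_initiator": {"type": "script", "stack": {"callFrames": [{"url": WIDGET}]}}},
]}})

TWO_PART_SUFFIXES = {"co.uk", "gov.uk", "com.au", "co.jp"}  # rough stand-in for the PSL

def site(url):
    """Registrable domain (eTLD+1) of a URL, used to decide what counts as first party."""
    parts = (urlparse(url).hostname or "").split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(parts[-n:])

def initiator_url(entry):
    """URL of the document or script that triggered the request, if recorded."""
    init = entry.get("_initiator", {})
    frames = init.get("stack", {}).get("callFrames", [])
    return init.get("url") or (frames[0]["url"] if frames else None)

def audit(har_text, page_url):
    """For each non-first-party site: who embedded it, and did it set cookies?"""
    first = site(page_url)
    report = {}
    for e in json.loads(har_text)["log"]["entries"]:
        s = site(e["request"]["url"])
        if s == first:
            continue  # the site's own requests are not trackers
        src = initiator_url(e)
        loaded_by = site(src) if src else "unknown"
        party = "third" if loaded_by == first else "fourth"  # fourth = pulled in by an embed
        sets_cookie = any(h["name"].lower() == "set-cookie"
                          for h in e["response"].get("headers", []))
        r = report.setdefault(s, {"party": party, "loaded_by": loaded_by, "sets_cookie": False})
        r["sets_cookie"] = r["sets_cookie"] or sets_cookie
    return report
```

Calling `audit(SAMPLE_HAR, PAGE)` on the constructed capture flags `widget.example` as a third party embedded by the page itself and `adnet.example` and `broker.example` as 4th parties loaded by the widget, which is exactly the class of tracker a cookie policy listing only the widget’s own cookie would miss.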

Who is tracking the website users?

Across both government and health service websites, we found 112 data-tracking companies, sending data to a total of 131 third party tracking domains.

Two aspects are especially worrying:

1. Ten of these companies actively mask their identity, because no website is hosted at their tracking domains, and their domain ownership records are hidden by domain privacy services. Who are these trackers?

Who is tracking you from behind these masked identities?

2. Google performs more than twice as much tracking as any other company. Google controls the top three trackers found in this study: YouTube, DoubleClick and Google.com.
Through the combination of these services, Google can track website visitors to 82% of the EU’s main government websites and 43% of the scanned health service landing pages.
Given its control of many of the internet’s top platforms such as Google Analytics, Google Maps, YouTube, etc., it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else.
It is of special concern that Google is capable of cross-referencing its trackers with its first-party account details from popular end-user services such as Google Mail, Google Search, and Android apps (to name a few) to easily associate online actions with the identities of real people.

Figure 1: Top 5 trackers on EU government domains


Figure 2: Top 5 trackers on public health service landing pages


Summing up on “Ad Tech Surveillance on the Public Sector Web”

In this blogpost, we have described some of the findings in our report, published March 18, 2019.


This report was done out of exasperation. With our scanning technology, we can witness the rising epidemic of uncontrolled online surveillance that thrives all across the internet.

For some readers, the findings and conclusions might be shocking news. To others, it might be old news.

To both, our message is that it can be prevented and stopped.

We urge all website owners – public and private alike – to take responsibility for the tracking that is taking place on their websites, in line with the requirements of the GDPR and other legislation.

Create transparency – both for yourselves and for the users of your website – and give your users a genuine choice as to how the data generated about them on your website is being used for commercial purposes.

FAQ

What is Cookiebot CMP?

Cookiebot CMP is a plug-and-play consent management platform (CMP) that deep-scans your website to detect and control all cookies and third-party trackers in operation. Cookiebot CMP handles user consents on your website in full GDPR and CCPA compliance.


What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data on individuals inside the European Union. Websites, companies or organizations that process personal data inside the EU, e.g. through cookies and trackers on a website, must comply with the GDPR.

Learn more about GDPR compliance

What cookies does my website use?

Most websites use dozens of cookies, often third-party cookies that are loaded on the website by social media links and analytics tools. To know exactly what kinds of cookies and how many your website uses, use a deep-scanning technology to crawl your domain.

Test for free to see what cookies your website uses

How do I make my website GDPR compliant?

If your website uses cookies and third-party trackers (e.g. by using social media links, analytics tools or marketing plugins), you are required to ask for and obtain the prior and explicit consent of your user.

Learn more about GDPR and cookie consent

Resources

The report: Ad Tech Surveillance on the Public Sector Web

The GDPR official law text

Shoshana Zuboff: The age of surveillance capitalism
