When EU citizens visit their governments online, or when they access public health service resources about sensitive issues such as pregnancy, sexual health, cancer or mental illness, more than 100 commercial companies are systemically and invisibly tracking them.

The warning comes from a report which used the Cookiebot web scanning technology on 184,683 pages on all EU main government websites, finding advertising technology trackers on 89 per cent of them.

While sensitive information about a person’s health condition belongs to ‘special category data’ that is carefully protected under Article 9 of the GDPR, 52 per cent of EU public health service web pages were found to contain commercial trackers.

The Irish health service ranked worst, with 73 per cent of landing pages containing trackers, while the NHS in the UK had trackers on 60 per cent of landing pages.

The report found that 112 companies track EU citizens across all scanned sites. Of these, 10 companies actively mask their identity, because no website is hosted at their tracking domains, and their domain ownership records are hidden by domain privacy services.

Google controls the top three tracking domains found in the study: YouTube.com, DoubleClick.net and Google.com. Through the combination of these domains, Google tracks website visits to 82 per cent of the EU’s main government websites.

Using DoubleClick and the Google homepage, Google tracks visits to 43 per cent of the scanned health service landing pages.

Meanwhile, on Irish and UK health landing pages featuring information about HIV and mental illness, Facebook is employing anti-tracking countermeasures to track citizens who use the Safari 11 browser’s intelligent tracking prevention.

The report explained that once collected, the tracked data can be resold via data brokers to organisations both in and outside the advertising industry.

“Most probably, it is being circulated in the trillion-dollar industry that is the data economy, where it is combined with other data in order to build dauntingly rich personal profiles, that are resold by data brokers to ad-networks in real-time bidding auctions,” the document read.

Cookiebot founder Daniel Johannsen commented: “The interesting part here is that not only do these websites represent the EU member countries that are enforcing the GDPR, they also are public sites that do not rely on revenue from advertising.

“More than nine months into the GDPR, a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” he continued, adding: “Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites.”

Share Story: