Harrogate Council found to use third-party advertising cookies on website without asking for consent
An investigation by the BBC Shared Data Unit has found third-party advertising cookies on Harrogate council's website.
The investigation revealed more than 950 advertising cookies - small text files that track people on the internet - embedded in home pages and benefits pages for councils around the UK.
On Harrogate Council's website, six of these cookies - all hosted by websites in the US - were detected on Harrogate Council's homepage and benefits page.
The BBC's Shared Data Unit used open source software webXray and took a snapshot over two days in October 2019 of more then 400 council benefit pages
The investigation also looked at if council's were asking for the correct form of consent for these cookies under privacy laws and found Harrogate Council did not directly ask users for their consent.
Experts have said the use of third-party advertising cookies on benefits' pages was 'unexpected'.
Professor Tim Libert of Carnegie Mellon University, creator of the Webxray programme, said: “I’ve been a web developer since the late 1990s and a privacy researcher for the past seven years and this may be the most unexpected place I’ve seen an ad online.
“First and foremost, it is important to note that there is no way for a tracker to force their code onto a site short of hacking it - the site itself must place the code there. So the biggest party of responsibility is the website owner [councils] without question.
“In my view, targeting residents through benefits pages is utterly reprehensible as the most protections should be extended to those most in need.”
Lloyd Clark, managing director of the Council Advertising Network (CAN), which works with public bodies including around 50 UK councils, said: "We do not specifically target vulnerable people via council advertising. In addition, we automatically block all categories of advertising that could be used to target vulnerable groups. This includes ads for payday loans, gambling and alcohol.
“What’s been built up is for the purpose that relevant information goes towards serving individuals’ relevant advertisements.
“People appreciate relevant advertising. People don’t like irrelevant adverts."
The Information Commissioner's Office (ICO), an independent body set up to uphold information rights, said the setting of non-essential cookies without consent would be illegal and is looking into the findings of the BBCs investigation.
ICO executive director for technology policy and innovation Simon McDougall said: "This investigation by the BBC further highlights our concerns about the lack of transparency and consent when adtech is used.
"While the ICO is keen to promote innovative uses of technology, that cannot be at the expense of people's fundamental legal rights. We will be assessing the information provided by the BBC."
"We are working with our website provider to have unnecessary cookies removed from the site.
"All information we collect is completely anonymous."
The national picture
Cookies help companies deliver ads that are relevant to people's habits on the internet.
Across England, 56 per cent of councils hosted third party advertisers on benefits pages with an average of five cookies found on each.
More than two-thirds did not appear to ask for the correct form of consent under privacy laws.
The investigation also found examples of targeted ads on benefits pages around the country included high-interest credit cards, Black Friday deals, sports cars with features for disabled people and private funeral care plans.
What are cookies?
Cookies are small text files that track internet users and collect data on them.
Many cookies - such as those for audience measurement and web design - are essential and used to improve the browsing experience.
Third-party advertising cookies help companies deliver ads relevant to a user's browsing habits.
What does the law say about consent?
British and EU law has banned the sharing of personal data to third parties without freely given, informed and explicit consent.
The General Data Protection Regulation (GDPR) came into force in 2018, and brought in stricter rules around handling and sharing data that could identify people.
As well as GDPR, the Privacy and Electronic Communications Regulations, demand full active consent from users before tracking cookies are embedded.
Consent for tracking technology must be freely given, specific and informed, and involve “unambiguous, positive action” - such as ticking a box or clicking a link.