An investigation has shown that over 400 UK councils and local authorities are sharing information about their websites’ visitors, prompting its authors to call for greater enforcement of the General Data Protection Regulation (GDPR).
The ‘Surveillance on UK council websites’ report was compiled by browser and software company Brave, and claims that councils are allowing third parties to track visitors, including potentially vulnerable groups such as people with disabilities and addictions.
An appendix table shows that almost all local authorities permitted tracking by at least one third-party. The most common of these is Google and its RTB system, used by 196 council websites, which the report says collects data and shares it with “hundreds of companies”, with little transparency over who these companies are and what they are doing with the information.
Perhaps even more concerning is that 23 of the councils were found to allow data brokers, who sell information on to private companies, to track visits. A notable example of this is Sheffield City Council, which the report says allowed seven data brokers to collect information from a page to help people struggling with substance abuse. Sheffield City was found to be sharing online data with 25 third parties companies in total, the joint highest number in the country along with Ealing.
In a summary, Brave calls upon UK Information Commissioner Elizabeth Denham to “finally enforce the GDPR”, which came into effect more than a year and a half ago.
At Engage Web, we’re pleased to see that our council Cheshire West and Chester put in a comparatively respectable showing, with just three examples of Google systems tracking visitors. Nearby Wirral Council, on the other hand, was one of the worst offenders in the country. In total, 22 third parties have access to Wirral’s data, the fourth-most in the UK, including seven data brokers.
A major criticism of the GDPR, argued by whistleblower and online security expert Edward Snowden among others, is that the legislation is too heavily focused on data protection, rather than asking why this data is being collected in the first place. However, under GDPR, organisations large and small have to be able to explain why they are collecting and holding any data they have. If you’re unsure whether your site is GDPR compliant, why not speak to us today?