Exposing the hidden data ecosystem of the UK’s most trusted charities

Charities are a cornerstone of society in the UK. They save, protect, sustain, and enrich life in too many ways to count. We trust them to look after our loved ones in their hour of need; we trust them to care for our veterans, our environment, our pets, our mental well-being... the list goes on.

However, our research suggests that some of this trust is being misplaced. By analysing 82,804 charity websites in the UK, we discovered that global for-profit advertising companies could be profiling users of charity websites, including users visiting pages on highly sensitive topics such as mental health, sexual violence, and disability.

Key findings:

21 of the top 100 charities in the UK have shared user data directly with data brokers

We found 21 of the most popular charities in the UK share user data with data brokers. This 'data' includes the specific page being visited as well as other technical attributes, both of which can be used to build highly detailed profiles of UK citizens. This data is then reshared by companies within the AdTech industry and it is almost impossible to understand where personal data ends up or how it might be used. Charities with trackers belonging to data brokers include:

  • British Heart Foundation
  • Marie Curie 
  • Alzheimer's Society
  • NSPCC
  • Salvation Army
  • UNICEF
  • Mencap
  • The Stroke Association
  • Scope
  • Amnesty International
  • Christian Aid

31% of the most popular charities in the country contain trackers belonging to real-time-bidding platforms 

Real-time and header bidding raise serious privacy concerns because data is broadcast to hundreds or thousands of partners, and it is almost impossible to understand where this data ends up or what those recipients might use it for. We found trackers on charity websites dealing with sensitive topics such as:

  • End of life care
  • Domestic violence
  • Child abuse
  • Physical and mental disabilities
  • Gambling addiction 
  • Life-changing health conditions including cancer and stroke

89% of the top 100 charities have cookies from DoubleClick, Google’s RTB platform, installed on their site

DoubleClick is a subsidiary of Google (Alphabet) and is the most pervasive of all the RTB trackers, present on 89 of the top 100 charity sites. The data it collects is broadcast to over 2000 partners. The Information Commissioner's Office has called into question the ethical and legal consequences of this practice. 

Google says there are some categories of sites where segments will not be built for users (health and political for example), but it is not clear if these safeguards apply to many of the issues dealt with by charities.

92% of top 100 charities do not fully comply with EU data protection (General Data Protection Regulation) and ePrivacy law (the ePrivacy Directive 2002/58/EC)

Many failed spectacularly with opt-out forms not actually changing tracking behaviour at all. Others placed advertising trackers before users were able to express (or deny) consent. Sites included:

  • Cancer Research UK
  • Great Ormond Street Hospital Children's Charity
  • British Red Cross
  • Royal National Lifeboat Institution
  • Samaritans
  • Save The Children

Given the highly sensitive subjects that charities deal with, it's vital that they properly inform users of these data-sharing practices.


Introduction

Charities play a unique role and hold a special place in our hearts. They are required, by law, to serve the public interest, but at the same time, they feel many of the commercial pressures of a regular business. Donations remain the most high-profile form of income generation and those with the means are quickly adopting new technologies to maximise that income. Chief amongst these technologies is programmatic advertising. Put simply, programmatic advertising uses machines and algorithms to purchase ad space on websites. This ability to target specific users based on detailed user profiles has presented new opportunities for the charity sector.

But these opportunities have an altogether more sinister side. The AdTech industry relies on highly sophisticated mass-profiling of citizens. From basic information like age, gender, and income to highly personal data like religion, political affiliation, and sexuality, this user data is gathered by dozens of companies and shared with thousands more. The ecosystem has grown so complex that it is almost impossible to say where user data goes and what it might be used for in the future.

Our study also found that the vast majority of charities are failing to meet their obligations under European data protection and privacy laws. All website providers have a responsibility to protect the privacy of their users and comply with existing laws, but this is particularly important for websites that share potentially granular or sensitive data with third parties.

It’s perfectly understandable that charities would use every weapon at their disposal in order to generate income; but allowing companies to collect data about users, often in their darkest hour, without their knowledge or consent is intrusive and, according to the Information Commissioner’s Office, ethically questionable.

Methodology

  1. We used open datasets provided by the Charity Commission to extract all domains registered on the charity database (July 2020). This data was cleaned to remove subdomains belonging to larger sites (wordpress.com, wix.com etc.) and education sites (.edu and .ac.uk). We also attempted to remove domains we knew to belong to for-profit organisations, even if they had a charitable arm of the business.
  2. We then analysed the remaining 82,804 domains to detect third-party HTTP requests and cookies. Similar to previous investigations, our hope was to use the open-source tool webxray to analyse the URLs; however, the tool was removed from GitHub prior to analysis. To continue the investigation, we developed an in-house tool.
  3. The tool, which we plan to make publicly available, inspects the loading process of the given URL. During the inspection, it looks for external links and other references that possibly belong to user tracking. It cross-references this with datasets provided by disconnect.me and whotracks.me. The tool runs in an AWS Lambda environment and is scalable for large analyses such as this.
  4. Once we had a list of third-party elements loading on each page, the domains they contacted, and the owner of each domain, we categorised them as follows:
    • Data Brokers:
      Lotame, LiveRamp, Quantcast, Eyeota, BlueKai (Oracle), MediaMath

    • Real-Time Bidding:
      ADYOULIKE, The Trade Desk, Avocet, AppNexus, AdRoll, TripleLift, ONE by Aol, Bidswitch, OpenX, PubMatic, Rubicon Project

    • DoubleClick:
      This is Google/Alphabet's programmatic advertising platform and is so pervasive that we felt it best to separate it from the other services.

    • Social:
      LinkedIn Ads, Twitter Advertising, Facebook Custom Audience, LinkedIn Analytics, Facebook Connect, Twitter Analytics, Twitter Conversion Tracking, Twitter Button, Twitter Syndication, AddThis, Facebook Social Graph, ShareThis, AddToAny

    • Other AdTech:
      This was everything else categorised as advertising by the open datasets that did not fit into the three categories above (see appendix for the complete list).

  5. Using YouGov’s index of popular UK charities, we selected the top 100 websites for manual analysis. Because our tool was unable to accept cookie consent, this final stage of analysis involved visiting each website in order to carry out manual verification of third-party trackers loading on the page. To expedite this analysis we used HTTP Toolkit to intercept HTTP requests and Ghostery Insights Beta to quickly identify domains.
  6. We manually accepted cookies on each page to understand exactly which trackers were loading for the Top 100.
  7. We conducted a thorough analysis of cookie consent processes, noting whether elements loaded before or after consent was given and whether revoking consent had any technical impact on trackers.
  8. Finally, we explored the content of each website. We logged those with potentially sensitive subjects that could potentially be used for granular profiling and once again verified the presence of trackers on those pages.
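
To make steps 2, 4 and 7 concrete, here is an added example (not the in-house tool described above) that takes a constructed log of the requests a page made, classifies the third-party ones into the categories listed in step 4, and flags any non-essential tracker that fired before the consent click. The owner and category tables are a small hand-written stand-in for the disconnect.me and whotracks.me datasets, and the sample log, page URL and consent timestamp are assumptions.

```python
"""Classify third-party requests and check whether trackers fired before consent.

Added example. The OWNER / CATEGORY tables below are a tiny hand-written
stand-in (an assumption) for the disconnect.me and whotracks.me data that the
report's tool cross-references; the categories follow the report's taxonomy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# owner -> category, using companies named in the report's methodology
CATEGORY = {
    "Quantcast": "Data Broker", "LiveRamp": "Data Broker",
    "Lotame": "Data Broker", "BlueKai (Oracle)": "Data Broker",
    "MediaMath": "Data Broker", "Eyeota": "Data Broker",
    "AppNexus": "Real-Time Bidding", "PubMatic": "Real-Time Bidding",
    "The Trade Desk": "Real-Time Bidding", "Rubicon Project": "Real-Time Bidding",
    "DoubleClick": "DoubleClick",
    "AddThis": "Social", "Facebook Connect": "Social",
    "Google Analytics": "Analytics",  # treated as essential by the report
}

# registrable domain -> owner (assumed mapping for this example only)
OWNER = {
    "quantserve.com": "Quantcast", "rlcdn.com": "LiveRamp",
    "crwdcntrl.net": "Lotame", "bluekai.com": "BlueKai (Oracle)",
    "mathtag.com": "MediaMath", "adnxs.com": "AppNexus",
    "pubmatic.com": "PubMatic", "adsrvr.org": "The Trade Desk",
    "doubleclick.net": "DoubleClick", "addthis.com": "AddThis",
    "facebook.net": "Facebook Connect", "google-analytics.com": "Google Analytics",
}

ESSENTIAL = {"Analytics"}  # the report counts analytics as essential

@dataclass
class Request:
    t_ms: int   # milliseconds since navigation start
    url: str

@dataclass
class Finding:
    domain: str
    owner: str
    category: str
    before_consent: bool

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keeps three labels for .co.uk/.org.uk style hosts, else two."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def audit(page_url: str, requests: List[Request], consent_t_ms: Optional[int]) -> List[Finding]:
    """Return one Finding per known third-party tracker domain seen on the page.

    consent_t_ms is when the visitor clicked 'accept'. None means the scanner
    never consented (the report's bulk scan), so every hit counts as pre-consent.
    """
    site = registrable_domain(urlparse(page_url).hostname)
    seen: Dict[str, Finding] = {}
    for req in requests:
        dom = registrable_domain(urlparse(req.url).hostname)
        if dom == site:
            continue                      # first-party request
        owner = OWNER.get(dom)
        if owner is None:
            continue                      # third party, but not a known tracker
        early = consent_t_ms is None or req.t_ms < consent_t_ms
        found = seen.get(dom)
        if found is None:
            seen[dom] = Finding(dom, owner, CATEGORY[owner], early)
        elif early:
            found.before_consent = True   # any pre-consent hit is enough
    return sorted(seen.values(), key=lambda f: (f.category, f.owner))

def non_compliant(findings: List[Finding]) -> List[Finding]:
    """Non-essential trackers that fired before consent (the report's test)."""
    return [f for f in findings if f.before_consent and f.category not in ESSENTIAL]

# Constructed sample: a charity page that loads DoubleClick and Quantcast
# before the banner is clicked at 4000 ms, and AppNexus only afterwards.
SAMPLE_PAGE = "https://www.example-charity.org.uk/support/diagnosis"
SAMPLE_LOG = [
    Request(120, "https://www.example-charity.org.uk/static/app.js"),
    Request(340, "https://www.google-analytics.com/collect?v=1"),
    Request(410, "https://stats.g.doubleclick.net/r/collect"),
    Request(900, "https://pixel.quantserve.com/pixel/p-abc.gif?ref=/support/diagnosis"),
    Request(4000, "https://www.example-charity.org.uk/api/consent"),  # banner clicked
    Request(4300, "https://ib.adnxs.com/getuid?https://www.example-charity.org.uk/"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, SAMPLE_LOG, consent_t_ms=4000):
        flag = "PRE-CONSENT" if f.before_consent else "after consent"
        print(f"{f.category:18} {f.owner:18} {f.domain:24} {flag}")
```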

Back to basics: What is a tracker?

When a user visits a website, they are, in fact, downloading an HTML file from a server. This is a ‘first-party’ request because only two parties are involved in this process: the user and the company that owns the website.

However, webpages almost always include additional elements that are not served up by the owner of the site: pictures, videos, social buttons, or other types of code not necessarily visible to the user. As soon as this content is included from other domains, the number of parties involved in the transaction increases from two to three or more, which is why we refer to these as ‘third-party’ requests.

Each time one of these resources or elements is requested from the third-party server, certain pieces of user data are transmitted to the third-party company. At a minimum this includes the user's IP address, their browser type (the user agent string), and the full URL of the page they are viewing, sent as the referrer.

There is nothing sinister about any of this; it is simply a function of how the internet works. What is arguably more concerning is what these third parties do with that data. Simply by storing this data across thousands or millions of websites, almost any company can begin to analyse it and see patterns in behaviour. This is tracking and user profiling at its most basic.

However, an entire industry has evolved around the tracking and profiling of internet users. While most users are at least vaguely familiar with the notion of cookies, much of this tracking is now done server-side and so is almost impossible for the average user to understand or stop. It is complex, poorly understood, escapes many of the existing regulatory frameworks, and poses significant threats to the privacy of internet users worldwide.

In this study, we use the term 'tracker' to refer collectively to pixels of any kind, cookies and other forms of code such as JavaScript belonging to data aggregators, service providers in the AdTech ecosystem or social media platforms that profit from advertising through detailed user segmentation.

Privacy Death Stars: The most complex digital ecosystem in existence

Using the basic examples above, an average user might not see a huge reason for concern. They visit a webpage, that information is recorded, tracked, and stored for advertising purposes later on. However, there are several other factors that make AdTech altogether more disturbing when viewed through the lens of privacy. First is the sheer complexity of the ecosystem. There are companies that most people will never have heard of that profit by scooping up vast amounts of personal data.

Data brokers like Oracle (BlueKai) and LiveRamp (formerly Acxiom) have been described as Privacy Death Stars. They probably know more than Google, Facebook, or any other single entity that gathers human-specific trackable intelligence. They are aggregators of data, not just online, but offline too. Everything from credit card transactions to criminal records is gathered from thousands of partners in order to build detailed dossiers of as many citizens around the world as possible. LiveRamp (which we found on 10 of the top 100 charity sites) boasts on its website that it holds data on more than 45 million UK citizens. That's just shy of 80% of the adult UK population.

What does a data broker know about you?

[Infographic: What a data broker knows about you. Credit: CrackedLabs, available under CC BY 4.0]

So how many of these granular data points could be inferred simply by visiting a charity webpage? The Internet Advertising Bureau provides a ‘content taxonomy’ which is used across the digital advertising industry for the categorisation of website content. It contains fields for the likes of ‘Heart and Cardiovascular Diseases’, ‘Mental Health’, ‘Sexual Health’ and ‘Infectious Diseases’ whilst Google’s publisher verticals include ‘Reproductive Health’, ‘Substance Abuse’, ‘Health Conditions’, ‘Politics’ and ‘Ethnic & Identity Groups’.

Essentially, these are boxes that exist within the industry and the companies involved are listening in wherever possible in order to tick them. The level of detail that these companies strive to obtain leaves absolutely no scope for privacy.

21 of top 100 charities in the UK have shared data directly with data brokers

While we found that only 0.3% of all UK charity websites shared user information with data brokers, when it came to the top 100 most popular charities, this figure jumped to 21%. Charities found to be sharing data with data brokers included:    

  • Alzheimer's Society
  • NSPCC
  • Mind
  • The Prince's Trust
  • Mencap
  • The National Autistic Society
  • The Stroke Association

Social buttons: Watching everything you do

Social buttons allow users to quickly share content and have become commonplace on many private, public, and charity websites. However, they are almost always used to track and profile users for advertising purposes.

AddThis, a popular social sharing platform, is owned by the data broker Oracle. Its 'Marketing & Data Cloud' is the marketplace where all of this data is used. The AddThis privacy policy clearly states:

"AddThis Data is collected online and may indirectly identify you. It includes, for example:

It goes on to say:

...this data can be used "to enable AddThis Publishers and Oracle Marketing & Data Cloud customers and partners to market products and services to you".

We identified 2,745 charities using AddThis across their site including:

  • Alzheimer's Society
  • NSPCC
  • Mind
  • The Prince's Trust
  • Mencap
  • The National Autistic Society
  • The Stroke Association

Disturbing examples of data brokers tracking users on UK charity sites

Marie Curie: Recently diagnosed with a terminal illness

[Screenshot: Marie Curie website]

Here we can see a tracking pixel belonging to Quantcast loading on Marie Curie's page for those recently diagnosed with a terminal illness. This pixel is added so that Quantcast can begin to model visitors to the site so that the charity can later use this data to target internet users most likely to 'convert' when shown an ad on a different site.

However, we can clearly see in the HTTP header below that Quantcast, a well-known aggregator of data across 100 million web domains, not only has access to the user agent data, which can be used to identify users, but also has access to the complete URL as well as sensitive keywords.

[Screenshot: Marie Curie trackers, showing the Quantcast request headers]

Alzheimer's Society: Worried about memory problems

[Screenshot: Alzheimer's Society website]

This page loads a number of different trackers related to AdTech including:

Even for a charity engaging in programmatic advertising, the number of data aggregators and other AdTech companies seems over-reaching and disproportionate.

While not all pixels seem to be firing, they are present on the page.

Mencap: Benefits for people with a learning disability

[Screenshot: Mencap website]

To its credit, Mencap takes a more technically sophisticated and privacy-focused approach. While there are a number of AdTech trackers on its homepage (DoubleClick, AppNexus, PubMatic, MediaMath, and TradeDesk) these are not included on deeper help pages. 

However, it does include AddThis, which as mentioned above, is explicitly used to provide data to Oracle's marketing platform.

In short, Mencap is allowing the same data broker to profile users on even its most sensitive pages.

Other high profile examples of data broker trackers:

British Heart Foundation: Heart Conditions
https://www.bhf.org.uk/informationsupport/conditions

Brokers: LiveRamp, DoubleClick

NSPCC: Spotting signs of child abuse
https://www.nspcc.org.uk/what-is-child-abuse/spotting-signs-child-abuse/

Brokers: Quantcast, DoubleClick

Stroke Association: Are you at risk of stroke?
https://www.stroke.org.uk/what-is-stroke/are-you-at-risk-of-stroke

Brokers: LiveRamp, DoubleClick, AddThis (Oracle)

Real-time-bidding: Why is it a privacy nightmare?

Real-time bidding (RTB) is a practice that is facing scrutiny by regulators and privacy advocates and is particularly concerning when trackers belonging to RTB platforms are found on web pages that are sensitive in nature. RTB's entire ecosystem is in breach of core data protection principles, and regulators have to proceed with a holistic view if they have any hope of bringing it within compliance.

RTB is an automated process that takes place in the fractions of a second that it takes to load a webpage. When a user visits a page that has advertising space available, the user's data is broadcast to hundreds or even thousands of bidders via an ad exchange. This broadcast includes information about the ad space, such as the page it is on, the topic and category, as well as the user's IP address and precise location if available. This all constitutes personal data under GDPR. It's impossible to know who these bidders are, but every single one of them receives the data - whether or not they win the bid.

This is happening billions of times per day. It is, as the Economist puts it, a ‘data-protection free zone’.

[Infographic: How RTB works. Credit: The Economist, recreated by ProPrivacy]

It's not just the companies involved in an RTB transaction that have access to this data. The rise of RTB has forced AdTech companies to collaborate closely with one another because without exchanging user data, companies cannot participate in RTB auctions. This ecosystem has become so big and complex that it is impossible to untangle and has been described in the past as the "UK's worst data breach".

Charities seem to be using RTB to retarget their previous visitors elsewhere on the internet. In doing so, they are exposing every one of those visitors to this opaque ecosystem. 

Again, these elements have access to data that is unnecessary for charities to take part in programmatic advertising. As an example, we can see here on Cancer Research UK's support page, not only is the full referrer URL included in this AppNexus request, but a cookie is set with a unique ID as well as time stamps. 

[Screenshot: Cancer Research UK, AppNexus request showing the full referrer URL and a cookie with a unique ID]

Even if these platforms are being used on a charity's behalf, every visitor to a charity site with one of these trackers installed is giving away, at a minimum, basic user data such as IP and browser type, as well as the full URL they were visiting. This referrer URL often contains potentially sensitive information. 

We identified 344 charity websites across the UK that appear to engage with real-time bidding (RTB) based on the elements we found on the page. Within the top 100, there were 36 charities with trackers belonging to platforms within the RTB ecosystem.

Results


Before we looked at the most popular charities in the UK, we wanted to get a sense of how the sector was using AdTech as a whole. We began with 82,804 domains extracted from the Charity Commission's database. After removing non-live domains, academic institutions, and publishing companies, as well as URLs that were subdomains of larger platforms (wordpress.com), we were left with 64,581.

Of those, we found that 42% contained what we consider to be some form of advertising-related tracking technology.

The majority of these trackers were related to social platforms. 33.8% of the sites analysed contained trackers belonging to: Facebook, Twitter, AddThis, YouTube, Instagram, LinkedIn, or Flickr.

DoubleClick, the Alphabet-owned programmatic advertising (RTB) platform, was installed on 10,105 sites (15.6%).

Outside of the Google advertising ecosystem, we found 330 (0.51%) charities with RTB trackers and 220 (0.34%) with data broker trackers installed.

These numbers demonstrate that the charity sector, at large, is not using the invasive forms of AdTech outlined above. However, once we started to examine well-known charities with significant brand exposure and larger operating budgets, there was a drastic increase in the use of AdTech.

Looking at the 100 most popular charities in the UK (YouGov index), 90% engage in programmatic advertising provided by Google's DoubleClick or another platform.

Removing DoubleClick from the equation, 40% of the most popular charities in the country contained third-party elements belonging to either RTB players or data brokers. The following charities were found to include some form of RTB or data broker tracker:

  • British Heart Foundation
  • Macmillan Cancer Support
  • Cancer Research UK
  • St. John Ambulance
  • Marie Curie
  • Alzheimer's Society
  • National Trust
  • RSPCA
  • Royal British Legion
  • Age UK
  • Battersea Dogs and Cats Home
  • Save the Children
  • Salvation Army
  • RSPB
  • London's Air Ambulance
  • Dogs Trust
  • Woodland Trust
  • Shelter
  • WaterAid
  • Arthritis Research UK
  • Bowel Cancer UK
  • Mencap
  • The Stroke Association
  • The Donkey Sanctuary
  • Cats Protection
  • Scope
  • The Blue Cross
  • MS Society
  • Movember
  • Amnesty International
  • GambleAware
  • National Trust for Scotland
  • Canal & River Trust
  • Wood Green, The Animals Charity
  • Sightsavers
  • Leonard Cheshire Disability
  • NSPCC
  • UNICEF
  • Christian Aid

We found a total of 21 charities sharing data directly with data brokers, with 7 of those sharing data with more than one.


It’s clear then that AdTech has become a tool used primarily by the larger charities with income typically in the tens of millions of pounds. In fact, 11.53% of all RTB trackers were discovered in the top half of one percent of UK charities.

Charities might not even know it's happening

One of the questions most people want answering is why these so-called trackers exist on charity web pages in the first place. At a basic level, charities want to capture certain data about their users so that they can later be retargeted for advertising. For example, "Charity A" might want to target female visitors in their 60s with an income of £40,000+ that have clicked on the 'donate' button in the past 6 months.

To achieve this level of detail, they might be asked by a digital agency or partner to add a pixel or tag to their pages. However, it is entirely possible for these third-party elements to request additional resources from other AdTech providers. We've witnessed multiple instances of what is known as redirection-based tracking. This occurs when the third party redirects the request to additional parties via an HTTP 3xx redirect response, essentially sharing browsing behaviour with fourth parties. So while "Charity A" might have knowingly included a pixel on a page, it could be completely unaware that the pixel is acting as a Trojan horse for other companies.
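
The redirection chain described above, as an added example that is not part of the original report: it follows a pixel's 3xx hops, labels each host it reaches as first, third or fourth party relative to what "Charity A" actually embedded, and shows which hops still carry the referring page path. The hosts, URLs and response table are constructed so that the example runs offline; a real audit would read the same chain from a proxy or browser network log.

```python
"""Follow a tracking pixel's redirect chain and report the fourth parties it reaches.

Added example, not the report's tool. RESPONSES is a constructed table
(an assumption) standing in for live HTTP responses so the code runs offline.
"""
from urllib.parse import urljoin, urlparse

# Constructed responses: request URL -> (status, Location header or None).
# Charity A embeds one pixel from tracker-a.example; that vendor 302s onward
# to two further vendors, carrying the referring page path in a query string.
RESPONSES = {
    "https://pixel.tracker-a.example/p.gif?ref=/support/diagnosis":
        (302, "https://sync.tracker-b.example/match?ref=/support/diagnosis"),
    "https://sync.tracker-b.example/match?ref=/support/diagnosis":
        (302, "/cm?partner=b&ref=/support/diagnosis"),   # relative Location
    "https://sync.tracker-b.example/cm?partner=b&ref=/support/diagnosis":
        (302, "https://cm.tracker-c.example/cm?partner=b&ref=/support/diagnosis"),
    "https://cm.tracker-c.example/cm?partner=b&ref=/support/diagnosis":
        (200, None),
}
MAX_HOPS = 10

def fetch(url):
    """Stand-in for an HTTP GET with automatic redirects disabled (assumption)."""
    return RESPONSES.get(url, (404, None))

def follow_chain(start_url, max_hops=MAX_HOPS):
    """Return every URL contacted, starting at start_url, until a non-3xx response."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400) or location is None:
            return chain
        url = urljoin(url, location)     # Location may be relative to the current URL
        if url in chain:                 # redirect loop: stop rather than spin
            return chain
        chain.append(url)
    return chain                         # gave up after max_hops

def parties(page_url, embedded_urls):
    """Map each contacted host to 'first', 'third' or 'fourth'.

    'third' is a host the page itself embeds; 'fourth' is a host that is only
    reached because a third party redirected to it.
    """
    site = urlparse(page_url).hostname
    embedded_hosts = {urlparse(u).hostname for u in embedded_urls}
    roles = {}
    for start in embedded_urls:
        for hop in follow_chain(start):
            host = urlparse(hop).hostname
            if host == site:
                role = "first"
            elif host in embedded_hosts:
                role = "third"
            else:
                role = "fourth"
            roles.setdefault(host, role)
    return roles

def leaks_referrer(chain, page_path):
    """Hops whose URL still carries the referring page path (e.g. in ref=)."""
    return [u for u in chain if page_path in u]

if __name__ == "__main__":
    page = "https://www.charity-a.example/support/diagnosis"
    pixel = "https://pixel.tracker-a.example/p.gif?ref=/support/diagnosis"
    for host, role in parties(page, [pixel]).items():
        print(f"{role:6} party: {host}")
    print("hops carrying the page path:", len(leaks_referrer(follow_chain(pixel), "/support/diagnosis")))
```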

When one considers that the owner of the website might not even be aware that this process is happening, it becomes almost laughable to argue that users can provide any meaningful form of consent.  

The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.

Information Commissioner's Office, RTB Update Jun 2019

A disregard for GDPR and PECR

For charities that are engaging in programmatic advertising, it is essential that the website does its very best to communicate that information to the user. This is especially true for sites that address sensitive topics. In this section, we address the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) practices of the top 100 most trusted charity websites.

The definition of ‘personal data’ changes depending on who you speak to. The vast majority of the public would be unlikely to consider their IP address a piece of personally identifiable information, but the courts disagree. For the purposes of this report, we used the following definition:

“Any information relating to an identified or identifiable natural person.” (Article 4 (1) of the General Data Protection Regulation)

PECR requires that users or subscribers consent to cookies being placed or used on their device. The definition of consent is as follows: 

"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

According to PECR, this means that:

  • The user must take a clear and positive action to give their consent to non-essential cookies
  • Organisations must clearly inform users about what the cookies are and what they do before they consent to them being set
  • If a company uses any third-party cookies, they must clearly and specifically name who the third parties are and explain what they will do with the information
  • Organisations must not use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies
  • Organisations must provide users with controls over any non-essential cookies, and still allow users access to their website if they don’t consent to these cookies
  • Organisations must ensure that any non-essential cookies are not placed on their landing pages (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent)

GDPR and PECR set an exceptionally high bar for compliance. The regulations go as far as to say that analytics platforms are not essential to the operation of a website. There are very few web-based businesses that would agree with the sentiment, but the regulators are looking at this from the perspective of users, not businesses. For the purposes of this study, we treated analytics platforms as essential. Even then, the vast majority of charities failed to meet the standards set out.

Copyright Policy

Please feel free to copy excerpts, embed our infographics, and use our data for your own stories. All that we ask is that you include a link to the report. Projects like this require a huge amount of resource, time & dedication.

GDPR Results


92% of top charity websites were found to be non-compliant according to the criteria above. The primary reason for this was that only 8 of them fully suspended the loading of third-party cookies until after consent was given. At its most simple, this means that user information is potentially being shared with advertising companies (or social platforms that generate revenue through advertising) regardless of whether or not the user consents.

30% of top charities gave users no option to consent, offering no real choice for users – therefore consent is not being “freely given”.

Only 32% of top charity websites offered granular control over cookies for users - letting them select which cookies they wished to consent to. Of that 32, only 13% showed cookies as inactive by default.

GDPR Case Study #1: What 'compliant' looks like (St. John Ambulance)

[Screenshot: St. John Ambulance website]

Firstly, we want to show what good GDPR compliance looks like. In the case of St. John Ambulance (SJA), cookies were paused until consent was acquired. Its pop-up box gave information (with more found on its privacy and cookies page), and gave users granular control over the cookies used.

None of the boxes were pre-checked aside from the necessary cookies that are essential for the operation of the page, which is therefore GDPR compliant. Only upon consenting to the use of cookies did they actually start to function.

GDPR Case Study #2: What 'non-compliant' looks like (Mind)

[Screenshot: Mind website]

We accepted Mind’s default cookie settings (functional, necessary and performance cookies having consent, but without consent for marketing cookies). Clicking through the website, we noticed that advertising elements were still firing. These included: AddThis (Oracle), DoubleClick (Google), Bing Ads, and Facebook.

After this, there was no clear way to return to cookie settings. We reloaded the page in a fresh environment and this time rejected all cookies options. Buried under 'Strictly Necessary Cookies' was an additional option to 'Allow all' or 'Allow only my choices'. We set this to the latter. Even then, we found AddThis, Facebook Social Graph, and Google Dynamic Remarketing elements were firing on sensitive pages.

Mind appears to be using CookiePro by OneTrust, a well-known consent management platform (CMP), to implement its cookies; however, the banner is failing to stop trackers even at a basic level, while a US data broker tracker grabs data on sensitive pages. 

While CMPs provide a straightforward way for organisations to remain compliant under EU regulations, it's vital that webmasters audit the implementation of such solutions.

Conclusion

Undoubtedly, this research shines a light on a practice that is, at best, morally opaque, and at worst, illegal and harmful. But who is at fault? Is it the AdTech industry, whose reach arguably extends to the majority of the 1.3 billion sites that form the World Wide Web? Or the charities, who are simply using every tool at their disposal to generate the income needed to survive? This is a question we have struggled with since the start of this investigation. Like all difficult questions, the answer isn’t binary.

The industry is in desperate need of further regulation. It is simply impossible to assume self-policing is a practical solution. While there is extensive documentation on the various protocols, none of it was really designed for human consumption and so transparency is almost non-existent. Much of this user-profiling happens server-side, which is to say, we cannot truly understand how data is being used. The data supply chain is muddied at best and there are what can only be described as data protection voids, where user data is both priceless and worthless in equal measure.


But charities are ultimately the ones responsible for the content on their websites. Unless a site has been hacked, third-party elements that load on a page do so at the instruction of the owner of that site. While additional trackers might well be loading without the knowledge of a charity, thanks to redirection chains, it remains the duty of the site owner to understand what is and isn't loading on any given page.

The most trusted charities in the country are engaging in programmatic advertising because it allows them to target potential donors with pinpoint accuracy; but in doing so, are they undermining the trust that their visitors and patrons place in them?

By including third-party elements on their sensitive pages, they open up the potential for these faceless for-profit organisations to profile visitors of charity sites, often in their darkest hour, without their knowledge or properly informed consent. Combined with other data about their interests and habits - this data could be misused to target people when they are at their most vulnerable.

If charities are to engage in programmatic advertising, we'd urge them to remove unnecessary third-party elements from pages dealing with sensitive topics, particularly those belonging to data brokers and other companies that operate in the programmatic ecosystem.

Furthermore, genuine cookie consent and GDPR compliance are clearly not being enforced on charity websites. With 92% of top charities failing in GDPR compliance, this is a dangerous and negligent approach to data privacy, and one that completely undermines the vital and life-changing work that these charities do every single day. If trust is to be maintained with users, these charities must audit their cookie consent mechanisms and practices and put the user before the income generated through AdTech.

The aim of this study is not to lay blame at the feet of the charity sector or undermine the incredible work they do. Rather, we'd simply like to pose the question: If charities are going to engage in programmatic advertising and other forms of segmented advertising, can they do it without including third-party elements on their most sensitive pages? We'd argue, both technically and ethically, the answer is yes.

Limitations of this study

Manual consent

The greatest irony of this study was that any charity following the letter of the law with regards to cookie consent would likely not have been flagged in the bulk analysis. Websites within the EU (and the UK) should not load third-party cookies or other trackers until the user takes action. Because our scanner is unable to provide consent, it only detects third-party trackers that load immediately.

It's safe to assume that there are many charities using AdTech that we did not detect; they fell outside the scope of the research simply by complying with EU and UK legislation. That being said, the vast majority of the 100 charities we manually analysed loaded third-party trackers before consent was gathered. Based on the assumption that the rest of the charity sector follows the same practice, we anticipate that the data is largely accurate.
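To make the site owner's duty and the scanner's limitation concrete, here is an added example (not the report's own tool) that groups the requests a page issues into first-party and third-party registrable domains, counting only those fired before any consent action. The public-suffix handling is a deliberately small assumption-based list, and every host in the sample capture is constructed.

```python
"""Audit which third-party domains a page contacts before consent.

Added illustration, not the report's scanner. Uses a hand-maintained set of
UK multi-label suffixes instead of the full Public Suffix List (assumption),
and a constructed request capture with made-up hostnames.
"""
from urllib.parse import urlsplit

# Assumption: a real audit would load the complete Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "me.uk", "net.uk"}


def registrable_domain(host: str) -> str:
    """Return eTLD+1, e.g. 'pixel.example.org.uk' -> 'example.org.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_hosts(page_url: str, requests: list) -> dict:
    """Count pre-consent third-party requests per registrable domain.

    `requests` holds {"url": str, "before_consent": bool} records (e.g. from
    a HAR capture). Skipping post-consent records mirrors the bulk scanner's
    limitation: a tracker that fires only after a click is never seen.
    """
    site = registrable_domain(urlsplit(page_url).hostname)
    seen: dict = {}
    for req in requests:
        if not req["before_consent"]:
            continue  # consent-gated loads are invisible to the scanner
        host = urlsplit(req["url"]).hostname
        if host is None or registrable_domain(host) == site:
            continue  # first-party resource, not a tracker candidate
        domain = registrable_domain(host)
        seen[domain] = seen.get(domain, 0) + 1
    return seen


# Constructed capture of a sensitive page; none of these hosts is real.
SAMPLE_PAGE = "https://www.example-charity.org.uk/support/mental-health/"
SAMPLE_REQUESTS = [
    {"url": "https://www.example-charity.org.uk/assets/app.js", "before_consent": True},
    {"url": "https://cdn.example-charity.org.uk/hero.jpg", "before_consent": True},
    {"url": "https://pixel.example-broker.com/sync?ref=/support/mental-health/", "before_consent": True},
    {"url": "https://bid.example-exchange.net/rtb", "before_consent": True},
    {"url": "https://bid.example-exchange.net/cookie", "before_consent": True},
    {"url": "https://tag.example-analytics.com/collect", "before_consent": False},
]

if __name__ == "__main__":
    for domain, count in sorted(third_party_hosts(SAMPLE_PAGE, SAMPLE_REQUESTS).items()):
        print(f"{domain}: {count} request(s) before consent")
```

The analytics host in the sample never appears in the output because it only loads after consent, which is exactly the class of tracker the bulk analysis could not count.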

Data cleansing

The database used to extract domains is maintained by the Charity Commission and is, therefore, the closest thing available to an official dataset. However, we noticed that several of the domains belonged to organisations that are either not registered charities or are primarily something else, such as media organisations, with a charitable arm. Every effort was made to remove these domains from the analysis, as their financial motives and ethical guidelines differ significantly from those of charities.

Analytics as an essential tool

While the ICO says that analytics is not an essential function, we have not been able to find a charity that does not treat it as one. As such, for the purposes of this study, we have treated all forms of analytics as essential to the operation of the site.

References

Bashir, Muhammad Ahmad. On the Privacy Implications of Real Time Bidding. [Web] Northeastern University, August 2019, accessed 28/08/2020.
Available at: https://www.ccs.neu.edu/home/ahmad/publications/bashir-thesis.pdf

Eich, Brendan. ‘Surveillance on UK Council Websites Brave’s Report on Surveillance of UK Citizens by Private Companies Embedded on Council Websites’. [Web] Brave, February 2020, accessed 15/08/2020.
Available at: https://brave.com/wp-content/uploads/2020/02/Surveillance-on-UK-council-websites_compressed_version.pdf

European Data Protection Board. ‘Guidelines 05/2020 on Consent Under Regulation 2016/679 Version 1.1 Adopted on 4 May 2020’. [Web] European Data Protection Board, May 2020, accessed 14/08/2020.
Available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

Ghostery. Ghostery Insights Beta. [Software] Chrome Web Store, September 2020 [current version], accessed 02/09/2020.
Available at: https://chrome.google.com/webstore/detail/ghostery-insights-beta/eafjgfjfiocmniplemahnlhgibaanhch

Gov.UK. ‘Ethnicity Facts and Figures’. [Web] Gov.UK, August 2020, accessed 02/09/2020.
Available at: https://www.ethnicity-facts-figures.service.gov.uk/uk-population-by-ethnicity/demographics/age-groups/latest

Hu, Xuehui, and Nishanth Sastry. ‘What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem’. [Web] WebSci ’20, July 6–10 2020, Southampton, accessed 18/08/2020.
Available at: https://nms.kcl.ac.uk/nishanth.sastry/pdf/2020/WebSciTangleFactor.pdf

Information Commissioner’s Office. ‘Update Report into AdTech and Real Time Bidding’. [Web] Information Commissioner’s Office, June 2019, accessed 02/09/2020.
Available at: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf

Interactive Advertising Bureau. AdCOM Specification v1.0. [Web] GitHub, June 2020, accessed 01/09/2020.
Available at: https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20v1.0%20FINAL.md

Interactive Advertising Bureau. IAB Tech Lab Content Taxonomy [formerly Quality Assurance Guidelines (QAG) Taxonomy]. [Web] Interactive Advertising Bureau, November 2017, accessed 28/08/2020.
Available at: https://www.iab.com/guidelines/iab-quality-assurance-guidelines-qag-taxonomy/

Li, Tai-Ching, Huy Hang, Michalis Faloutsos, and Petros Efstathopoulos. ‘TrackAdvisor: Taking Back Browsing Privacy from Third-Party Trackers’. In International Conference on Passive and Active Network Measurement. [Web] Springer, 2015, 277–289.
Available at: https://doi.org/10.1007/978-3-319-15509-8_21

Libert, Tim. WebXray. [Software] GitHub, no longer freely available.
Information available at: webxray.org

LiveRamp. ‘Identity Graph: Connecting Data for Better Customer Relationships’. [Web] LiveRamp, date unknown, accessed 08/09/2020.
Available at: https://liveramp.uk/our-platform/identity-graph/

Oracle. ‘AddThis Privacy Policy’. [Web] Oracle, March 2020, accessed 02/09/2020.
Available at: https://www.oracle.com/legal/privacy/addthis-privacy-policy.html

Privacy International. ‘Your Mental Health for Sale: How Websites About Depression Share Data with Advertisers and Leak Depression Test Results’. [Web] Privacy International, September 2019, accessed 01/09/2020.
Available at: https://privacyinternational.org/sites/default/files/2019-09/Your%20mental%20health%20for%20sale%20-%20Privacy%20International.pdf

‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016’. Official Journal of the European Union. May 2016. [Web], accessed 18/08/2020.
Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Interested in doing your own research?

Our bulk third-party tracking tool is currently in closed beta and is available to journalists and researchers. If you would like to use the tool for your project, please get in touch.