To Whom It May Concern,
We are extremely concerned with the UK charity sector’s use of tracking technologies, specifically those belonging to data brokers and programmatic advertising platforms, and we are calling for its removal from sensitive web pages.
On September 10, 2020, ProPrivacy published a report highlighting the widespread use of programmatic advertising in the charity sector and the potential impact this could be having on the privacy of users of charity websites.
While we understand that charities do commendable work to help society's most vulnerable in an often financially challenging environment, we’d like to make you aware that by using this technology, you could be inadvertently compromising the privacy of your users.
Our research found that many charity pages dealing with extremely sensitive issues such as mental health, debt, end-of-life care, and disability contained various trackers belonging to AdTech services, including data brokers. You are probably using these trackers to run legitimate advertising campaigns, but in doing this you are also allowing AdTech companies to profile your users based on these topics.
AdTech companies have built an entire business model around harvesting human data on a massive scale. By allowing AdTech companies access to data on these sensitive pages, you are inadvertently enabling them to profile often vulnerable users based on the topic of the page.
Furthermore, you are failing to meet your obligations under the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) because these third-party elements load before the user is able to consent to them.
When a mother with a drinking problem visits a charity site for help, is it reasonable for her to expect that this information might form some part of an advertising profile that can be sold on to hundreds of third parties including alcohol retailers? When a teenager seeks advice about their mental health, should they assume this data could eventually form part of their digital DNA?
Of course, the answer is ‘no’.
We can see no good reason why you, as a trusted charity, should offer up user data to companies who are in the business of profiting from such data. This is particularly true on pages handling sensitive topics.
It is perfectly possible to continue digital advertising activity without placing third-party tracking technologies on support pages that deal with intimate subjects.
We’re calling on top charities in the UK to conduct audits of their websites for third-party elements belonging to those in the AdTech space and to exclude them entirely from any support or advice pages dealing with sensitive topics.
We urge you to protect your most vulnerable users from online profiling.
Sean McGrath - Editor, ProPrivacy
Professor Arosha K. Bandara- Professor of Software Engineering, The Open University
Dr Muhammad Ahmad Bashir - Postdoctoral Research Fellow, International Computer Science Institute (ICSI)
Dr Subhajit Basu - School of Law, University of Leeds
Dr Paul Bernal - Associate Professor in IT, IP and Media Law, UEA Law School
Paul Bradshaw - Head of MA in Data, Multiplatform and Mobile Journalism at Birmingham City University, co-founder of Help Me Investigate
Professor Bill Buchanan - Centre for Cybersecurity and Cryptography, Edinburgh Napier University
Professor David Chadwick - CEO, Verifiable Credentials Ltd
Silkie Carlo - Director, Big Brother Watch
Professor Sylvie Delacroix - Professor in Law and Ethics, University of Birmingham
Dr Pooya Farshim - Department of Computer Science, University of York
Dr Virginia Franqueira - Kent Interdisciplinary Research Centre in Cyber Security, University of Kent
Dr David Galindo - School of Computer Science, University of Birmingham
Dr Geoffrey Goodell - Department of Computer Science, University College London
Dr Audrey Guinchard - School of Law, University of Essex
Dr Tristan Henderson - School of Computer Science, University of St Andrews
Julia Hörnle - Professor of Internet Law, Queen Mary University London
Dr Julian Huppert - Jesus College, Cambridge
Professor Michael Huth - Department of Computing, Imperial College London
Professor Marina Jirotka - Department of Computer Science, University of Oxford
Dr Mohamed Khamis - School of Computing Science, University of Glasgow
Dr Markulf Kohlweiss - School of Informatics, University of Edinburgh
Professor Stephan Lewandowsky - School of Psychological Science, University of Bristol
Professor Shujun Li - Kent Interdisciplinary Research Centre in Cyber Security, University of Kent
Professor Carsten Maple- Professor of Cyber Systems Engineering, WMG, University of Warwick
Dr Nóra Ni Loideain - Information Law & Policy Centre, Institute of Advanced Legal Studies, University of London
Professor Nir Oren - Head of Computing Science, University of Aberdeen
Professor Bashar Nuseibeh - Head of Software Engineering & Design, The Open University.
Dr Elvira Perez Vallejos - School of Medicine, The University of Nottingham
Dr Henry Pearce - School of Law, University of Portsmouth
Dr Felipe Romero-Moreno - Department of Law, University of Hertfordshire
Professor Mark Ryan - School of Computer Science, University of Birmingham
Dr Siamak F. Shahandashti - School of Computer Science, University of York
Professor Steve Schneider - Surrey Centre for Cyber Security, University of Surrey
Dr Avelie Stuart - Research Fellow, Department of Psychology, University of Exeter
Professor Burkhard Schafer - School of Law, University of Edinburgh
Dr Isabel Wagner - Cyber Technology Institute, De Montfort University
Professor Karen Yeung - Birmingham Law School and School of Computer Science, University of Birmingham