Open Letter to the UK Charity Sector

Dated: 18/11/2020

To Whom It May Concern,

We are extremely concerned with the UK charity sector’s use of tracking technologies, specifically those belonging to data brokers and programmatic advertising platforms, and we are calling for its removal from sensitive web pages.

On September 10, 2020, ProPrivacy published a report highlighting the widespread use of programmatic advertising in the charity sector and the potential impact this could be having on the privacy of users of charity websites.

While we understand that charities do commendable work to help society's most vulnerable in an often financially challenging environment, we’d like to make you aware that by using this technology, you could be inadvertently compromising the privacy of your users.

Our research found that many charity pages dealing with extremely sensitive issues such as mental health, debt, end-of-life care, and disability contained various trackers belonging to AdTech services, including data brokers. You are probably using these trackers to run legitimate advertising campaigns, but in doing this you are also allowing AdTech companies to profile your users based on these topics.

AdTech companies have built an entire business model around harvesting human data on a massive scale. By allowing AdTech companies access to data on these sensitive pages, you are inadvertently enabling them to profile often vulnerable users based on the topic of the page.

Furthermore, you are failing to meet your obligations under the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) because these third-party elements load before the user is able to consent to them.

When a mother with a drinking problem visits a charity site for help, is it reasonable for her to expect that this information might form some part of an advertising profile that can be sold on to hundreds of third parties including alcohol retailers? When a teenager seeks advice about their mental health, should they assume this data could eventually form part of their digital DNA?

Of course, the answer is ‘no’.

We can see no good reason why you, as a trusted charity, should offer up user data to companies who are in the business of profiting from such data. This is particularly true on pages handling sensitive topics.

It is perfectly possible to continue digital advertising activity without placing third-party tracking technologies on support pages that deal with intimate subjects.

We’re calling on top charities in the UK to conduct audits of their websites for third-party elements belonging to those in the AdTech space and to exclude them entirely from any support or advice pages dealing with sensitive topics.

We urge you to protect your most vulnerable users from online profiling.

Signed,

Sean McGrath - Editor, ProPrivacy

Professor Arosha K. Bandara- Professor of Software Engineering, The Open University

Dr Muhammad Ahmad Bashir - Postdoctoral Research Fellow, International Computer Science Institute (ICSI)

Dr Subhajit Basu - School of Law, University of Leeds

Dr Paul Bernal - Associate Professor in IT, IP and Media Law, UEA Law School

Paul Bradshaw - Head of MA in Data, Multiplatform and Mobile Journalism at Birmingham City University, co-founder of Help Me Investigate

Professor Bill Buchanan - Centre for Cybersecurity and Cryptography, Edinburgh Napier University

Professor David Chadwick - CEO, Verifiable Credentials Ltd

Silkie Carlo - Director, Big Brother Watch

Professor Sylvie Delacroix - Professor in Law and Ethics, University of Birmingham

Dr Pooya Farshim - Department of Computer Science, University of York

Dr Virginia Franqueira - Kent Interdisciplinary Research Centre in Cyber Security, University of Kent

Dr David Galindo - School of Computer Science, University of Birmingham

Dr Geoffrey Goodell - Department of Computer Science, University College London

Dr Audrey Guinchard - School of Law, University of Essex

Dr Tristan Henderson - School of Computer Science, University of St Andrews

Julia Hörnle - Professor of Internet Law, Queen Mary University London

Dr Julian Huppert - Jesus College, Cambridge

Professor Michael Huth - Department of Computing, Imperial College London

Professor Marina Jirotka - Department of Computer Science, University of Oxford

Dr Mohamed Khamis - School of Computing Science, University of Glasgow

Dr Markulf Kohlweiss - School of Informatics, University of Edinburgh

Professor Stephan Lewandowsky - School of Psychological Science, University of Bristol

Professor Shujun Li - Kent Interdisciplinary Research Centre in Cyber Security, University of Kent

Professor Carsten Maple- Professor of Cyber Systems Engineering, WMG, University of Warwick

Dr Nóra Ni Loideain - Information Law & Policy Centre, Institute of Advanced Legal Studies, University of London

Professor Nir Oren - Head of Computing Science, University of Aberdeen

Professor Bashar Nuseibeh - Head of Software Engineering & Design, The Open University.

Dr Elvira Perez Vallejos - School of Medicine, The University of Nottingham

Dr Henry Pearce - School of Law, University of Portsmouth

Dr Felipe Romero-Moreno - Department of Law, University of Hertfordshire

Professor Mark Ryan - School of Computer Science, University of Birmingham

Dr Siamak F. Shahandashti - School of Computer Science, University of York

Professor Steve Schneider - Surrey Centre for Cyber Security, University of Surrey

Dr Avelie Stuart - Research Fellow, Department of Psychology, University of Exeter

Professor Burkhard Schafer - School of Law, University of Edinburgh

Dr Isabel Wagner - Cyber Technology Institute, De Montfort University

Professor Karen Yeung - Birmingham Law School and School of Computer Science, University of Birmingham

Recommended Reading