Surveillance on UK council websites

Brave’s report on surveillance of UK citizens by private companies embedded on council websites
Big data, Fair trading regulation, Data collection, Data collection platforms, Internet, Cyber security, Local government, Online privacy, Consumer protection, United Kingdom

In this report, Brave reveals that people are extensively tracked by third-party data-collecting companies on their local councils' websites. This applies with varying degrees of severity across the United Kingdom. The UK map (page 4) and tables (pages 17-21) show the number of third-party data collectors in each council area. At its most dangerous, data brokers learn directly from council sites when individuals read about alcoholism and substance abuse assistance, as shown on page 13.

Key insights:

  • Nearly all council websites permit at least one company to learn about the behaviour of people who visit them. People seeking information about disability, poverty, drugs and alcoholism services are profiled by data brokers on some council websites.
  • 198 council websites in the UK use the “real-time bidding” (RTB) form of advertising. Real-time bidding is the biggest data breach ever recorded in the UK. Though its illegality is not in dispute, the UK Information Commissioner (ICO) has failed to act.
  • Google operates systems used behind the scenes on many council sites. Google owns all five of the top embedded elements loaded by council websites, giving it the power to know what virtually anyone in the UK views on council sites.
  • Over a quarter of the UK population is served by councils that embed Twitter, Facebook, and others on their sites, leaking the sensitive issues people read about to these companies.
  • 6.9 million people are served by councils that allow data broker LiveRamp to track people on their sites. Until recently it was part of the Acxiom Group, which sold data to Cambridge Analytica.
  • None of the data collecting companies recorded in this study had received consent from the website visitor to lawfully process data.
  • Data leakage from council websites is a “data breach” under Article 5(1)(f) of the GDPR.

