Ad Trackers Monitor Citizens on 89% of All EU Government Websites

Trackers collect data about Internet users virtually everywhere across the web – mostly to use this information for commercial purposes, i.e. advertising. They also do not stop at government websites, as a study by Cookiebot shows. According to this analysis, 89% of official government websites of EU member states contain third-party ad trackers.

The highest number of tracking companies were present on websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments. In total, 25 out of 28 official government websites in the EU contained at least one adtech tracker. Only the websites of the German, Dutch and Spanish governments had no commercial trackers.

The Cookiebot results are largely the same as those of a previous study by WhoTracks.me. This had shown that US government websites contained an average of more than 2.4 third-party trackers in September 2018. WhoTracks.me also found at least one tracker each on French, UK and EU government websites.

Tracking on government websites is particularly insidious because the use of these websites is sometimes mandatory. Citizens often have no choice but to access these government sites – for example, to submit tax or visa information – and are therefore forced to hand over data to third-party companies by their governments. The presence of tracking on these pages is enough to leak valuable metadata about citizens to third parties. When this metadata is coupled with other information, people can be easily identified to create comprehensive user profiles.

It is no surprise that Google’s trackers (Google.com, YouTube.com, Doubleclick.net) are most prevalent on government websites, according to Cookiebot’s analysis. After all, the Internet giant is by far the largest data collector ahead of Facebook. With its tracking scripts, Google monitors more than 80 percent of the Internet traffic worldwide. The company also tracks website visits to 82% of the EU’s main government websites.

The Cookiebot researchers also found that while many governments mentioned Google Analytics cookies, which are used to monitor and analyze website visits, in their privacy policies, they did not disclose any advertising-related cookies from ad trackers such as Doubleclick. This is a clear violation of the EU General Data Protection Regulation (GDPR).

Even public health service sites that provide information on HIV, cancer, pregnancy, mental illness or alcoholism were found to harbor ad trackers. People who seek official health advice on these sites must expect to be monitored by adtech companies like Google. These companies can therefore easily draw conclusions about their health condition and life situation. The collected data is likely to be used for targeted ads, and potentially affect economic outcomes, such as insurance risk scores.

Third-party trackers were found on 52% of the examined landing pages with health information. The Irish health service ranked worst, with 73% of landing pages containing trackers. It is followed by UK (60%), Spain (53%), France (47%), and Italy (47%). Germany ranked lowest, yet one third (33%) of their pages held trackers. A French health service webpage about abortion was monitored by 21 different companies. No less than 63 companies were tracking visitors of a single German webpage about maternity leave.

Even some EU data protection authorities seem to be very careless with third-party trackers. For example, the official website of the British Information Commissioner’s Office contains several Google trackers.

The results of the Cookiebot study show how easy it is for adtech companies to place their tracking scripts even on websites that do not rely on ad revenue and actually need to be GDPR compliant. Some trackers even smuggle in their scripts via free third-party services such as video plug-ins or social sharing buttons. Obviously, the tracking ecosystem is out of control.

Daniel Johannsen, founder and chief executive of Cookiebot, says:

We found a lot of adtech trackers were smuggling in other third parties through these plug-ins, without the consent of users or knowledge of the governments themselves. Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains – in violation of the laws that they have themselves put in place.

If you want to better protect your privacy on the web, you should take action yourself. We recommend anti-tracking tools such as Ghostery or Cliqz, which reliably prevent personal data from being sent to third parties when visiting a website.