A group of academics and privacy campaigners are calling on charities to remove advertising trackers from their most sensitive pages amid concerns they could be liable to fines running into hundreds of millions of pounds.
A report published in September by ProPrivacy, which describes itself as a privacy education and review site, found that charities were allowing advertising technology companies access to data on pages with sensitive content.
The study, ‘Exposing the hidden data ecosystem of the UK’s most trusted charities’, said this would enable companies to profile vulnerable users based on the topic of each page.
The research revealed that 92 of the top 100 UK charities by annual income failed to meet some element of the GDPR, while 84 per cent loaded marketing cookies and other non-essential trackers onto a user’s device before consent was given.
ProPrivacy estimated that combined fines for these data protection breaches could reach between £707m and £1.4bn.
In addition, research found that just over one-fifth were sharing data directly with data brokers, and 31 per cent contained trackers belonging to real-time bidding platforms.
The report described this as a critical issue for the sector that is morally opaque at best, and harmful to users and breaking the law at worst.
Yesterday ProPrivacy – along with 38 academics and privacy campaigners – wrote an open letter calling for charities to remove adtech trackers from their most sensitive pages.
The letter has been sent to some of the biggest UK charities, including the Alzheimer’s Society and the British Heart Foundation, to make them aware of the issue and ask them to remove the trackers from their support pages to protect their users from profiling.
The letter states: “When a mother with a drinking problem visits a charity site for help, is it reasonable for her to expect that this information might form some part of an advertising profile that can be sold on to hundreds of third parties including alcohol retailers?
“When a teenager seeks advice about their mental health, should they assume this data could eventually form part of their digital DNA?
“Of course, the answer is ‘no’.”
ProPrivacy said it would contact the Charity Commission should its letter not bring about a response from the sector, and was preparing to submit its data as evidence to the Information Commissioner’s Office.