NHS’s Covid-19 website includes advertiser tracking
https://covid19.nhs.uk/ is the primary website for the NHS's Covid-19 app.
It is referenced in the Android app source code.
It has a dysfunctional cookie banner
The website has a cookie banner asking whether you want to accept or decline cookies.
However, before you interact with it at all, advertiser cookies are already set and you are being tracked.
What does it load?
It embeds a YouTube video, which in turn loads Google DoubleClick content.
What does this mean?
The site enrols users into advertiser tracking by YouTube and DoubleClick.
Advertiser tracking is typically used to recommend adverts based on your browsing habits.
Google requires that websites do not embed YouTube videos without first obtaining cookie consent or using the appropriate privacy features.
YouTube also requires that its standard service is not provided to users under the age of 13.
Which laws are broken?
- ePrivacy/PECR (the "cookie law"): storing or reading data on a user's device that is not strictly necessary for the service requires consent.
- DPA/GDPR: Google's tracking cookies are typically linked to Google accounts, so the data is associated not just with a device but with an identifiable user. It is therefore personal data, and consent must be obtained before it is collected.
Is this excusable?
No. Putting video on a website without YouTube is easy.
Not only does YouTube offer options to reduce tracking that have not been enabled here, but the NHS could also self-host its content or use a video hosting provider that is not known for breaching privacy.
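The two points above, that the embed loads a tracking host before the banner is answered and that YouTube has a reduced-tracking option, can both be checked mechanically. The following is an added example written for this post; it is not code from the NHS site or from YouTube. It audits a page's static `<iframe>` embeds for the hosts the post names (YouTube and DoubleClick), rewrites a video ID onto `www.youtube-nocookie.com` (YouTube's privacy-enhanced mode domain), and emits an iframe that carries only `data-src` until consent is given so the browser fetches nothing beforehand. The host lists, the function names and the sample HTML are assumptions constructed for the example.

```javascript
// Added example (not from the original post): audit <iframe> embeds for
// third-party video/ad hosts that set cookies before consent, and build a
// consent-gated, privacy-enhanced YouTube embed instead.
//
// Assumptions: TRACKING_HOSTS are the hosts the post names; www.youtube-nocookie.com
// is YouTube's documented privacy-enhanced mode domain. SAMPLE_HTML is constructed.

// Hosts the post identifies as enrolling visitors into advertiser tracking.
const TRACKING_HOSTS = ["youtube.com", "doubleclick.net"];
// Hosts treated as reduced-tracking alternatives.
const PRIVACY_HOSTS = ["youtube-nocookie.com"];

// True when hostname is `suffix` itself or a subdomain of it.
function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith("." + suffix);
}

// Extract every quoted <iframe src="..."> value from an HTML string.
// Only static markup is seen; script-injected embeds need a browser-side check.
function extractIframeSrcs(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Classify one embed URL as "tracking", "privacy-enhanced" or "other".
function classifyEmbed(src) {
  let url;
  try {
    // The base URL resolves protocol-relative "//www.youtube.com/..." forms.
    url = new URL(src, "https://example.invalid/");
  } catch {
    return "other";
  }
  const host = url.hostname.toLowerCase();
  if (PRIVACY_HOSTS.some((h) => hostMatches(host, h))) return "privacy-enhanced";
  if (TRACKING_HOSTS.some((h) => hostMatches(host, h))) return "tracking";
  return "other";
}

// Audit: return the embeds that would contact a tracking host before consent.
function auditEmbeds(html) {
  return extractIframeSrcs(html)
    .map((src) => ({ src, kind: classifyEmbed(src) }))
    .filter((e) => e.kind === "tracking");
}

// Build the privacy-enhanced embed URL for an 11-character YouTube video ID.
function privacyEnhancedEmbedUrl(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error("bad video id");
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Consent gate: before consent the iframe carries only data-src, so the
// browser fetches nothing; after consent the page copies data-src into src.
function consentGatedIframe(videoId, consentGiven) {
  const url = privacyEnhancedEmbedUrl(videoId);
  const attr = consentGiven ? "src" : "data-src";
  return `<iframe ${attr}="${url}" allowfullscreen></iframe>`;
}

// Constructed sample page: one standard embed (tracks) and one privacy-enhanced.
const SAMPLE_HTML = `
<p>Watch the video:</p>
<iframe src="https://www.youtube.com/embed/sampleVid01"></iframe>
<iframe src='https://www.youtube-nocookie.com/embed/sampleVid01'></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditEmbeds(SAMPLE_HTML));           // flags the www.youtube.com embed
  console.log(consentGatedIframe("sampleVid01", false)); // data-src only, nothing loads
}
```

Run it with `node audit.js` against any saved page source to list the embeds that load a tracking host regardless of the banner. The consent-gated markup is the pattern a site can use instead: the privacy-enhanced domain avoids the DoubleClick cookies for users who never press play, and withholding `src` until consent means no request reaches Google at all before the banner is answered.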
Does this seem familiar?
Yes, similar privacy failures involving YouTube were found in recent posts here.
Video demo
Video showing the YouTube and DoubleClick cookies