Mark Alan Richards

NHS’s Covid-19 website includes advertiser tracking

security privacy data-protection

https://covid19.nhs.uk/ is the primary website for the NHS's Covid-19 app.

It is referenced in the Android app source code.

The website has a cookie banner asking if you want to accept or decline cookies.

However, without any interaction, advertiser cookies are already being used and you are being tracked

What does it load?

It loads a Youtube video, that in turn loads Google Doubleclick content.

What does this mean?

The site enrols users into advertiser tracking by Youtube and Doubleclick.

Advertiser tracking is typically used to recommend adverts based on your browsing habits.

Google demands websites do not include Youtube videos on sites without first getting cookie consent or using appropriate privacy features.

Youtube demands its typical service is not provided to users under the age of 13.

Which laws are broken?

Is this excusable?

No, video is easy on websites without Youtube.

Also, not only does Youtube have options to reduce tracking which have not been set, but the NHS can self host their content or use services from video content hosters that are not famous for breaching privacy.

This seems familiar?

Yes, similar privacy failures regarding Youtube were found in recent posts here.

Video demo

Video showing Youtube and Doubleclick cookies

Har data.