Counseling programs share information about users of their sites - including those seeking help with disability or alcoholism - with dozens of private companies.
More than 400 local authorities have allowed at least one third company to track people who visit their websites, the survey revealed.
The data obtained from tracking cookies for which users browse online can be sold by the "data resellers" for profit.
Critics have argued that municipal councils' websites serve a public purpose and should not allow outside businesses to monitor the activity of their users, especially because of the sensitive nature of some visits.
Wolfie Christl, a technologist and researcher in the ad-tech industry, said: "Websites and applications that serve a public domain should not use any third-party invasive monitoring."
Johnny Ryan, head of the anonymous browser policy group Brave, who analyzed the council's websites and shared the findings with the Guardian, said: “Private companies embedded in board sites are learning about you. This is the case even in the most sensitive cases, where you can ask your board for help. ”
The brave ones used open source tools to see which companies existed on certain websites. They found that 409 council websites in the UK allowed private companies to obtain data about their visitors.
Research has shown:
- Twenty-three boards allow data brokers - businesses that collect personal information about consumers and sell this information to other organizations - to know when they visited one of their websites.
- On the Enfield municipality website, a page for people in need of financial support for accommodation and food allowed 21 companies, including Google, to see who visited the site.
- A Sheffield council page for people seeking help with substance abuse shared data on visitors with at least 20 companies, including seven companies that buy data.
- The Ealing Training Needs and Disabilities website has enabled at least 21 businesses to access visitor data.
- Nearly 7 million people are served by boards that allow a data broker like LiveRamp to track people on their sites. The company was part of Acxiom, a group that sold election profiles to Cambridge Analytica.
Companies monitor online activity through cookies, pixels and other trackers. When embedded in a browser, these pieces of code can allow users to find themselves on the web. Although they do not identify personal information such as name or address, determine a user's viewing habits - such as the page loaded at a specific time.
Companies are now prohibited from sharing data on protected categories without explicit consent. This means that before gathering information about health, sexual orientation, nationality and political views, the user must agree to the specific sharing of "special category" data.
Companies say they have a consensus through people who accept cookies. However, Brave's report found that while some websites may have stated that they were using cookies, no users clicked the accept button.
The law states that consent must be informed and based on explicit affirmative action. The Information Commissioner (ICO) stated: “To be valid, consent must be freely given, specific and up to date. It must include some form of explicit positive action - for example, clicking on a link - and the person must fully understand that he or she is giving you consent. "
Ryan said: “We used an automated system to load each board's website. All it does is load the site. Unable to click on buttons. All the surveillance revealed in our investigation happened without consent. "
Mark Gannon, manager of business change and IT solutions at Sheffield City Council, said cookies were used on his site "and we require the consent of all customers to store or retrieve data on a desktop, laptop, smartphone or tablet ”.
The report states that when the Sheffield council website was loaded, companies could follow someone without doing anything.
Sheffield Counseling said they were using an online advertising tool provided by the Council Advertising Network. The network said: "No cookies are installed for spying and reselling purposes - this means that the data collected from the site is for sale, while this is not the case."
The Ealing Consulting Center said it believed its approach was "in line with GDPR requirements". However, he noted: "This is a complex and constantly evolving area that must be constantly monitored."
LiveRamp said it was no longer part of Acxiom and had never "sold UK election profile information to Cambridge Analytica». He said it was operating in accordance with jurisdictional laws and worked "diligently to detect and prevent misuse of data".
Another 198 consulting centers use Real Time Bidding (RTB) - when an internet user loads a page, thousands of potential advertisers offer to serve them an ad. It means that people's data is transmitted across hundreds of companies across the Internet.
Naik said it was difficult to say if the boards had made any money from it. "But I imagine in counseling centers it seems to be a profitable situation."
A representative of her Google stated that no promotional profiles were created “from sensitive interest categories, including from websites offering aid for personal difficulties, and we have strict policies that prevent advertisers from using such data to target ads. "
They told the Guardian that third-party cookies could be used to better serve the basic functionality of the site or to display and measure ads.