A BBC investigation into 400 council websites across the UK has found that more than two-thirds did not appear to ask for the correct form of consent under GDPR.
The investigation, carried out by the BBC Shared Data Unit, also found that more than half of the local authority websites probed had third-party advertising cookies on their benefits pages.
In some cases, this allowed adverts for high-interest rate credit cards to be targeted at site users who were seeking information on benefits.
According to the ICO’s Executive Director for Technology Policy and Innovation, Simon McDougall, “the ICO has made looking at the use of adtech a priority. This investigation by the BBC further highlights our concerns about the lack of transparency and consent when adtech is used.
“While the ICO is keen to promote innovative uses of technology, that cannot be at the expense of people’s fundamental legal rights. We will be assessing the information provided by the BBC.”
In October of last year, the CJEU ruled that a pre-ticked consent box is not a sufficient degree of consent - instead, “active consent” is needed.
Just under half of the third-party advertising cookies found by the BBC Shared Data Unit were from Google’s advertising division, DoubleClick. Services like DoubleClick allow sites to sell advertising space to third-parties easily.
According to DoubleClick’s site, the software also allows websites to understand individual user behaviour and infer how much value different users create by recording a user’s activity on the site.