Cookies are small text files that attach themselves to our browsers when we open web pages, and are the main technology used to gather data for targeted and behavioural advertising.
Many cookies are essential and are used for things such as audience measurement, hosting and website design, in order to improve the browsing experience.
Consent for these sorts of essential cookies is not necessary.
Third party advertising cookies, however, help companies deliver ads that are relevant to your browsing habits and require consent from the user.
Across two days in October, the BBC’s Shared Data Unit scanned 405 council homepages and 368 council benefits pages in the UK.
No definite advertising cookies were found on St Helens Council’s website.
However, a small number of cookies linked to advertising from a third party company based in Denmark were found.
“Although we do not run the advertising cookies mentioned in the BBC report, we will look to review and update the necessary consent on our website as soon as possible.”
The wider BBC investigation found that more than 950 third party advertising cookies embedded in council benefits pages.
Investigators discovered that some of the cookies used on council websites had included adverts for high interest credit cards and Black Friday deals.
Just under half of advertising cookies found came from Google’s advertising arm, DoubleClick.
Google has previously said it would phase out third party cookies within the next two years on websites accessed via its Chrome browser, in response to calls for greater privacy controls.
The Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, said the setting of non-essential cookies without consent would be illegal. It said it would look into the findings.
Since the General Data Protection Regulation (GDPR) came into force in 2018, rules around handling and sharing data have been much stricter.
Sitting alongside GDPR are the Privacy and Electronic Communications Regulations, which demand full active consent from users before tracking cookies are embedded on browsers.
This means the user must be offered an active decision to accept or decline cookies when they first land on a website.
“At this point a final day of reckoning has yet to come, but laws like GDPR may be setting the stage for a fundamental realignment whereby the digital world will have to comply with the moral and ethical standards we’ve developed over centuries in the pre-digital era,” said Prof Tim Libert, a computer scientist at Carnegie Mellon University and creator of the webXray tool used in the BBC investigation.
Prof Libert said any evidence of deeper integration between the civil and commercial realms is “cause for grave concern”.
“First and foremost, it is important to note that there is no way for a tracker to force their code onto a site short of hacking it – the site itself must place the code there,” he said.
“So the biggest party of responsibility is the website owner without question.
“In my view, targeting residents through benefits pages is utterly reprehensible as the most protections should be extended to those most in need.”
Responding to the findings, the Local Government Association (LGA) said councils take legal compliance “seriously”.