European Union governments are likely to default to more than 100 advertising agencies, including Google and Facebook, secretly tracking citizens' information on sensitive public sector websites, according to a study published by Cookiebot, a Danish browser analytics firm. It is now certain that this was not the government's initiative, but it also exposes their lax regulation of the site, in clear violation of their own EU data protection regulations.

Cookiebots found ad trackers that record user locations, devices and advertisers' browsing behavior on official government websites in the 28-nation European Union, with the largest number of ad trackers on French government websites and no commercial trackers detected on government websites in Germany, Spain and the Netherlands. This means that 89 per cent of EU government websites are infiltrated by ad-tracking scripts.

Google, YouTube and Google advertising platform DoubleClick occupy three of the top five ad trackers on the 22 major EU government websites. The researchers also looked at the websites of various public health services in the European Union, in addition to government websites, and found that more than half of them had commercial advertising trackers tracking people's private information, with users seeking health advice on sensitive issues such as abortion, HIV and mental illness the most concerned.

Apparently these ad technology trackers are infiltrated by third-party plug-ins that provide features such as video players, social sharing widgets, web analytics, libraries, and comment areas.

Nearly three-quarters of the 15 pages on the Irish Health Service website contain ad trackers. The French government's website on abortion services is monitored by 21 different companies, and 63 ad trackers monitor a Page on maternity leave in Germany. On a number of health pages, researchers found Google's ShareDoubleClick tracker, which provides information about HIV symptoms, schizophrenia and alcoholism.

To make matters worse, 10 advertising technology companies that track EU citizens are also struggling to cover up their tracks, their websites are not hosted on their tracking domain names, and their domain name ownership (WHOIS) records are hidden by the domain name privacy service. Facebook, for example, did not try to cover up its activities, but did so in the "anti-tracking privacy protocols" used on health landing pages in Ireland and the United Kingdom.

Eliot Bendinelli, chief technology specialist at Privacy International, said:

The researchers also found that while many EU governments refer to Google's analytics cookies in their privacy policies, they do not disclose any advertising-related cookies. Many ad trackers use these plug-ins to access public websites without the user's consent or the government's knowledge. While EU governments may not be involved in or benefit from these data collection activities, they still violate their citizens' privacy, in violation of their own laws.

The researchers say advertising technology companies may combine personal data they obtain from visitors to EU government websites with data from other sources to compile detailed portraits of each user, which can be sold to other companies that need the sensitive information, such as product marketing companies.

Cookiebot's findings raise questions about the public websites' law enforcement violations, in clear violation of the General Data Protection Regulation (GDPR), which came into force in the European Union last year. Let's keep an eye on the next steps and triggers.