Interviews, insight & analysis on digital media & marketing

Our Diagnosis on the Special Category “Data Breach”

Behind the Curtain is a monthly column from Chloe Grutchfield of Redbud, digging deep each month to discover what’s really going on buried deep in the adtech ecosystem

Since the Financial Times article “How top health websites are sharing sensitive data with advertisers” was published, a plethora of other publications have followed suit, with sometimes apocalyptic headlines on how UK publishers are monetising their readers’ health problems. A few worried clients of ours got in touch with us to understand if they were inadvertently allowing special category data – derived from their users’ browsing behaviour – to be sold to advertisers. 

The simple answer? No.

In 99.9% of cases, publishers are not knowingly or intentionally selling a user’s personal health data, and most vendors are not trying to build audiences off of special category data. Why? The risk is too high versus the benefits. Hello, GDPR?! 

The way the web was built, and the current programmatic advertising ecosystem has created a landscape full of cracks. The industry is working hard (believe me, we have attended countless meetings to understand how we can help to improve) but we need to be better. That’s undeniable. 

But in order to be better, we need to decipher fact from fiction. 

Let’s take a look at the Special Category data breach and what happened.

Website Search Capabilities

Most websites have a search capability that allows users to find articles that match their particular interest. So, for testing purposes, I decided to search for “fertility problems” across a range of websites – not just health-related websites. 

Since the damning article came from the FT, naturally I started there. The irony is that FT is actually a victim of one of the issues that is called out in the article itself. 

Upon entering the keywords “fertility problems”, I land on a page Several things are happening in the background:

  • An ad/bid request is sent to advertising partners (including Google) and the URL is sent as part of the request (that’s standard)
  • Other trackers that are triggered on the site (either through direct implementation or via redirects) also receive the URL (except if they are part of a “safe frame”, which tends to happen with vendors that are involved in the serving and tracking of an ad)

Here is an illustrative screenshot to show the URL with the special category keywords sent within a Google API call as I’m browsing the FT search results:

A screenshot of a social media post

Description automatically generated

This is not restricted to advertising technology by the way. Any tracker implemented on site for whatever purpose (functional, analytics, measurement etc.) will get a “referrer” URL in the HTTP request and therefore access to this URL (unless they are triggered via a safe frame).

This URL doesn’t allow any vendor to single out an individual, unless they are able to drop a cookie that stores an ID which is also saved on the vendor’s database, server side. 

You see where I’m going with this: vendors get the URL (with sensitive information) and in some instances drop a cookie that singles out the individual. Nefarious vendors may be extracting keywords to build audience profiles based off of the search term, therefore putting my cookie in the bucket of “fertility problems”. 

The inevitable question then follows; Who are they going to monetise this to? 

Privacy health companies? I would imagine they have rigorous processes to vet vendors and those vendors wouldn’t pass their privacy checklist. Perhaps they are going through a data aggregator? Yes, that’s also possible. But most have strict privacy vetting processes too. 

I do think that there’s a big risk here, but I like to think that with GDPR, most businesses have strict processes in place to ensure that only data with the appropriate consent is used. There’s just too much to lose. And therefore, I don’t know if we can really talk about a “breach”.

There will always be criminals – with or without cookies — throughout programmatic advertising. The key is in keeping a very close eye on them.

What Can We do? 

There are a few things that can be done by publishers to limit the risk:

  • Change the way that URLs are built in the CMS to obfuscate special category-related keywords contained in articles
  • Change the search functionality so that search terms aren’t passed onto the URL
  • Javascript triggered on page can scan for the content of a particular page – understand which scripts are triggered directly and from who and whether they are triggered via a safe frame 

The industry as a whole need to revisit things to bring risk as close to 0 as possible. I can’t help but see parallels with the accounting world pre-Sarbanes Oxley Act.  The Sarbanes-Oxley Act of 2002 was setup to prevent fraudulent activity by implementing rules and procedures for corporate governance and accountability. I think we need to introduce more audits in our industry to understand where the cracks are and sort them. 


More posts from ->


Being on the outside  – be considerate in communications

It has been a pretty rough year / 18 months for the industry – with that very buoyant employment market suddenly taking a turn for the worse, and a succession of significant layoffs across the market, on the demand and supply side.

It can be a jarring experience for those that lost their roles, and for some even their own sense of self. I know, because I experienced it this year after 15+ years of continuous employment


Emma Newman: how do you drive media performance with sustainability in mind?

The UK is in dire need of concrete climate action. Unfortunately, instead of decisive steps, we’re witnessing hesitancy and delay from the government, which puts us on the brink of missing our crucial emission reduction targets. It’s high time the industry prioritise short- and long-term initiatives to reduce emissions today and in the future thus providing future generations with greater environmental security.


Related articles


My Digital Hero: Marco Ricci, Global CEO at Takumi

Marco’s background in adtech pans over 20 years He has led technology teams at WPP GroupM and Microsoft, before moving to Google to lead Sales Teams both in New York and London. As CCO of Condé Nast he transformed the business into a digital-first company, delivering profitable growth for the first time in 12 years. He joins as Takumi’s Global CEO at a pivotal time for the Influencer Marketing sector.


My Digital Hero: Meena Miles, Director of Global Ad Ops, The Independent

Meena Miles is Director of Global Ad Ops at The Independent. She is responsible for the delivery of all digital media campaigns (video and display) for The Independent, Indy100 and Evening Standard, programmatic revenue and optimisation of all programmatic partners.