Here are breaches of trust, safeguarding, privacy and law. They expose kids to risks of online harm and discrimination.

Charities and public services must not share kids or encourage kids to share their troubles with social media and ad systems.

Social media only allow sites to use their embeds if sites respect terms regarding age limits, parental consent and data collection.

Had these organisations paid attention to the terms, they may have realised that what they were doing was wrong.

If you are distressed by any content, please seek support. The Samaritans are available on 116 123.


What Chiva got wrong?

Chiva is a charity for children with HIV

Their site includes three integrations that have received identifiable data about children or parents using their site.

PayPal and Twitter integrations were loading on what appeared to be every page, with Twitter's api intentionally capturing which page was being visited.

Where the site loads videos, like the page WHAT’S IT LIKE? , YouTube captures identifiable data for its advertising system to use to target content and personalise ads based on a child having HIV.

The YouTube embed is inappropriate for children with HIV, not just because of the generic online harms risks to children if they click through to YouTube, but because the way in which it is promoted is encouraging the child to leave the safety of the charity's site and engage on YouTube with this very sensitive topic - potentially revealing even more information about their condition to YouTube's personalisation systems.

The Twitter feed embeeded in the pages poses similar risks

Advertising and social media personalisation systems from YouTube and Twitter should never be told of a child with HIV's interest in support content given the significant risks of discrimination in personalised content - these are black boxes that the charity can offer no assurances of appropriate mitigations to protect against the risks.

Furthermore, the children's privacy relies heavily on these systems not to be hacked or leak data - a risk a child should not have to think about. A risk that some social media companies have suffered in the past.

Raising the complaint

10th January 2023

A complaint was sent to the charity and ICO, including screenshot evidence of cookie tracking.

24th January 2023

Further details provided regarding cookie banner not being appropriate for YouTube consent and their videos not marked as Made for Kids.

Response So Far

11th January 2023

Thank you for your email and for bringing these issues to our attention.
I have noted the issues you raise and thank you for highlighting that the cookie banner and email contact in our privacy policy were not working.
I can confirm that I have addressed this and those technical issues have been resolved and now function correctly.
Ongoing we will be sure to check technical issues regularly.

In relation to third parties on our website, including embedding You Tube videos which we produce as information resources for young people and professionals we shall review the settings used, ensure enhanced privacy mode is applied and make amends to our Privacy Policy accordingly if advised to do so.
In relation to points concerning our Privacy Policy we will also ensure that this is given independent review as Chiva are fully committed to ensure complete adherence to all GDPR regulations in this respect.

I have spoken with the ICO today to receive further advice from them in respect to the concerns raised in your email.
I have also contacted the Charity Commission as our regulator to share this information.

Thank you for raising these concerns with us and I hope that this helps to reassure we are paying attention to the issues raised in your email ongoing

Is it fixed?

Not when last checked.

The YouTube videos are now barred from showing until a child consents to:

"We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies."

To consent to that phrase, is not to meaningfully consent to data collection into Paypal, Twitter and YouTube's systems - and a child should not have to consent to that to watch a video on the charity's website.