What did Chiva get wrong?
Chiva is a charity for children with HIV.
Their site includes three integrations that have received identifiable data about children or parents using their site.
PayPal and Twitter integrations were loading on what appeared to be every page, with Twitter's API intentionally capturing which page was being visited.
Where the site loads videos, such as on the page WHAT’S IT LIKE?, YouTube captures identifiable data for its advertising system to use to target content and personalise ads based on a child having HIV.
The YouTube embed is inappropriate for children with HIV, not just because of the generic online harms risks to children if they click through to YouTube, but because the way in which it is promoted is encouraging the child to leave the safety of the charity's site and engage on YouTube with this very sensitive topic - potentially revealing even more information about their condition to YouTube's personalisation systems.
The Twitter feed embedded in the pages poses similar risks.
Advertising and social media personalisation systems from YouTube and Twitter should never be told that a child with HIV is interested in support content, given the significant risks of discrimination in personalised content. These systems are black boxes, and the charity can offer no assurance that appropriate mitigations are in place to protect against the risks.
Furthermore, the children's privacy relies heavily on these systems not being hacked and not leaking data, a risk a child should not have to think about, and one that some social media companies have suffered in the past.
Raising the complaint
10th January 2023
A complaint was sent to the charity and ICO, including screenshot evidence of cookie tracking.
24th January 2023
Further details were provided regarding the cookie banner not being appropriate for YouTube consent and the videos not being marked as Made for Kids.
Response So Far
11th January 2023
Thank you for your email and for bringing these issues to our attention.
I can confirm that I have addressed this and those technical issues have been resolved and now function correctly.
Ongoing we will be sure to check technical issues regularly.
I have spoken with the ICO today to receive further advice from them in respect to the concerns raised in your email.
I have also contacted the Charity Commission as our regulator to share this information.
Thank you for raising these concerns with us and I hope that this helps to reassure we are paying attention to the issues raised in your email ongoing.
Is it fixed?
Not when last checked.
The YouTube videos are now barred from showing until a child consents to:
To consent to that phrase is not to meaningfully consent to data collection into PayPal, Twitter and YouTube's systems - and a child should not have to consent to that to watch a video on the charity's website.
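One way a site owner could re-check a page for the embeds described above is to list every YouTube, Twitter or PayPal resource that the served HTML requests without any click. This is an added example, not code from the charity or the complaint; the host list, the `audit` helper, the `charity.example` URL and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed host list for the three integrations named on this page
# (assumption: extend it to match what your own pages embed).
TRACKERS = {"youtube.com": "YouTube", "ytimg.com": "YouTube",
            "twitter.com": "Twitter", "twimg.com": "Twitter",
            "paypal.com": "PayPal", "paypalobjects.com": "PayPal"}
# Tag/attribute pairs that make the browser send a request without a click.
FETCHING = {"script": "src", "iframe": "src", "img": "src", "embed": "src"}
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}

class EmbedAudit(HTMLParser):
    """Collect requests to the listed hosts made before any consent click."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (vendor, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHING.get(tag, ""))
        if not url:
            return  # e.g. a consent-gated <iframe data-src=...> has no src
        kind = (attrs.get("type") or "").strip().lower()
        if tag == "script" and kind not in JS_TYPES:
            return  # type="text/plain" scripts stay inert until re-enabled
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        host = urlparse(urljoin(self.page_url, url)).hostname or ""
        for suffix, vendor in TRACKERS.items():
            if host == suffix or host.endswith("." + suffix):
                self.findings.append((vendor, tag, url))

def audit(page_url, html):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup: two live embeds, two consent-gated ones,
# one first-party image and one plain link (links do not fetch on load).
SAMPLE = """
<script async src="//platform.twitter.com/widgets.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script type="text/plain" src="https://www.paypal.com/sdk/js"></script>
<img src="/images/logo.png">
<a href="https://www.youtube.com/">Our channel</a>
"""
```

This check only sees markup present in the served HTML; embeds injected later by script need a browser-based review of the network requests a page makes.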