Sending visitor data to YouTube
If you visit Papyrus today (23rd July 2023), be cautious about which page you visit.
Papyrus is a charity to support children and young people at risk of suicide.
Their site includes videos regarding this topic.
Not all, but I noticed a few of these are YouTube embeds.
I complained that YouTube embeds by default collect data for behaviour-based content recommendation and personalised adverts.
I complained they do not have consent.
Whilst I have seen improvement with the website using YouTube privacy enhanced mode, it still includes at least one video ( https://www.papyrus-uk.org/musics-healing-power/ ) that does not.
It also seems that the video embed is not actually linked to their cookie banner, so data is sent regardless of any consent interaction.
Their usage of YouTube Privacy Enhanced Mode continues to breach data protection law, sending analytics data from visitors without consent.
Sending visitor data to Google
Not only does YouTube receive identifiable data that a visitor is interested in Papyrus, but the charity's website integrations also share data with:
- Google Translate
- Google reCAPTCHA
- Google Doubleclick
- Google Ads
Not only Google
The website (23rd July 2023) includes Spotify embeds for their HOPECAST podcast, without consent.
The website also included Vimeo videos sharing identifiable data with Vimeo (it appears to have been removed since).
The website also included Hotjar analytics (it appears to have been removed since).
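A site operator can check for this kind of exposure in page markup. The following is an added example, not part of the original complaint or of the charity's code: it lists embeds from the services named above and reports whether each is requested as soon as the page loads. The hostnames are the ones these services commonly use, and the two "deferred" patterns (`data-src` placeholders, `type="text/plain"` scripts) are assumptions about how a consent tool holds an embed back; neither is taken from the Papyrus site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (label, host suffix, path prefix) table; not taken from the audited site.
THIRD_PARTIES = [
    ("YouTube (standard embed)", "youtube.com", "/embed/"),
    ("YouTube (privacy enhanced mode)", "youtube-nocookie.com", "/embed/"),
    ("Vimeo", "player.vimeo.com", "/"),
    ("Spotify", "open.spotify.com", "/embed"),
    ("Google reCAPTCHA", "google.com", "/recaptcha/"),
    ("Google Translate", "translate.google.com", "/"),
    ("Google DoubleClick", "doubleclick.net", "/"),
    ("Hotjar", "hotjar.com", "/"),
]

# Constructed sample markup with placeholder IDs.
SAMPLE = """
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://open.spotify.com/embed/episode/EPISODE_ID"></iframe>
<script type="text/plain" src="https://www.google.com/recaptcha/api.js"></script>
<script src="/wp-content/themes/site.js"></script>
"""

def classify(url):
    """Return the service label for a URL, or None for first-party/unknown."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    for label, suffix, prefix in THIRD_PARTIES:
        if (host == suffix or host.endswith("." + suffix)) and parts.path.startswith(prefix):
            return label
    return None

class EmbedAudit(HTMLParser):
    """Static check only: embeds injected later by scripts are not seen."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (service, tag, status)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "img"):
            return
        a = dict(attrs)
        # A script with type="text/plain" is not executed by the browser.
        inert = tag == "script" and (a.get("type") or "").lower() == "text/plain"
        for attr, live in (("src", not inert), ("data-src", False)):
            service = classify(a.get(attr) or "")
            if service:
                status = "requested on page load" if live else "deferred until consent"
                self.findings.append((service, tag, status))

def audit(html):
    parser = EmbedAudit()
    parser.feed(html)
    return parser.findings
```

Both YouTube hostnames are reported the same way when they sit in a live `src`: the browser contacts the third party on page load whichever one is used.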
Regarding the suicide topic: "Watch on YouTube"
If you operate a charity to support suicidal young people, where would you like visitors to go?
Papyrus use multiple video hosting solutions, but at least a few of their pages recommend:
HOPELINE247: "Watch on YouTube"
Bedtime Stories campaign: "Watch on YouTube"
Sinking Feeling animation: "Watch on YouTube"
Regarding Music's Healing Power: "Watch on YouTube"
What is YouTube?
- YouTube is an advertising platform designed to learn of visitors' interests and provide content that helps advertisers get clicks
- YouTube is a social media system designed to learn of visitors' interests and improve engagement by recommending related content
- YouTube is a public space that encourages visitors to publicly react to videos they watch
- a personalised advertising system be active as a child or young person browse the suicide topic
- a content recommendation system, as far as I know not professionally qualified, attempt a recommendation to a child or young person who has just watched a video regarding the suicide topic
- children and young people engage in a public forum regarding their interest in the suicide topic. I hope Papyrus moderate the comments on their videos, but what control do they have for the recommended videos children may see?
If a child or young person decides to use a social media platform, independent of Papyrus, with regard to the suicide topic; then that is their choice.
Does that mean that Papyrus's website should promote visitors to a social media and advertising system?
Is this consent?
The cookie banner (checked 23rd July 2023) states:
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
If you clicked accept, do you believe that indicates that Google will be receiving data for their purposes?
In my opinion, the only recipient mentioned is Papyrus ("we") according to that statement.
Is it fixed?
No, although last checked (23rd July 2023) it had improved with removal of some embeds, including at least an instance of the Vimeo embed, YouTube swapped to YouTube Privacy Enhanced Mode (still problematic) and Hotjar.
Raising the complaint
13th June 2023: Complaint raised regarding various Google integrations and analytics from Hotjar and Oracle RightNow CX.
20th June 2023: Acknowledgement received
21st June 2023: Vimeo added to the complaint.
19th July 2023: The following response.
RE: Alleged Data Breach
We are writing in response to your email, dated 14th June, where you allege a personal data breach. You specifically allege that “personal data being shared with adtech and analytics companies without consent, in a sensitive category scenario”.
PAPYRUS take any allegations concerning the effect of its services on its users, very seriously, and have therefore conducted an internal investigation drawing upon external experts as appropriate.
To assure you that we have considered fully your allegations, we address each of the same in turn below.
Oracle RightNow CX
This embed is used as part of the toolset used by Papyrus to monitor how our website is used. Specifically, this embedded software does not use or store any personal information. This can be clarified by visiting the rnengage.com website where it states:
“…Visits to domains owned or operated by different entities are not correlated. All personally identifiable information, including IP addresses, are removed or mangled so that collected data does not point back to any given individual. This information is important for the functioning of the software and is not used for advertising, personalization, or individual user tracking and identification.”
Google Recaptcha
This is used to detect the differences between a human and a ‘bot’ browsing the website. We use Google Recaptcha for Legitimate Interests to ensure that our website remains secure and that our limited resources are focused on those that need it most and not ‘bots’ that can make false form entries etc. Unless the user accepts our Cookie consent Google Recaptcha is not used.
Google Translate
We use Google Translate in order to translate our website content into a specific language required by our users. During this translation no data that can be used to identify any individual person is used or transferred. As with our other cookies no personal identifiable data is transmitted to any third party.
Google Tag Manager / DoubleClick
Google Tag Manager and Doubleclick are associated with our marketing strategy and are used to track conversions of adverts from a source website. For example, if a user clicked on a digital advert on a website and were passed through to our website these two plugins would track the user’s progression through our website but would not contain any information that could personally identify that user. Again, as with other plugins analytics is only active once the user has accepted the cookie consent.
Google Analytics
We use Google Analytics to anonymously analyse how our website is used. We operate Google Analytics in a configuration that does not store, process or transfer any data that can be used to identify any individual person. Again, as with other plugins, analytics is only active once the user has accepted our cookie consent.
HotJar
You have made reference to HotJar however this plugin is not utilised within our site.
We should point out that the same would be true for any other video material hosted on video services similar to YouTube.
We have also reviewed the two news articles that you provided links for, and it is clear from the article referencing the NHS that this involved the sharing of sensitive medical information with a third party without the knowledge or consent of the individual using the service. It is not for us to comment on those issues as the situation is quite different to the one at hand and it is for the organisations involved in the issues raised by those articles to comment. The plug ins used by PAPYRUS effectively operate in anonymous mode. We do not, therefore, share any personally identifiable information with any third parties.
In relation to the second article, PAPYRUS does not utilise Facebook pixel technology within our website and therefore the specific content of the article would not apply. Looking at the broader aspect of the article we also do not share information with third parties for the purpose of targeting adverts to any one identifiable individual.
You have mentioned in your correspondence that you were not presented with a consent banner when first entering the site. In all the tests we have had conducted on the website we failed to replicate any scenario where the consent banner was not presented when accessing the website for the first time. We have also further assessed the interactions between the website, web browser and computer equipment and we have observed that the plugins and/or cookies were not loaded until after the user had accepted the GDPR and consent banner.
Based on the above, there has been no demonstrable breach of either GDPR or PECR regulations and guidance. Any data that is necessarily tracked is anonymised and therefore cannot be traced to an identifiable individual thus ensuring the user’s anonymity and confidentiality.
Our technical advisors have also reviewed the screenshot that you provided, and they are unable to see where your personal data has been shared within the body of data. We also note that your screenshot does not show an HTTP GET request for the PAPYRUS website. It does show a request for a Google page but there is not any personal identifiable data with the request.
We note that you have set out your expectations in the email. There has been no data breach by us and therefore the action you have stated is not relevant. Any information necessarily shared with us is not shared with any third party in a way which a user could be personally identifiable.
Whilst it is your prerogative to raise complaints with individual service providers, posting any information on your website or any other public space in relation to PAPYRUS that is incorrect and harmful to the reputation of PAPYRUS is defamatory.
Currently, your website states that “a complaint of a similar nature to the NSPCC concern has been registered with Papyrus UK". We cannot comment or opine on the complaint made to the NSPCC by you. We do not have the full factual matrix to be able to comment upon whether your statement is factually correct. We trust that you will appreciate that each complaint is dealt with on its own merit. Likening the complaint, you have made against us to NSPCC may be defamatory. Please remove any reference to similarities between PAPYRUS and NSPCC.
Now that your concerns have been allayed, please remove all references to PAPYRUS on your website. In the alternative, we trust that only comments of a factual nature will appear on your website, to state nothing more than “a complaint has been raised with PAPYRUS and PAPYRUS have considered the complaint carefully and the complaint is unfounded.”
Considering the charitable and sensitive nature of the support that PAPYRUS provides, any harm to PAPYRUS as an organisation is directly depriving or dissuading its users and potential users of valuable services that may help in times of crisis.
I am not happy with this response.
I believe I did not see a cookie banner, but it is very difficult to show that you have not seen something.
I encourage readers to do their own research to understand whether the above claims are likely accurate or not.
20th July 2023: I have complained that their response is not appropriate and explained which parts I am not happy with.
23rd July 2023: I've supplied details of how they are sharing data with Spotify without consent and continue to have failings with YouTube.