The Children's Trust
Brain Injury Hub
A resource for families, teachers and anyone who would like to know more about acquired brain injury in children.
A resource that also appears to be pretty valuable for the child with the injury too.
However, when I visited the site I discovered that it was sharing identifiable data on user visits with Google and Facebook.
A brain injury is a health condition and the Brain Injury Hub has a lot of content on the topic.
it seems unlikely that most children visiting and reading through the material are there for fun.
Where Facebook and co are collecting data from other organisations about a child or parent's habits online this added context in a profile enables algorithms to join together the dots:
- A parent or chlid is seeking NHS services
- And now... the parent or chlid is reading heavily into brain injuries
You don't even need AI in an ad or recommendation engine reading that data to work out the likelihood the child involved has a brain injury.
Children's health data is a sensitive subject and The Children's Trust have breached the trust they are supposed to have from those they support.
When it comes to YouTube, they have an odd problem still on their site; that they include tracking but do not show the video.
Is it fixed?
No, but it is better than it was.
When I first looked Facebook tracked users regardless of any cookie consent.
The charity responded completely inappropriately, effectively claiming I was lying, when in truth it is the other way around.
However, at some point their site did move Facebook tracking behind a cookie banner that only tracks children if they consent, but there's a problem with that consent.
Misleading consent
Their cookie banner states the following
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners.
If you then click to "Manage Cookies" to get more details and fine grained controls, it states regarding Targeting Cookies
They do not store directly personal information, but are based on uniquely identifying your browser and internet device.
Targeting cookies are typically your Google or Facebook account identifier... they are tied exactly with your identity and Google and Facebook know exactly who you are when they track your visit.
The clue is in the other name for targeting ads: "personalised" ads - they cannot be personal unless they track you as a person.
So despite asking for consent, the consent is unlawfully obtained through deceit.
When it comes to kids giving consent, under UK law it can be only be asked if it is in the best interests of the child for the data to be shared.
Do you think it is in the best interests for a child's brain injury condition to become the commerical property of an ad system and social media recommendation engine?
Raising the complaint
20th January 2023: Email sent with screenshot evidence to the charity and the ICO regarding Facebook and Google tracking myself and children.
20th January 2023: Acknowledgement of email receieved.
17th February 2023: The charity fails to fix the issue, but responds with:
Thank you for your recent email regarding the content on our website and integration with third party data controllers such as Google and Facebook.
As an organisation that supports children and young people with brain injury and neurodisability, we take our responsibilities concerning safeguarding extremely seriously. We are always looking for ways to improve the quality and safety of the user experience for those accessing our content. This means ensuring we are compliant with all the relevant statutory requirements, as well as exploring additional measures that reflect the constantly changing digital landscape. This means listening to experts and being reactive to advice and guidance when we receive it. As such, we are grateful to you for getting in touch, and will certainly consider your feedback and suggestions for mitigating potential safeguarding risks in the future.
In terms of the points you raise about compliance with the UK GDPR and PECR on the use of social media plug-ins and cookies, it is not the case that we are sharing sensitive data about children with social media companies. We comply with the key regulatory requirements of transparency and consent through our published privacy policies and via our cookie preference centre. Our privacy policies also include links to the websites of social media companies, such as Google and Facebook, where data subjects can find out how to configure their privacy settings with these other data controllers. Our cookie preference centre is hosted by OneTrust, a market leader in privacy management software. OneTrust have just conducted a cookie audit of our website (February 2023), and we will in due course be launching an updated preference centre to reflect the results of this audit. We will continue to monitor and carry out further audits in the future in line with guidance from the ICO.
Once again, we would like to thank you for taking the time to email us.
17th February 2023; I respond back explaining why their response is a lie and how they are still breaking the law.
No response received; the site continues to break the law.