Too many cookies: European news sites include higher volumes of trackers

15 May 2018

Could cookies create a problem for media companies? Image: Florian Bott/Shutterstock

New research shows European news sites have some privacy issues ahead of them.

Research from the Reuters Institute for the Study of Journalism has found that news sites load four times as many third-party domains and set close to eight times as many third-party cookies than popular sites on average.

With the General Data Protection Regulation (GDPR) just around the corner, this could pose problems.

The analysis of 500 news sites across Europe also noted variations between different news outlets and countries. UK tabloid the Daily Mirror has 246 third-party cookies and 78 third-party domains, while German paper Bild has 47 third-party cookies and 29 third-party domains. Researchers also noted multiple variations between outlets due to different business models and revenue streams.

News websites driven by advertising

The large quantity of third-party content driven by advertising and marketing is, of course, prevalent on news sites that rely on advertising revenues to remain in business.

Reuters found that some of the practices news sites are involved in could potentially be in conflict with the impending GDPR, particularly around user consent and the sharing and processing of personal data.

News sites in the countries examined averaged 81 third-party cookies per page, compared to an average of 12 for the top websites in those territories. In terms of domains, there were 40 on average for news sites compared to 10 on other popular addresses.

Researchers compared all the third-party requests made on a selection of news sites based on relative reach and prominence in their respective countries, along with the 500 overall most popular sites in Finland, France, Germany, Italy, Poland, Spain and the UK.

To do this, they used an open source tool called webXray, which records third-party content that loads on a page in the Chrome browser. 400 different services are identifiable by webXray and Reuters researchers found 270 of those during the course of their analysis, many of which were from Google and Facebook.

Potential GDPR issues

The report noted some issues in terms of GDPR that could lie ahead. “First, third-party content exposes IP addresses and often results in the transmission of cookie data, potentially putting it within the law’s scope.

“Second, because browsers download third-party content without user interaction, it is often not transparent to users what is happening, raising the need for clear notification whenever data is collected, shared and stored.

“Third, for user data to be processed lawfully, consent may be needed.”

A myriad of third-party features

From Google Analytics to Facebook Share widgets, there are a myriad of third-party features on many news websites.

Reuters researchers Timothy Libert and Rasmus Kleis Nielsen categorised the privacy risks of types of third-party content from low to high, as well as the effort required to replace these types of content.

Simple improvements could be made in terms of privacy improvements by examining the low-risk and low-effort items, the pair noted. “For sites focused on improving privacy, especially in light of the GDPR, content which ranks low on the effort scale could be prioritised for migration. Hosted JavaScript files, fonts and images all have low-to-medium privacy risk and, in some cases, changing a single line of code may provide immediate privacy gains.

“Similarly, social media buttons frequently set cookies and may link browsing data directly to users’ profiles, representing a high privacy risk. While social media companies provide code to enable sharing, it is possible to implement widgets on a first-party basis which facilitate social sharing. Even if social media companies would prefer sharing to happen with their widgets, they have no interest in preventing sharing.”

It is clear from this research, as well as anecdotal evidence, that bringing online marketing practices in line with GDPR will require some basic changes of approach by media companies in particular.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects