The Bitter Pill: Tracking and Remarketing on EU Pharmacy Websites
摘要
We investigate online tracking and remarketing practices on 50 pharmacy websites in five European countries, focusing on information shared with third parties. By manually shopping for pregnancy tests and automatically analyzing the HTTP traffic data captured in HAR files, we find that users’ personal data and shopping activities are routinely collected by third parties. Many pharmacy websites share product names, email addresses and phone numbers with third parties even when consent was declined. Investigating novel forms of online tracking, we find several cases of server-side tagging and CNAME-based tracking, which can be used to circumvent tracking protections offered by adblockers and modern browsers. Monitoring the advertisements targeted to our shopping profiles on several news websites and large online platform apps, we find re-targeted advertisements of the pregnancy tests we had shopped for. We further find that while declining consent reduces third-party data sharing, it does not eliminate it, and deceptive designs often discourage users from opting out. Through GDPR data access requests we reveal that companies vary in the completeness of the personal data they disclose, with none providing a full list. Overall, our study reveals widespread potential legal violations and adoption of evasive tracking technologies on websites that handle users’ most sensitive personal data.