A new report by privacy browser Brave found that over 400 councils in the UK have allowed at least one private company to track visitors to its websites, and mine their browsing activity for profit.

Sites run by local councils also provide advice for people struggling with disabilities, poverty, and drug addiction. Brave found that 23 council websites allow data broker companies to learn about what Internet users do when they visit their site, and sell that tracking information—collected through cookies—to third parties. All this happens without users’ consent.

Brave found that 6.9 million people in the UK are served by councils that let one data broker, LiveRamp, track people on their sites. LiveRamp used to be part of the Acxiom Group, which sold data to Cambridge Analytica, the company at the center of the 2016 US election scandal.

“Because of the nature of these sites, this can reveal very sensitive characteristics about a person’s financial circumstances, and health,” Dr. Johnny Ryan, Chief Policy Officer at Brave, told Decrypt. “It is inexcusable that people seeking help for addiction, disability, and poverty on council websites can be profiled by private companies,” he said.

Brave’s browser, a competitor to Google Chrome, doesn’t collect such information. Instead, it leverages the Ethereum blockchain to offer a new type of advertising. Instead of selling data to advertisers, it rewards viewers for (voluntarily) watching advertisements in the Basic Attention Token (BAT), the browser’s native cryptocurrency.

Brave notes in its report that Google "owns all five of the top embedded elements loaded by UK council websites," which gives the tech giant "the power to know what virtually anyone in the UK views on council sites."

This level of surveillance is alarming, according to Damien Mason, an expert of digital privacy at ProPrivacy, a privacy publication. “This is particularly concerning for vulnerable people, such as those in a financial crisis looking for help," he told Decrypt. "Could this lead to them being targeted by online ads for payday loan companies, for example?”

“Councils across the country are setting a bad precedent on privacy. This kind of ignorance towards personal data is already unacceptable for private companies but the public sector has a greater responsibility to uphold the basic human right of privacy whether it is the real world or online,” he said.

Ryan first contacted the UK Information Commissioner in January 2018 about the incident. In June 2019, the ICO said that the wider issue, Real Time Bidding, is currently unlawful, and gave the industry six months to get into shape. In 2020, it said it would not take immediate action to stop RTB data breaches.