A deeper dive into 10 of those health Websites found that even when consent was granted, the sites' privacy policies were unclear about what data would be shared with third parties and how that data would be used.

This is troubling, because the FT subsequently found, for example, that drug names entered into Drugs.com were shared with Google-owned DoubleClick. It gets worse: symptoms entered into WebMD's symptom checker, plus the resulting diagnoses, and terms including 'drug overdose' were shared with Facebook. In eight cases, unique identifiers that could tally information with a specific individual were shared with third parties.

Under GDPR, it is against the law to share information about someone's health and sexual orientation without first obtaining their explicit consent, and without explaining exactly who it is shared with and what they will use that data for.

None of the Websites checked out by the FT requested this type of explicit consent.