US Election 2020: Which Candidates Track You Most Online?

In a reversal of our expectations, our testing shows Donald Trump tracks visitors to his campaign site to a lesser degree than 75% of Democrats, including frontrunner Bernie Sanders, who also shares the most personal data with Facebook.
Simon Migliano

Key Findings

  • 75% of Democrat campaign websites set more tracking cookies and pass data to more ad/marketing platforms than Donald Trump
  • Tracking cookies: Almost four times as many set on Democrat candidate sites as on Republican
  • Joe Biden has the most intrusive site (75 cookies, 44 platforms), followed by Bernie Sanders (38 cookies, 24 platforms)
  • Sharing personal info with Facebook: Seven candidates share user info such as email, phone number or ZIP code. Sanders shares the most data points (four)
  • Facebook and Google: 100% of candidate sites pass data to the tech giants for marketing purposes
  • Weak privacy policies: Three Democrats have sites with weaker policies than Trump, including Michael Bloomberg

UPDATE: 26 Feb 2020 14:30 GMT Following the initial publication of this report, the candidate campaigns were made aware of our findings. Further testing today of Facebook data-sharing practices by the campaign front-runners reveals that while Joe Biden has now stopped passing supporters’ personal info to Facebook, Bernie Sanders continues to do so.

Introduction

This investigation into US presidential campaign website privacy analyzed how much each candidate’s site tracks visitors and passes data to Facebook and other advertising and marketing companies. It also includes a detailed assessment of each site’s privacy policy.

We monitored candidate websites in the lead-up to the primaries and recorded all third-party cookies set by each site, along with any server requests to third-party domains. We also observed browser activity when visitors left each candidate site and browsed other sites.

We analyzed tens of thousands of HTTP requests, focusing on those made to third parties, to allow us to identify to which advertising and marketing companies the election candidates are passing data from their campaign sites.

We also reviewed every third-party cookie set to identify which were used to track users for advertising and marketing purposes.

We also sifted through the request headers to see whether personally identifiable information (PII) was being shared.

We found that the websites of the Democrat candidates set an average of 23 third-party tracking cookies from advertising and marketing companies.

This is almost four times as many as the six such cookies set on average by the sites of the Republican candidates, including President Donald Trump’s campaign website.

Why did we use Trump’s site as the benchmark for comparison?

Given the president’s poor record on digital privacy since taking office, it feels reasonable to expect the Democrat hopefuls’ sites to perform better, especially given how high-profile candidates, such as front-runner Bernie Sanders, position themselves on consumer privacy issues.

The Democrat sites passed data to an average of 16 advertising and marketing companies, many of whom trumpet their ability to target people based on their interests and behavior. This was three times as many as the Republican candidate sites.

Former Vice-President Joe Biden has the most aggressive implementation of advertising technology on his campaign website. Biden’s site sets over 10 times as many third-party ad tracking cookies as Trump’s, for example.

What’s perhaps most surprising given Bernie Sanders’ progressive platform and combative public stance against Facebook’s privacy incursions is that his website passes more personal data points to Facebook (email, ZIP Code, phone and first name) than any other candidate’s site.

After Biden, Sanders also has the site that most aggressively tracks its users for marketing purposes.

Facebook’s public reputation may well be in tatters on Capitol Hill but that hasn’t prompted even a single candidate to remove Facebook integrations from their campaign sites. We found 100% of sites we tested passed data to Facebook, and to Google also.

All but three candidates shared personal information submitted on their sites with Facebook. While this personal data was hashed (a one-way transformation that can’t be directly reversed), it was shared in such a way that it would be simple for Facebook to match the hashed data with its own user data to indirectly identify individuals.

During our investigation, the field of candidates thinned from 16 to 10. An interesting trend to observe was that the drop-outs had campaign websites that were very much at the lower end of the scale in terms of how they tracked users.

This suggests an uncomfortable reality, that candidates who avoid intruding on user privacy simply fail to get their message across to potential supporters. However if, as privacy advocates, we accept this trade-off, an important question remains:

Where do we draw the line in terms of how much intrusion by political hopefuls is acceptable?

Unless we have an informed public debate on this issue, we can expect the candidates for 2024 and beyond to continue to sacrifice our privacy in their pursuit of office.

Summary Findings

By Party

The following bar chart compares the average number of ad & marketing platforms receiving HTTP requests from candidate sites by political party. It does the same for third-party ad tracking cookies.

It excludes any non-tracking cookies set by HTTP requests to domains operated by ad & marketing platforms. Requests to multiple domains operated by the same platform were single-counted only to avoid inflating the figures.

Chart showing the average number of third-party tracking cookies and marketing domains contacted by the democrats and the republicans on their campaign websites.

Candidate Party    Tracking Cookies (Avg)    Ad/Mktg Platforms (Avg)
Democrat           23                        16
Republican         6                         6
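
The counting rules described above (third-party requests only, each platform counted once however many of its domains are contacted, non-tracking cookies excluded), as an added example that is not part of the original report. The domain-to-platform map, the tracking-cookie list and the sample requests are constructed for illustration, using platform and cookie names mentioned in this article; `candidate.example` is a placeholder site.

```python
from urllib.parse import urlsplit

# Domain -> operating platform. Illustrative mapping (assumption); a real audit
# needs a maintained list covering every domain seen in the capture.
PLATFORM_BY_DOMAIN = {
    "doubleclick.net": "Google",
    "google.com": "Google",
    "facebook.com": "Facebook",
    "facebook.net": "Facebook",
    "adsrvr.org": "The Trade Desk",
    "adnxs.com": "Xandr",
    "mathtag.com": "Media Math",
}

# (domain, cookie name) pairs judged to be ad/marketing trackers after review.
TRACKING_COOKIES = {("doubleclick.net", "IDE"), ("adnxs.com", "uuid2")}


def registrable(host):
    """Naive registrable domain: the last two labels (enough for these hosts)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def summarize(first_party, requests):
    """Count distinct ad/marketing platforms and tracking cookies for one visit."""
    site = registrable(first_party)
    platforms, cookies = set(), set()
    for req in requests:
        domain = registrable(urlsplit(req["url"]).hostname)
        if domain == site:
            continue  # first-party request, out of scope
        platform = PLATFORM_BY_DOMAIN.get(domain)
        if platform is None:
            continue  # third party, but not an ad/marketing platform (e.g. a CDN)
        platforms.add(platform)  # a set, so two Google domains count once
        for name in req.get("set_cookies", []):
            if (domain, name) in TRACKING_COOKIES:
                cookies.add((domain, name))  # repeated Set-Cookie counts once
    return {"tracking_cookies": len(cookies), "platforms": sorted(platforms)}


# Constructed capture of a single page load (hosts and paths are made up).
SAMPLE_REQUESTS = [
    {"url": "https://www.candidate.example/", "set_cookies": ["session"]},
    {"url": "https://static.fonts.example/a.woff2", "set_cookies": []},
    {"url": "https://www.google.com/pagead/x", "set_cookies": []},
    {"url": "https://ads.doubleclick.net/pixel", "set_cookies": ["IDE", "pref_tmp"]},
    {"url": "https://connect.facebook.net/sdk.js", "set_cookies": []},
    {"url": "https://www.facebook.com/tr/?ev=PageView", "set_cookies": []},
    {"url": "https://adnxs.com/px?id=1", "set_cookies": ["uuid2"]},
    {"url": "https://adnxs.com/px?id=2", "set_cookies": ["uuid2"]},
]

if __name__ == "__main__":
    print(summarize("www.candidate.example", SAMPLE_REQUESTS))
```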

By Candidate

The following bar chart illustrates all third-party advertising and marketing tracking taking place on each candidate website during a typical visit.

For each candidate, the left-hand bar shows how many third-party tracking cookies are set. The right-hand bar indicates how many different ad marketing platforms are subject to HTTP requests.

The bars are segmented by the type of advertising and marketing platform.

Chart showing the number of third-party tracking cookies and domains contacted per U.S. presidential candidate campaign website

The difference is stark in the sheer volume of third-party tracking between Biden, Sanders and Gabbard’s sites and the other presidential candidates.

While it may be surprising how much third-party tracking takes place for marketing purposes on berniesanders.com, it’s inarguably concerning that visitors to joebiden.com can expect their devices to be riddled with well over twice as many tracking cookies.

It’s also interesting to compare the mix of marketing platforms encountered on each site due to the insight it provides into each candidate’s campaign strategy.

Biden is clearly betting the ranch on ad tech while Sanders is taking a more balanced approach. Gabbard leans on Customer Relationship Management (CRM) and Trump, social media.

The underlying data for the chart above follows.

Onward Tracking

The following chart indicates how many third-party advertising and marketing platforms identified that we had visited the candidate’s site prior to browsing highly-partisan news-based sites Breitbart, Infowars and The American Independent.

Chart showing how many advertisers track users after leaving a U.S. presidential candidate's website

Notable findings include:

  • Biden’s intense use of ad tech on his site is certainly effective at tracking users after they leave his site.
  • The highly-interconnected ad tech ecosystem means that cookies set by one platform can be recognized by others even when they did not set the original cookie.
    Example: An HTTP request from americanindependent.com to taboola.com synced the value of the uuid2 cookie that had been set previously on berniesanders.com by Xandr, despite there being no HTTP requests made to or cookies set by native ad platform Taboola during the original visit.

  • Visitors to Sanders, Buttigieg and Gabbard’s sites are most affected by this phenomenon.

The underlying data for the chart above follows.

Candidate        Instances of Onward Tracking
Biden (D)        21
Sanders (D)      13
Gabbard (D)      11
Buttigieg (D)    6
Bloomberg (D)    5
Warren (D)       4
Steyer (D)       2
Klobuchar (D)    2
Trump (R)        3
Weld (R)         2
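
The check behind these counts (cookie values set during the candidate-site visit reappearing in requests made while browsing other sites), as an added example that is not part of the original report. The cookie values, request URLs and parameter names are constructed; only the uuid2 cookie and the adnxs.com and taboola.com domains come from this article.

```python
from urllib.parse import unquote, urlsplit

# Ignore short values such as "1" or "true": they match unrelated requests by
# chance and would inflate the count. The threshold is an assumption.
MIN_VALUE_LEN = 12


def registrable(host):
    """Naive registrable domain: the last two labels (enough for these hosts)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def onward_tracking(cookies_set, later_requests):
    """Find later requests that carry an identifier set on the candidate site.

    Returns sorted tuples (recipient, cookie name, setter domain, kind), where
    kind is "direct" when the recipient set the cookie itself and "synced" when
    the value was handed to a platform that never set it.
    """
    identifiers = {
        c["value"]: c for c in cookies_set if len(c["value"]) >= MIN_VALUE_LEN
    }
    findings = set()
    for req in later_requests:
        recipient = registrable(urlsplit(req["url"]).hostname)
        # Identifiers travel either in the Cookie header or in the URL itself.
        haystack = unquote(req["url"]) + " " + req.get("cookie", "")
        for value, cookie in identifiers.items():
            if value in haystack:
                setter = registrable(cookie["domain"])
                kind = "direct" if setter == recipient else "synced"
                findings.add((recipient, cookie["name"], setter, kind))
    return sorted(findings)


# Constructed: third-party cookies recorded during the candidate-site visit.
COOKIES_SET = [
    {"domain": ".adnxs.com", "name": "uuid2", "value": "4820193847561029384"},
    {"domain": ".adnxs.com", "name": "flag", "value": "1"},
]

# Constructed: third-party requests seen later while browsing a news site.
LATER_REQUESTS = [
    {"url": "https://taboola.com/sync?partner=xandr&uid=4820193847561029384",
     "cookie": ""},
    {"url": "https://adnxs.com/seg?add=1",
     "cookie": "uuid2=4820193847561029384"},
    {"url": "https://widgets.example/load?v=1", "cookie": ""},
]

if __name__ == "__main__":
    for finding in onward_tracking(COOKIES_SET, LATER_REQUESTS):
        print(finding)
```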

Facebook Data Sharing

The following chart indicates how many items of personally identifiable information (PII) are shared with Facebook by each candidate site.

The “Items” column indicates how much PII is shared when visitors sign up to support or donate to a candidate’s campaign. The “additional requests” column shows what PII was shared from the online store section of candidate sites.

Table of personal data shared with Facebook by each U.S. presidential candidate campaign website

We observed PII passed to Facebook using the official Facebook parameters for user data. While the data was hashed, we were able to reverse engineer the hashing process and confirm what data was being passed by hashing the data we submitted in our testing process with SHA-256 and checking whether the results matched what we found in the HTTP headers.

It would be trivial for Facebook to compare hashed PII received in this way from the candidate sites and match it with its own similarly hashed personal data, thus combining the two data sets.
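
The verification step described above, as an added example that is not part of the original report: hash the values typed into the sign-up form and look for the same digests in a captured request. The normalization rules, the `ud[...]` parameter names, the endpoint URL and all sample values are assumptions made for illustration; the report does not list them.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit


def normalize(field, value):
    """Normalize a form value before hashing (assumed rules: trim and
    lowercase, digits only for phone numbers, first five characters of a ZIP)."""
    value = value.strip().lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    if field == "zip":
        return value.replace(" ", "")[:5]
    return value


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def match_hashed_pii(request_url, submitted):
    """Map each query parameter whose value equals SHA-256(normalized field)
    to the name of the submitted field it reveals."""
    known = {sha256_hex(normalize(f, v)): f for f, v in submitted.items()}
    matches = {}
    for param, value in parse_qsl(urlsplit(request_url).query):
        field = known.get(value.strip().lower())
        if field is not None:
            matches[param] = field
    return matches


# Constructed: what the tester typed into the sign-up form, formatting included.
SUBMITTED = {
    "email": "Test.User@Example.com ",
    "phone": "+1 (555) 010-0199",
    "zip": "10001-1234",
    "first_name": "Test",
}


def build_sample_request():
    """Constructed stand-in for a captured third-party request. It carries
    digests of already-normalized values plus one decoy digest that does not
    correspond to anything the tester submitted."""
    params = {
        "id": "0000000000",
        "ev": "Lead",
        "ud[em]": sha256_hex("test.user@example.com"),
        "ud[ph]": sha256_hex("15550100199"),
        "ud[zp]": sha256_hex("10001"),
        "ud[fn]": sha256_hex("test"),
        "ud[ln]": sha256_hex("someone-else"),  # decoy, must not match
    }
    return "https://www.facebook.com/tr/?" + urlencode(params)


if __name__ == "__main__":
    for param, field in match_hashed_pii(build_sample_request(), SUBMITTED).items():
        print(f"{param} carries the hashed {field}")
```

The same lookup is what makes the hashing weak as a privacy measure: anyone who already holds the plaintext value can recompute the digest and join the two records.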

Democrat frontrunners Sanders and Buttigieg shared the most data with Facebook in this way.

It should be noted that Warren did not share PII in quite the same way, instead passing the amount of any donation to Facebook via URL parameters. Her site also passed purchase information from its online store to Facebook.

The table below details the specific items of PII each candidate site passes to Facebook.

UPDATE: 26 Feb 2020 14:30 GMT Following the initial publication of this report, the candidate campaigns were made aware of our findings. Further testing today of Facebook data-sharing practices by the campaign front-runners reveals that while Joe Biden has now stopped passing supporters’ personal info to Facebook, Sanders continues to do so. We will continue to monitor the situation and update our report accordingly.

Ad Platforms

The following chart shows the percentage of candidate campaign websites that were observed to pass data to each advertising and marketing platform in our tests.

Chart showing most popular advertising platforms present on the U.S. presidential candidate campaign websites

Despite dragging the tech giants over the coals on Capitol Hill last year, no candidate has been prepared to blacklist Google and Facebook and deny themselves their marketing reach.

It’s clear that in their current form, the two companies utterly dominate their online marketing channels. However other notable platforms include:

  • Twitter: While still very popular, the social network doesn’t quite reach the same levels of coverage as its rivals. Ironically, this is in part due to it being omitted from the site of notorious Twitter user Trump.
  • The Trade Desk: A real-time-bidding programmatic ad platform based in California. As well as the 60% direct coverage of candidate sites, its integrations with other platforms extend its ability to track users across the internet.
  • Xandr: The parent company of App Nexus, another programmatic ad platform. Like The Trade Desk, its reach is extended through integrations with other platforms, including those in adjacent digital channels, such as native ads.

Privacy Policies

Privacy Policy Risk Scores

The following chart compares the summary results of our detailed assessment of each candidate’s campaign website privacy policy.

Higher scores indicate a greater risk to user privacy.

Chart showing the scores each U.S. presidential candidate received for their privacy policies

Notable findings include:

  • Sanders’s site has one of the best privacy policies, despite being among the most aggressive trackers of its visitors and sharers of data with Facebook.
  • mikebloomberg.com really falls down on how it fails to commit to data protection, however it’s also joint-worst on how it treats personally identifiable information (PII).
  • Gabbard has the most privacy-friendly policy thanks to her relative restraint with regards to behavioral tracking and strong commitment to data protection. However, this should be considered in context of her site’s observably intrusive user tracking.

The following table shows the underlying data for the chart above.

The scores were derived by first breaking down the key privacy points across all of the candidates’ privacy policies into a comprehensive list of single attributes onto a table.

You can see this table immediately below or download the full data sheet.

The attributes were each given a score (out of 5), then separated out into five different categories (PII, Device Information, Behavioral Tracking, Data Transfers, Data Protection) to provide a clearer basis for comparison.

The higher the score (max. 100), the less privacy conscious the policy is (e.g. tracking of exact location would score highly).

Privacy Policy Detailed Comparison

This table shows the full results of our assessment of each campaign website privacy policy.

NB: green results are privacy-positive.

  • All candidates scored poorly for behavioral tracking due to extensive use of web beacons/tracking pixels, collation of data from outside sources, and for ignoring “Do Not Track” requests.
  • All but one candidate (Gabbard) either derive a user’s approximate location through their IP address, or their exact location via GPS tracking.
  • All candidates explicitly share user data with groups with “similar political viewpoints”.
  • All but one candidate (Klobuchar) use an understated, yet legally expansive, statement enabling any data usage that the campaign deems necessary. This is often found embedded in a list of justifications for invasive collection and sale of user data.
  • Many candidates were found to have policy gaps relating to specific practices, indicated by the number of “Not Stated” results.

Joseph Biden

Campaign Site Analysis

Campaign website: joebiden.com

The following table shows the total number of third-party domains subject to HTTP requests from joebiden.com, along with all third-party cookies set. This includes non-tracking cookies and domains used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Joseph Biden

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Biden’s website. Credit: http://requestmap.webperf.tools/

Biden’s campaign site is extremely aggressive in its use of ad tech. This is largely due to working with programmatic advertiser Media Math. In our test session, the HTTP request from joebiden.com to the mathtag.com domain initiated a series of browser redirects to 33 additional domains owned by other ad tech companies, many of which dropped tracking cookies.

This would suggest Biden is relying heavily on programmatic advertising, i.e. automated, highly-targeted ads that can appear anywhere online.

Unusually, the number of third-party domain requests and cookies detected by our scans of joebiden.com varied significantly from day to day, suggesting Biden’s team were actively finessing the ad tech set-up of the site. This makes it harder to entertain the possibility that they were oblivious to the extent that requests to mathtag.com spawn additional tracking.

Visitors to Biden’s site should expect to be heavily tracked when they continue browsing after leaving it. In our test session, HTTP requests to 21 ad tech platforms contained references to cookie values set on joebiden.com, indicating that we had previously visited that domain. Many of these cookies only expire after a year.

Anyone signing up to Biden’s campaign should expect their email, phone number and ZIP code to be shared with Facebook in hashed form. The only candidate we found to be sharing more data points with Facebook than Biden was Sanders.

Privacy Policy Analysis

Policy URL: https://joebiden.com/privacy-policy

Score: 79/100

Highlights

  • Does contain a privacy commitment statement: “[…] we strive to protect the information we maintain”.

Lowlights

  • Openly admits to transferring user data overseas where data privacy laws may be less protective than the user’s home state.
  • The website tracks all donation transaction locations, ignores “Do Not Track” requests made by users, and when enabled, collects all of your device’s contact details.
  • Makes no mention of any protocol to notify users in the case of a security breach.

Bottom Line

Biden’s privacy policy does display a degree of transparency through its comprehensive disclosure of what data is collected, how it is used and why. However, it does reveal how invasive the website’s tracking practices are, making Biden the worst-performing candidate for behavioral tracking.

Michael Bloomberg

Campaign Site Analysis

Campaign website: mikebloomberg.com

The following table shows the total number of third-party platforms subject to HTTP requests from mikebloomberg.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Michael Bloomberg

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Bloomberg’s website. Credit: http://requestmap.webperf.tools/

Bloomberg’s site is one of three Democrat candidate sites that tracks users more than Trump’s does but is significantly less intrusive than Biden, Sanders and Gabbard’s sites.

Despite being middle-of-the-road in terms of the number of trackers, mikebloomberg.com passes data to some unusual advertising and marketing-related domains. For example, it passes data to bbhub.io, a domain operated by Bloomberg Professional Services, the data vendor arm of Bloomberg’s own firm that offers subscriptions costing as much as $2,000 per month.

We also observed requests to another Bloomberg-operated domain, bwbx.io, but could not determine its purpose.

mikebloomberg.com also passes data to Amobee, a mobile ad tech company promising to track users across their devices that’s owned by Singapore telco Singtel, as part of its ad tech empire.

In our onward browsing, native ad platform Taboola and ad tech platform Xandr both tracked us as having visited mikebloomberg.com, based on the uuid2 cookie set by adnxs.com.

Bloomberg’s site was not observed to share any personal data to Facebook when users signed up, although it did set Facebook cookies and generally passed data to the social network.

Privacy Policy

Policy URL: https://www.mikebloomberg.com/privacy

Score: 79/100

Highlights

  • N/A

Lowlights

  • Fails to notify users of the Federal Election Commission (FEC) requirement to disclose the full name, address, occupation and employer of all individuals whose donations exceed $200 per election cycle.
    • This leaves his supporters unaware of the extent of PII that would be made public, especially in a personally sensitive subject matter.
  • Has an apparent lack of safeguards in place in the case of a security breach, implied from the absence of any mention of such procedures in his privacy policy.
  • Along with high levels of behavioral tracking and PII collection, the policy is highly ambiguous about how this information might be used. The policy opaquely states the freedom of use of your information “for any lawful purpose”.

Bottom Line

Our view is that Bloomberg has the worst campaign site privacy policy of all of the 2020 presidential candidates. His policy sidesteps any sort of specificity and instead clearly prioritizes his campaign’s needs above the privacy of his supporters.

Pete Buttigieg

Campaign Site Analysis

Campaign website: peteforamerica.com

The following table shows the total number of third-party platforms subject to HTTP requests from peteforamerica.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Pete Buttigieg

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Buttigieg’s website. Credit: http://requestmap.webperf.tools/

Buttigieg’s site is one of three Democrat candidate sites that tracks users more than Trump’s does but is significantly less intrusive than Biden, Sanders and Gabbard’s sites.

Two-thirds of the cookies set on peteforamerica.com are from NGP VAN, the Democrat-affiliated CRM tool used to personalize the floods of emails pestering potential supporters for donations.

While peteforamerica.com is lighter on the ad tech, it does set cookies from major programmatic ad platforms Xandr and The Trade Desk.

The site also sent data to native advertising platform Outbrain, one of a handful of companies responsible for the endless feed of typically low-quality clickbait articles often found masquerading as related content below genuine editorial.

Visitors who sign up to peteforamerica.com can expect the site to share their first name, surname and email address with Facebook in hashed form. Only Sanders shares more personal info with Facebook.

Privacy Policy

Policy URL: https://peteforamerica.com/privacy-policy

Score: 83/100

Highlights

  • Does not transfer user data overseas.

Lowlights

  • Fails to give any data protection commitment statement.
  • Similar to many other candidate policies, it attempts to absolve the campaign of any responsibility for genuine user privacy by including a clause claiming the right to use your data as the campaign sees fit.
  • Tracks your location upon any monetary transaction on the website.
  • The campaign’s response to “Do Not Track” signals is not stated anywhere in the policy and it does not appear to notify users of any data or security breaches.

Bottom Line

Buttigieg’s policy is one of the worst we assessed, tied in second-last place with Steyer’s document.

The policy performs so poorly mainly due to extensive behavioral tracking, a large number of stakeholders with whom they can share your data and a general lack of reassurance for privacy-conscious users.

Tulsi Gabbard

Campaign Site Analysis

Campaign website: tulsi2020.com

The following table shows the total number of third-party platforms subject to HTTP requests from tulsi2020.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Tulsi Gabbard

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Gabbard’s website. Credit: http://requestmap.webperf.tools/

Along with Sanders and Biden’s sites, Gabbard’s tulsi2020.com forms a cohort that intrudes on users’ privacy significantly more than those of their rivals.

As well as tracking users to better target them via major programmatic ad platforms like Media Math, Xandr and OpenX, our analysis shows Gabbard also hopes to retarget them using services such as Perfect Audience and a range of Customer Relationship Management (CRM) tools.

These CRM tools alone set 16 tracking cookies during our test session to enable highly-personalized emails and other messaging canvassing for donations and other support.

Her site was also notable for being the only one to track users via the Wistia video marketing platform, which touts how you can send its user data to Facebook and Google for greater reach.

Visitors who sign up at tulsi2020.com can expect their email address to be sent in hashed form to Facebook. However, this was the only personal info shared, placing the site at the lower end of the spectrum in this area.

Privacy Policy

Policy URL: https://www.tulsi2020.com/privacy-policy

Score: 70/100

Highlights

  • Tulsi Gabbard uniquely approaches her privacy policy by outlining the relevant legislation with which the website strives to be in compliance.
  • Notifies her users when there is a security concern.

Lowlights

  • Contains many ambiguities and fails to comprehensively inform the user about what type of personal info the website collects and for what reasons.
  • Specifically, the policy fails to mention whether or not the site collects your IP address, device information, network connection or location information.
  • Does not address whether they use web beacons/tracking pixels or website analytics.
  • Fails to inform users about where their data is processed and stored.

Bottom Line

Gabbard’s policy received the best score of all the candidates due to her pro-digital rights approach.

However, the policy contains many omissions about her site’s specific practices. This means that anyone reading her privacy policy will leave without fully understanding the privacy implications of using her website.

Amy Klobuchar

Campaign Site Analysis

Campaign website: amyklobuchar.com

The following table shows the total number of third-party platforms subject to HTTP requests from amyklobuchar.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Amy Klobuchar

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Klobuchar’s website. Credit: http://requestmap.webperf.tools/

amyklobuchar.com sets the fewest tracking cookies of any campaign site and is one of two Democrat sites less intrusive of privacy than Trump’s.

Aside from Facebook, Twitter and Google, including the latter’s pervasive targeting platform DoubleClick, the only other marketing-related domain subject to an HTTP request was Moat, an ad analytics platform.

Nor does Klobuchar’s site share user sign up data with Facebook, unlike the majority of other candidates.

Privacy Policy

Policy URL: https://amyklobuchar.com/privacy-policy

Score: 74/100

Highlights

  • Amy Klobuchar is the only candidate that does not claim the right to use the data collected on her website for “any purpose”.

Lowlights

  • Does not notify her users of any data or security breaches.
  • Fails to mention key privacy considerations:
    • Collection of browser data
    • Device information
    • Network connection
    • Location information
    • Use of web beacons
    • Response to “Do Not Track” requests
    • Data transfers overseas

Bottom Line

As well as scoring poorly for leniency in data sharing practices, Klobuchar’s policy also omits much important information on data collection and usage, leaving a lot of room for ambiguity.

Bernie Sanders

Campaign Site Analysis

Campaign website: berniesanders.com/

The following table shows the total number of third-party platforms subject to HTTP requests from berniesanders.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Bernie Sanders

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Sanders’ website. Credit: http://requestmap.webperf.tools/

Sanders’ campaign site may only set half as many third-party ad and marketing tracking cookies as joebiden.com but it was still much more intrusive of user privacy than the majority of other candidates’ sites, with not only heavy use of ad tech but also other types of marketing platforms.

berniesanders.com is notable for making HTTP requests to several third-party domains that generate multiple redirects. Among these was the Democrat fundraising platform actblue.com that initiated redirects to adsrvr.org, doubleclick.net, dstillery.com, facebook.com and bing.com, all domains operated by ad platforms. As this behavior was not observed with other candidate sites, it would appear that this is a deliberate decision by Sanders’ team.

These redirects – and the cookies set as a result – significantly increase Sanders’ reach as the only direct HTTP request from berniesanders.com in our test session that related to a programmatic ad platform was to adsrvr.org, a domain used by The Trade Desk.

Among the more concerning domains contacted were those belonging to MaxMind, a company which provides location data for IP addresses, and Skimlinks, typically used to monetize online content by automatically adding affiliate links to potentially commercial words and phrases in articles.

As well as setting tracking cookies from a broad range of social media networks (Facebook, Twitter and Snapchat), Sanders shares more personally identifiable data than any other candidate with Facebook.

Visitors to berniesanders.com who sign up to his campaign can expect their first name, email, phone number and ZIP code to be shared in hashed form.

Privacy Policy

Policy URL: https://berniesanders.com/privacy-policy

Score: 75/100

Highlights

  • While lengthy, Sanders’ privacy policy does provide useful information on key terms and processes that users may not be aware of.
  • Acknowledges a number of privacy concerns and explains measures that they take to mitigate risk.
  • Does not track the webpage you visited prior to his website.

Lowlights

  • Tries to justify supposedly “necessary” purposes for data collection to offset any impression of excessive data collection practices.
  • Fails to clarify whether or not the site:
    • Tracks user location
    • Responds to “Do Not Track” requests
    • Transfers user data overseas to potentially less regulated jurisdictions

Bottom Line

While Sanders’ policy shows levels of concern for data security and privacy, it also gives the impression of high levels of behavioral tracking and data sharing amongst affiliates, making for an unconvincing “privacy first” policy.

Tom Steyer

Campaign Site Analysis

Campaign website: tomsteyer.com

The following table shows the total number of third-party platforms subject to HTTP requests from tomsteyer.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Preview of chart of all third-party domain requests for U.S. presidential election candidate Tom Steyer

Click the image to see the full flow map showing all of the third-party requests that are generated when you visit Steyer’s website. Credit: http://requestmap.webperf.tools/

tomsteyer.com is among the least intrusive of the Democrat sites and one of only two that were more respectful of user privacy than Trump.

While the only ad tech cookie set was the ubiquitous Google DoubleClick cookie IDE, the site did pass data to Browser/IP logger DataDog during our test session.

The only other cookies set were for Facebook and Twitter.

tomsteyer.com was one of the few sites not to pass personal info to Facebook when users signed up or donated.

Privacy Policy

Policy URL: https://www.tomsteyer.com/privacy/

Score: 83/100

Highlights

  • Does offer security breach alerts to their users.

Lowlights

  • Fails to disclose how the site responds to “Do Not Track” requests.
  • Evasive about whether the site allows third parties to track and serve targeted ads on his campaign website and whether it transfers your data overseas.
  • Under section “How and When Information Is Used”, the policy includes a very ambiguous statement claiming to “Carry out any other purpose for which the information was collected”.
  • Fails to notify their users of the FEC’s requirement to disclose PII of donors who contribute in excess of $200 per election cycle.

Bottom Line

While Steyer’s privacy policy is not the very worst we looked at, we awarded it a high risk score due to a lack of specificity and clarity over crucial privacy concerns.


Elizabeth Warren

Campaign Site Analysis

Campaign website: elizabethwarren.com

The following table shows the total number of third-party platforms subject to HTTP requests from elizabethwarren.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Figure: flow map of all third-party requests generated when you visit Warren’s website. Credit: http://requestmap.webperf.tools/

elizabethwarren.com is among a group of three Democrat sites that track users more than Trump’s does but are significantly less intrusive than Biden, Sanders and Gabbard’s sites.

The site uses fairly minimal ad tech, although it does set the cookies TDID and TDCPM from adsrvr.org, the domain of programmatic ad platform The Trade Desk. This means visitors to elizabethwarren.com are very effectively tracked once they leave the site due to the ubiquity of that platform.

Other notable observations included a tracking cookie for Snapchat ads and requests to clickbait network Outbrain, shining a light on aspects of Warren’s campaign strategy.

Despite being a highly outspoken critic of Facebook, Warren’s site passes the amount of any donation made to her campaign to Facebook via URL parameters. It also shares data with Facebook from the online store part of the site, such as items added to the basket and their value.

Privacy Policy

Policy URL: https://elizabethwarren.com/privacy-policy

Score: 73/100

Highlights

  • Does not transfer any of your data outside of the jurisdiction of the U.S.
  • Notifies users of any data breaches or security alerts.
  • Transfer of your data to current or future affiliates is done ‘With your consent or at your direction’.

Lowlights

  • Claims to collect a very extensive list of diverse types of information, as outlined in the sections on data collection.
  • Makes no mention of how the site responds to ‘Do Not Track’ requests.
  • Uses an open-ended statement claiming your data can be used for “any purpose”. While far from offsetting this risk, the policy does commit to the “purpose being disclosed at the time of collection”, which gives users the opportunity to cease interaction.

Bottom Line

Warren’s policy is among the more privacy conscious in terms of language, accessibility and the use of clear statements that address a wide array of data security concerns.

However, her behavioral tracking is more invasive than is ideal, leaving her with a moderate score of 73. Along with Republican candidate Weld, Warren has the second-strongest policy.


Donald Trump

Campaign Site Analysis

Campaign website: donaldjtrump.com

The following table shows the total number of third-party platforms subject to HTTP requests from donaldjtrump.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Figure: flow map of all third-party requests generated when you visit Trump’s website. Credit: http://requestmap.webperf.tools/

Despite having no reputation as a privacy advocate, Trump’s campaign website is less intrusive than all but two of his Democrat rivals.

Largely eschewing ad tech, Trump instead doubles down on tracking users for social media advertising. donaldjtrump.com sets cookies for Facebook, Reddit and Snapchat. Ironically, given his prominent presence on the platform, we did not observe any HTTP requests to Twitter domains.

Visitors who sign up to donaldjtrump.com can expect the site to share their email address and ZIP code with Facebook in hashed form.

Privacy Policy

Policy URL: https://www.donaldjtrump.com/privacy-policy

Score: 79/100

Highlights

  • Does not transfer data outside the jurisdiction of the U.S. to undisclosed locations.

Lowlights

  • With GPS tracking enabled:
    • Users’ exact location, along with other PII, is explicitly collected and used “for any lawful purpose” that the campaign deems fit.
    • GPS location information is also collected by the site’s “service providers”.
  • The site ignores “Do Not Track” requests.
  • The policy claims the “right to use, share, exchange and/or disclose to DJTFP affiliated committee and third parties any of your information for any lawful purpose.”

Bottom Line

Whilst the policy does firmly declare that it “takes privacy and security very seriously”, it also contains statements which indicate extensive data collection and sharing. The contradictory nature of the policy may leave readers either confused or with a false sense of security.


William Weld

Campaign Site Analysis

Campaign website: weld2020.org

The following table shows the total number of third-party platforms subject to HTTP requests from weld2020.org, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Figure: flow map of all third-party requests generated when you visit Weld’s website. Credit: http://requestmap.webperf.tools/

weld2020.org intrudes slightly less on user privacy than Weld’s Republican nomination rival Trump’s site and significantly less so than the majority of Democrats, including the frontrunners.

The only notable find beyond ubiquitous Facebook and DoubleClick cookies was that the majority of tracking cookies were from Hubspot, with Weld being the only candidate to use the multi-purpose CRM platform.

Weld’s site does, however, share with Facebook, in hashed form, the email address and phone number of anyone who signs up to his campaign.

Privacy Policy

Policy URL: https://weld2020.org/privacy-policy

Score: 78/100

Highlights

  • Does not transfer or process any user data overseas, where privacy laws may be less protective.
  • Indicates that users are alerted of any security breaches.

Lowlights

  • Lacks any statement reassuring users of any commitment to data security.
  • Explicitly ignores “Do Not Track” requests.
  • Explicitly collects users’ GPS locations upon any monetary transaction on the website.

Bottom Line

Weld 2020’s privacy policy does comprehensively cover the extent and type of data collected. However, alongside Biden, his policy received the worst possible score for behavioral tracking (24/24).


Supporting Data

Cookie Index

Methodology

Website Analysis

We scanned each candidate’s campaign website over a period of two weeks in January/February 2020 for third-party domain requests and cookies using the WebXray tool.

We conducted test sessions using HTTP Toolkit. For each candidate, we logged into Facebook, visited their campaign site and performed any expected interactions and then navigated on to Breitbart, Infowars and The American Independent sites. Each candidate test was conducted over its own single, unique session.

Some candidates had WebXray results that varied over the course of our data collection. In these cases, we included in our dataset any domains and cookies recorded by WebXray that were not observable in our test session, flagged accordingly as additional data. However, we were unable to perform a full HTTP header analysis.

For the purposes of our overall analysis of the dataset, we focused on third-party advertising and marketing domains and tracking cookies rather than those third-party services required for creation and operation of the websites.
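The kind of pass over a logged session that this analysis involves can be sketched as follows. This is an added example, not the tooling used for the report: it groups requests by third-party site, records the cookie names each one sets, and flags query values equal to the hash of a known test identity. The hostnames, identity, capture and parameter names are constructed, and SHA-256 over the trimmed, lower-cased value is an assumption about the hashing.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "candidate.example"  # constructed campaign site
# Constructed test identity typed into the sign-up form during the session.
TEST_IDENTITY = {"email": " Pat.Tester@example.org", "phone": "2025550143",
                 "zip": "20500", "first_name": "Pat"}

def sha256_hex(value):
    # Assumption: SHA-256 of the trimmed, lower-cased value.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def site_of(host):
    # Simplification: last two labels; a real audit needs the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def audit(entries, first_party=FIRST_PARTY, identity=TEST_IDENTITY):
    """Per third-party site: request count, cookie names set, hashed PII seen."""
    known = {sha256_hex(v): k for k, v in identity.items()}
    report = {}
    for e in entries:
        url = urlsplit(e["url"])
        site = site_of(url.hostname or "")
        if site == site_of(first_party):
            continue  # first-party traffic is out of scope
        row = report.setdefault(site, {"requests": 0, "cookies": set(), "pii": set()})
        row["requests"] += 1
        for header in e.get("set_cookie", []):
            row["cookies"].add(header.split("=", 1)[0].strip())
        # Match by value, so the check does not depend on parameter names.
        for _, val in parse_qsl(url.query, keep_blank_values=True):
            if val.lower() in known:
                row["pii"].add(known[val.lower()])
    return report

# Constructed capture: one entry per logged request (URL + Set-Cookie headers).
CAPTURE = [
    {"url": "https://www.candidate.example/signup", "set_cookie": ["session=abc"]},
    {"url": "https://cdn.candidate.example/app.js"},
    {"url": "https://pixel.social.example/collect?ev=Lead&a=" + sha256_hex("pat.tester@example.org")
            + "&b=" + sha256_hex("20500"), "set_cookie": ["uid=1; Path=/; Secure"]},
    {"url": "https://sync.adtech.example/match?id=42", "set_cookie": ["adid=xyz; Max-Age=31536000"]},
    {"url": "https://sync.adtech.example/match?id=42&step=2"},
]

if __name__ == "__main__":
    for site, row in sorted(audit(CAPTURE).items()):
        print(site, row["requests"], sorted(row["cookies"]), sorted(row["pii"]))
```

Matching on hashed values only detects identifiers the tester knows in advance; data sent in request bodies or under a different normalisation would need the same comparison applied there.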

View full data for all candidates (Google Sheet).

Privacy Policy Analysis

A first pass scan of each candidate’s website privacy policy was undertaken, identifying the types of data collected, key privacy issues and patterns in legal jargon.

This information was broken down into a detailed table, and a second scan of the policies was undertaken to confirm the presence/omission of each attribute for each candidate. View full table for all privacy policies (Google Sheet).

Each data point on the table was given a privacy score (out of 5) whereby a lower score meant privacy-positive results (e.g. evidence of notifying users of any data breaches was given a score of -2 as good practice).

These data points were combined into five different categories (PII, Device Information, Behavioral Tracking, Data Transfers, Data Protection) to provide a clearer basis for comparison.

The scores were then added up for each category to understand the strengths and weaker areas of each privacy policy.

Finally, the scores were totaled across all of the categories, giving a total privacy policy risk score out of a maximum possible score of 100.


About Us

Top10VPN.com is a leading VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about digital privacy and cybersecurity risks through our free online resources and research.


Additional research by Christine O’Donnell