US Election 2020: Which Candidates Track You Most Online?

By Party

By Candidate

The difference is stark in the sheer volume of third-party tracking between Biden, Sanders and Gabbard’s sites and the other presidential candidates.

While it may be surprising how much third-party tracking takes place for marketing purposes on berniesanders.com, it’s inarguably concerning that visitors to joebiden.com can expect their devices to be riddled with well over twice as many tracking cookies.

It’s also interesting to compare the mix of marketing platforms encountered on each site due to the insight it provides into each candidate’s campaign strategy.

Biden is clearly betting the ranch on ad tech while Sanders is taking a more balanced approach. Gabbard leans on Customer Relationship Management (CRM) and Trump, social media.

The underlying data for the chart above follows. Scroll or swipe to see all the columns to the right.

Onward Tracking

The following chart indicates how many third-party advertising and marketing platforms identified that we had visited the candidate’s site prior to browsing highly-partisan news-based sites Breitbart, Infowars and The American Independent.

Notable findings include:

• Biden’s intense use of ad tech on his site is certainly effective at tracking users after they leave his site.
• The highly-interconnected ad tech ecosystem means that cookies set by one platform can be recognized by others even when they did not set the original cookie.

Example

A HTTP request from americanindependent.com to taboola.com synced the value of the uuid2 cookie that had been set previously on berniesanders.com by Xandr, despite there being no HTTP requests made to or cookies set by native ad platform Taboola during the original visit.

• Visitors to Sanders, Buttigieg and Gabbard’s sites are most affected by this phenomenon.

The underlying data for the chart above follows.

The following chart indicates how many items of personally identifiable information (PII) are shared with Facebook by each candidate site.

The “Items” column indicates how much PII is shared when visitors sign up to support or donate to a candidate’s campaign. The “additional requests” column shows what PII was shared from the online store section of candidate sites.

We observed PII passed to Facebook using the official Facebook parameters for user data. While the data was hashed, we were able to reverse engineer the hashing process and confirm what data was being passed by encrypting the data we submitted in our testing process using the SHA-256 hash and determining whether the results matched with what we found in the HTTP headers.

It would be trivial for Facebook to compare hashed PII received in this way from the candidate sites and match it with its own similarly hashed personal data, thus combining the two data sets.

Democrat frontrunners Sanders and Buttigieg shared the most data with Facebook in this way.

It should be noted that Warren did not share PII in quite the same way, instead passing the amount of any donation to Facebook via URL parameters. Her site also passed purchase information from its online store to Facebook.

The table below details the specific items of PII each candidate sites passes to Facebook

UPDATE: 26 Feb 2020 14:30 GMT Following the initial publication of this report, the candidate campaigns were made aware of our findings. Further testing today of Facebook data-sharing practices by the campaign front-runners reveals that while Joe Biden has now stopped passing supporters’ personal info to Facebook, Sanders continues to do so. We will continue to monitor the situation and update our report accordingly.

Privacy Policy Risk Scores

The following chart compares the summary results of our detailed assessment of each candidate’s campaign website privacy policy.

Higher scores indicate a greater risk to user privacy.

Notable findings include:

• Sanders’s site has one of the best privacy policies, despite being among the most aggressive trackers of its visitors and sharers of data with Facebook.
• mikebloomberg.com really falls down on how it fails to commit to data protection, however it’s also joint-worst on how it treats personally identifiable information (PII).
• Gabbard has the most privacy-friendly policy thanks to her relative restraint with regards to behavioral tracking and strong commitment to data protection. However, this should be considered in context of her site’s observably intrusive user tracking.

The following table shows the underlying data for the chart above.

The scores were derived by first breaking down the key privacy points across all of the candidates’ privacy policies into a comprehensive list of single attributes onto a table.

You can see this table immediately below or download the full data sheet.

The attributes were each given a score (out of 5), then separated out into five different categories (PII, Device Information, Behavioral Tracking, Data Transfers, Data Protection) to provide a clearer basis for comparison.

The higher the score (max. 100), the less privacy conscious the policy is (e.g. tracking of exact location would score highly). Jump to methodology for more detail on scoring process.

Privacy Policy Detailed Comparison

This table shows the full results of our assessment of each campaign website privacy policy.

NB: green results are privacy-positive.

• All candidates scored poorly for behavioral tracking due to extensive use of web beacons/tracking pixels, collation of data from outside sources, and for ignoring “Do Not Track” requests.
• All but one candidate (Gabbard) either derive a user’s approximate location through their IP address, or their exact location via GPS tracking.
• All candidates explicitly share user data with groups with “similar political viewpoints”.
• All but one candidate (Klobuchar) use an understated, yet legally expansive, statement enabling any data usage that the campaign deems necessary. This is often found embedded in a list of justifications for invasive collection and sale of user data.
• Many candidates were found to have policy gaps relating to specific practices, indicated by the number of “Not Stated” results.

Campaign Site Analysis

Campaign website: joebiden.com

The following table shows the total number of third-party domains subject to HTTP requests from joebiden.com, along with all third-party cookies set. This includes non-tracking cookies and domains used for purposes other than advertising and marketing.

Biden’s campaign site is extremely aggressive in its use of ad tech. This is largely due to working with programmatic advertiser Media Math. In our test session, the HTTP request from joebiden.com to the mathtag.com domain initiated a series of browser redirects to 33 additional domains owned by other ad tech companies, many of which dropped tracking cookies.

This would suggest Biden is relying heavily on programmatic advertising, ie automated, highly-targeted ads that can appear anywhere online.

Unusually, the number of third-party domain requests and cookies detected by our scans of joebiden.com varied significantly from day to day, suggesting Biden’s team were actively finessing the ad tech set-up of the site. This makes it harder to entertain the possibility that they were oblivious to the extent that requests to mathtag.com spawn additional tracking.

Visitors to Biden’s site should expect to be heavily tracked when they continue browsing after leaving it. In our test session, HTTP requests to 21 ad tech platforms contained references to cookie values set on joebiden.com, indicating that we had previously visited that domain. Many of these cookies only expire after a year.

Anyone signing up to Biden’s campaign should expect their email, phone number and ZIP code to be shared with Facebook in hashed form. The only candidate we found to sharing more data points with Facebook than Biden was Sanders. Jump to our Facebook data sharing analysis.

Campaign Site Analysis

Campaign website: mikebloomberg.com

The following table shows the total number of third-party platforms subject to HTTP requests from mikebloomberg.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Bloomberg’s site is one of three Democrat candidate sites that tracks users more than Trump’s does but is significantly less intrusive than Biden, Sanders and Gabbard’s sites.

Despite being middle-of-the-road in terms of the number of trackers, mikebloomberg.com passes data to some unusual advertising and marketing-related domains. For example, it passes data to bbhub.io, a domain operated by Bloomberg Professional Services, the data vendor arm of Bloomberg’s own firm that offers subscriptions costing as much as $2,000 per month.

We also observed requests to another Bloomberg-operated domain, bwbx.io, but could not determine its purpose.

mikebloomberg.com also passes data to Amobee, a mobile ad tech company promising to track users across their devices that’s owned by Singapore telco Singtel, as part of its ad tech empire.

In our onward browsing, native ad platform Taboola and ad tech platform Xandr both tracked us as having visited mikebloomberg.com, based on the uuid2 cookie set by adnxs.com.

Bloomberg’s site was not observed to share any personal data to Facebook when users signed up, although it did set Facebook cookies and generally passed data to the social network.

Privacy Policy

Policy URL: https://www.mikebloomberg.com/privacy

Score: 79/100

Highlights

• N/A

Lowlights

• Fails to notify users of the Federal Electoral Commission (FEC) requirement to disclose the full name, address, occupation and employer of all individuals whose donations exceed $200 per election cycle.
• This leaves his supporters unaware of the extent of PII that would be made public, especially in a personally sensitive subject matter.
• Has an apparent lack of safeguards in place in the case of a security breach, implied from the absence of any mention of such procedures in his privacy policy.
• Along with high levels of behavioral tracking and PII collection, the policy is highly ambiguous about how this information might be used. The policy opaquely states the freedom of use of your information “for any lawful purpose”.

Bottom Line

Our view is that Bloomberg has the worst campaign site privacy policy of all of the 2020 presidential candidates. His policy sidesteps any sort of specificity and instead clearly prioritizes his campaign’s needs above the privacy of his supporters.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: peteforamerica.com

The following table shows the total number of third-party platforms subject to HTTP requests from peteforamerica.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Buttigieg’s site is one of three Democrat candidate sites that tracks users more than Trump’s does but is significantly less intrusive than Biden, Sanders and Gabbard’s sites.

Two-thirds of the cookies set on peteforamerica.com are from NGP VAN, the Democrat-affiliated CRM tool used to personalize the floods of emails pestering potential supporters for donations.

While peteforamerica.com is lighter on the ad tech, it does set cookies from major programmatic ad platforms Xandr and The Trade Desk.

The site also sent data to native advertising platform Outbrain, one of a handful of companies responsible for the endless feed of typically low-quality clickbait articles often found masquerading as related content below genuine editorial.

Visitors who sign up to peteforamerica.com can expect the site to share their first name, surname and email address with Facebook in hashed form. Only Sanders shares more personal info with Facebook.

Privacy Policy

Policy URL: https://peteforamerica.com/privacy-policy

Score: 83/100

Highlights

• Does not transfer user data overseas.

Lowlights

• Fails to give any commitment to data protection statement.
• Similar to many other candidate policies, it attempts to absolve the campaign of any responsibility for genuine user privacy by including a clause claiming the right use your data as the campaign sees fit.
• Tracks your location upon any monetary transaction on the website.
• The campaign’s response to “Do Not Track” signals is not stated anywhere in the policy and it does not appear to notify users of any data or security breaches.

Bottom Line

Buttigieg’s policy is one of the worst we assessed, tied in second-last place with Steyer’s document.

The policy performs so poorly mainly due to extensive of behavioral tracking, a large number of stakeholders with whom they can share your data and a general lack of reassurance for privacy-conscious users.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: tulsi2020.com

The following table shows the total number of third-party platforms subject to HTTP requests from tulsi2020.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Along with Sanders and Biden’s sites, Gabbard’s tulsi2020.com forms a cohort that intrudes on users’ privacy significantly more than those of their rivals.

As well as tracking users to better target them via major programmatic ad platforms like Media Math, Xandr and OpenX, our analysis shows Gabbard also hopes to retarget them using services such as Perfect Audience and a range of Customer Relationship Management (CRM) tools.

These CRM tools alone set 16 tracking cookies during our test session to enable highly-personalized emails and other messaging canvassing for donations and other support.

Her site was also notable for being the only one to track users via the Wistia video marketing platform, which touts how you can send its user data to Facebook and Google for greater reach.

Visitors who sign up at tulsi2020.com can expect their email address to be sent in hashed form to Facebook. However, this was the only personal info shared, placing the site at the lower end of the spectrum in this area.

Privacy Policy

Policy URL: https://www.tulsi2020.com/privacy-policy

Score: 70/100

Highlights

• Tulsi Gabbard uniquely approaches her privacy policy by outlining the relevant legislation with which the website strives to be in compliance.
• Notifies her users when there is a security concern.

Lowlights

• Contains many ambiguities and fails to comprehensively inform the user about what type of personal info the website collects and for what reasons.
• Specifically, the policy fails to mention whether or not the site collects your IP address, device information, network connection or location information.
• Does not address whether they use web beacons/tracking pixels, website analytics.
• Fails to inform users about where their data is processed and stored.

Bottom Line

Gabbard’s policy received the best score of all the candidates due to her pro-digital rights approach.

However, the policy contains many omissions about her site’s specific practices. This means that anyone reading her privacy policy will leave without fully understanding the privacy implications of using her website.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: amyklobuchar.com

The following table shows the total number of third-party platforms subject to HTTP requests from amyklobuchar.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

amyklobuchar.com sets the least number of tracking cookies of any campaign site and is one of two Democrat sites less intrusive of privacy than Trump’s.

Aside from Facebook, Twitter and Google, including the latter’s pervasive targeting platform DoubleClick, the only other marketing-related domain subject to a HTTP request was Moat, an ad analytics platform.

Nor does Klobuchar’s site share user sign up data with Facebook, unlike the majority of other candidates.

Privacy Policy

Policy URL: https://amyklobuchar.com/privacy-policy

Score: 74/100

Highlights

• Amy Klobuchar is the only candidate that does not claim the right to use the data collected on her website for “any purpose”.

Lowlights

• Does not notify her users of any data or security breaches.
• Fails to mention key privacy considerations:
  • Collection of browser data
  • Device information
  • Network connection
  • Location information
  • Use of web beacons
  • Response to “Do Not Track” requests
  • Data transfers overseas

Bottom Line

As well as scoring poorly for leniency in data sharing practices, Klobuchar’s policy also omits much important information on data collection and usage, leaving a lot of room for ambiguity.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: berniesanders.com/

The following table shows the total number of third-party platforms subject to HTTP requests from berniesanders.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Sanders’ campaign site may only set half as many third-party ad and marketing tracking cookies as joebiden.com but it was still much more intrusive of user privacy than the majority of other candidates’ sites, with not only heavy use of ad tech but also other types of marketing platforms.
berniesanders.com is notable for making HTTP requests to several third-party domains that generate multiple redirects. Among these was the Democrat fundraising platform actblue.com that initiated redirects to adsrvr.org, doubleclick.net, dstillery.com, facebook.com and bing.com, all domains operated by ad platforms. As this behavior was not observed with other candidate sites, it would appear that this is a deliberate decision by Sanders’ team.

These redirects – and the cookies set as a result – significantly increase Sanders’ reach as the only direct HTTP request from berniesanders.com in our test session that related to a programmatic ad platform was to adsrvr.org, a domain used by The Trade Desk.

Among the more concerning domains contacted belonged to MaxMind, a company which provides location data for IP addresses, and Skimlinks, typically used to monetize online content by automatically adding affiliate links to potentially commercial words and phrases in articles.

As well as setting tracking cookies from a broad range of social media networks (Facebook, Twitter and Snapchat),

Sanders shares more personally identifiable data than any other candidate with Facebook.

Visitors to berniesanders.com who sign up to his campaign can expect their first name, email, phone number and ZIP code to be shared in hashed form.

Jump to our Facebook data sharing analysis

Privacy Policy

Policy URL: https://berniesanders.com/privacy-policy

Score: 75/100

Highlights

• While lengthy, Sanders’ privacy policy does provide useful information on key terms and processes that users may not be aware of.
• Acknowledges a number of privacy concerns and explains measures that they take to mitigate risk.
• Does not track the webpage you visited prior to his website.

Lowlights

• Tries to justify supposedly “necessary” purposes for data collection to offset any impression of excessive data collection practices.
• Fails to clarify whether or not the site:
  • Tracks user location
  • Responds to “Do Not Track” requests
  • Transfers user data overseas to potentially less regulated jurisdictions

Bottom Line

While Sanders’ policy shows levels of concern for data security and privacy, it also gives the impression of high levels of behavioral tracking and data sharing amongst affiliates, making for an unconvincing “privacy first” policy.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: tomsteyer.com

The following table shows the total number of third-party platforms subject to HTTP requests from tomsteyer.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

tomsteyer.com is among the least intrusive of the Democrat sites and one of only two that were more respectful of user privacy than Trump.

While the only ad tech cookie set was the ubiquitous Google DoubleClick cookie IDE, the site did pass data to Browser/IP logger DataDog during our test session.

The only other cookies set were for Facebook and Twitter.

tomsteyer.com was one of the few sites not to pass personal info to Facebook when users signed up or donated.

Privacy Policy

Policy URL: https://www.tomsteyer.com/privacy-policy

Score: 83/100

Highlights

• Does offer security breach alerts to their users.

Lowlights

• Fails to disclose how the site responds to “Do Not Track” requests.
• Elusive about whether the site allows third parties to track and serve targeted ads on his campaign website and whether they transfer your data overseas.
• Under section “How and When Information Is Used”, the policy includes a very ambiguous statement claiming to “Carry out any other purpose for which the information was collected”.
• Fails to notify their users of the FEC’s requirement to disclose PII of donors who contribute in excess of $200 per election cycle.

Bottom Line

While Steyer’s privacy policy is not the very worst we looked at, we awarded it a high risk score due to a lack of specificity and clarity over crucial privacy concerns.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: elizabethwarren.com

The following table shows the total number of third-party platforms subject to HTTP requests from elizabethwarren.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

elizabethwarren.com is among a group of three Democrat sites that tracks users more than Trump’s does, but is significantly less intrusive than Biden, Sanders and Gabbard’s sites.

The site uses fairly minimal ad tech, although it does set cookies TDID and TDCPM from programmatic ad platform The Trade Desk domain adsrvr.org. This means visitors to elizabethwarren.com are very effectively tracked once they leave the site due to the ubiquity of that platform.

Other notable observations included a tracking cookie for Snapchat ads and requests to clickbait network Outbrain, shining a light on aspects of Warren’s campaign strategy.

Despite being a highly outspoken critic of Facebook, Warren’s site passes the amount of any donation made to her campaign to Facebook via URL parameters. It also shares data with Facebook from the online store part of the site, such as items added to the basket and their value.

Privacy Policy

URL: https://elizabethwarren.com/privacy-policy

Score: 73/100

Highlights

• Does not transfer any of your data outside of the jurisdiction of the U.S.
• Notifies users of any data breaches or security alerts.
• Transferal of your data to current or future affiliates is done so, ‘With your consent or at your direction’.

Lowlights

• Claims to collect a very extensive list of diverse types of information, as outlined in the sections on data collection.
• Makes no mention of how the site responds to ‘Do Not Track’ requests.
• Uses open-ended statement claiming your data can be used for “any purpose”. While far from offsetting this risk, the policy does commit to the “purpose being disclosed at the time of collection”, which gives users the opportunity to cease interaction.

Bottom Line

Warren’s policy is among the more privacy conscious in terms of language, accessibility and the use of clear statements that address a wide array of data security concerns.

However, her behavioral tracking is more invasive than is ideal, leaving her with a moderate score of 73. Along with Republican candidate Weld, Warren has the second-strongest policy.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: donaldjtrump.com

The following table shows the total number of third-party platforms subject to HTTP requests from donaldjtrump.com, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

Despite having no reputation as a privacy advocate, Trump’s campaign website is less intrusive than all but two of his Democrat rivals.

Largely eschewing ad tech, Trump instead doubles down on tracking users for social media advertising. donaldjtrump.com sets cookies for Facebook, Reddit and Snapchat. Ironically given his prominent presence on the platform, we did not observe any HTTP requests to Twitter domains.

Visitors who sign up to donaldjtrump.com can expect the site to share their email address and ZIP code with Facebook in hashed form.

Privacy Policy

Policy URL: https://www.donaldjtrump.com/privacy-policy

Score: 79/100

Highlights

• Does not transfer data outside the jurisdiction of the U.S. to undisclosed locations.

Lowlights

• With GPS tracking enabled:
• Users’ exact location, along with other PII, is explicitly collected and used “for any lawful purpose” that the campaign deems fit.
• GPS location information is also collected by the site’s “service providers”.
• The site ignores “Do Not Track” requests.
• The policy claims the, “right to use, share, exchange and/or disclose to DJTFP affiliated committee and third parties any of your information for any lawful purpose.”

Bottom Line

Whilst the policy does firmly declare that it, “takes privacy and security very seriously”, it also contains statements which indicate extensive data collection and sharing. The contradictory nature of the policy may either leave readers confused or feeling a false sense of security.

^{Back to list of candidates}

Campaign Site Analysis

Campaign website: weld2020.org

The following table shows the total number of third-party platforms subject to HTTP requests from weld2020.org, along with all third-party cookies set. This includes non-tracking cookies and platforms used for purposes other than advertising and marketing.

weld2020.org intrudes slightly less on user privacy than Weld’s Republican nomination rival Trump’s site and significantly less so than the majority of Democrats, including the frontrunners.

The only notable find beyond ubiquitous Facebook and DoubleClick cookies was that the majority of tracking cookies were from Hubspot, with Weld being the only candidate to use the multi-purpose CRM platform.

Weld’s site does however share in hashed form with Facebook the email address and phone number of anyone who signs up to his campaign.

Privacy Policy

Policy URL: https://weld2020.org/privacy-policy

Score: 78/100

Highlights

• Does not transfer or process any user data overseas, where privacy laws may be less protective.
• Indicates that users are alerted of any security breaches.

Lowlights

• Lacks any statement reassuring users of any commitment to data security.
• Explicitly ignores “Do Not Track” requests.
• Explicitly collects users’ GPS locations upon any monetary transaction on the website.

Bottom Line

Weld 2020’s privacy policy does comprehensively cover the extent and type of data collected however, alongside Biden, his policy received the worst possible score for behavioral tracking (24/24).

^{Back to list of candidates}

Cookie Index