Nijmegen, Netherlands — June 2025 — A recent study conducted by researchers at Radboud University has revealed widespread misuse of personal data by global tech companies Meta (formerly Facebook) and Yandex, the Russian technology conglomerate. The investigation focused on the deployment of website tracking scripts and the extent to which these third parties gain access to sensitive user data without adequate transparency or consent.
The study, led by a team from the Digital Security group, found that embedded trackers from Meta and Yandex were present on over 14,000 government and health-related websites across the European Union. This presence enables the unsolicited collection of user data, including information on visits to public sector platforms, potentially violating both user expectations and the General Data Protection Regulation (GDPR).
The researchers discovered that Meta’s “Meta Pixel” and Yandex’s “Metrica” analytics tool were frequently configured in ways that allowed data transfers to servers located outside the EU—primarily in the United States and Russia—without proper safeguards or legal bases. In many cases, the inclusion of these scripts occurred without the explicit knowledge or understanding of the website operators, raising concerns about accountability and due diligence.
Importantly, the data collected by these tracking tools included not only technical identifiers like IP addresses and browser metadata but also detailed interaction logs and behavioral profiles. Such information can be used for cross-site profiling, targeted advertising, and—in the case of authoritarian regimes—potential surveillance.
The researchers emphasized that these practices represent a clear breach of the principles of data minimization and purpose limitation under EU law. They call for urgent regulatory attention and stronger enforcement mechanisms to curb the exploitation of digital infrastructure by non-transparent actors.
This study adds to a growing body of work questioning the role of embedded trackers and their implications for civil liberties and digital autonomy. The authors urge public institutions to conduct thorough audits of their digital services and consider alternative analytics solutions that are GDPR-compliant and hosted within the EU.
The full findings have been submitted to an international conference on privacy and data protection and are expected to influence upcoming policy discussions at both the national and European levels.