
In-depth technical and legal analysis of Web tracking on health related websites with Ernie extension

Authors :
Wesselkamp, Vera
Fouad, Imane
Santos, Cristiana
Boussad, Yanis
Bielova, Nataliia
Legout, Arnaud
Privacy Models, Architectures and Tools for the Information Society (PRIVATICS)
Inria Grenoble - Rhône-Alpes
Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-CITI Centre of Innovation in Telecommunications and Integration of services (CITI)
Institut National des Sciences Appliquées de Lyon (INSA Lyon)
Université de Lyon-Institut National des Sciences Appliquées (INSA)-Université de Lyon-Institut National des Sciences Appliquées (INSA)-Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National des Sciences Appliquées de Lyon (INSA Lyon)
Université de Lyon-Institut National des Sciences Appliquées (INSA)-Université de Lyon-Institut National des Sciences Appliquées (INSA)
Utrecht University [Utrecht]
Design, Implementation and Analysis of Networking Architectures (DIANA)
Inria Sophia Antipolis - Méditerranée (CRISAM)
Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)
Commission nationale de l'informatique des libertés (Cnil)
CNIL
Source :
20th Workshop on Privacy in the Electronic Society, Nov 2021, Seoul, South Korea
Publication Year :
2021
Publisher :
HAL CCSD, 2021.

Abstract

Searching for doctors online has become an increasingly common practice among Web users. However, when health websites owned by doctors and hospitals integrate third-party trackers, they expose their potential patients' medical secrets to third parties, thereby violating the GDPR, which only allows the processing of sensitive health data with the explicit consent of a user. While previous works detected sophisticated forms of cookie syncing at scale, no tool exists as of today that would allow owners of health websites to detect complex tracking practices and ensure legal compliance. In this paper, we develop Ernie, a browser extension that visualises six state-of-the-art tracking and complex cookie syncing techniques. We report on the analysis with Ernie of 176 websites of medical doctors and hospitals that users would visit when searching for doctors in France and Germany. At least one form of tracking or cookie syncing occurs on 64% of websites before interacting with the consent banner, and 76% of these websites fail to comply with the GDPR requirements on a valid explicit consent. Furthermore, an in-depth analysis of case study websites allowed us to provide comprehensive general explanations of why tracking is embedded: for example, in all 45 webpages where doctors include a Google map to help users locate their office, tracking occurs because Google's cookie, already present in the user's browser, is attached to the request that fetches the useful Google map content.

Details

Language :
English
Database :
OpenAIRE
Journal :
20th Workshop on Privacy in the Electronic Society, Nov 2021, Seoul, South Korea
Accession number :
edsair.od......2592..3622b01da0582ad1d6f9046dec9891e9