How to protect your privacy while signing up for a COVID-19 vaccine online

A surprising number of state COVID vaccine sites include tracking cookies and pixels.

Click here to see all of PopSci’s COVID-19 coverage.

With vaccination availability rapidly expanding to all Americans, the last thing anyone needs is a reason to distrust our states’ registration processes. Unfortunately, recent data shows that some states take the privacy and security of their vaccine websites much more seriously than others. A jaw-dropping number of ad trackers and cookies appear on 29 US state vaccine websites. These little tag-alongs follow you after you leave the site and report your clicks and views (and more) to ad peddlers like Facebook.

This information comes from The Markup’s data analysis of usability and privacy for every US state, Puerto Rico, and Washington, DC, using Google’s Lighthouse tool and The Markup’s own (brilliant) privacy tool, Blacklight. The key takeaway:  While each state has handled its vaccination distribution web presence on its own, less than half have placed user privacy on a pedestal and have zero trackers. The majority are doing some data dealing at the expense of their residents.

How much tracking does your state’s vaccine site do?

California, New York, Texas, Kansas, and several more don’t involve trackers at all. Nevada, Hawaii, Utah, New Jersey are among the worst offenders.

Nevada is responsible for some of the most egregious offenses. Its site “is run through a partnership with a nonprofit organization, Immunize Nevada,” The Markup explained, and “[it] contained 24 ad trackers and 45 third-party cookies. Ranking states by number of cookies, Nevada has more than the lowest 46 states combined.”

That means Nevada’s site has three times the ad trackers and more than 10 times the third-party cookies found on most popular websites. The companies collecting the data include familiar names like Facebook, Oracle, and Verizon Media, as well as big tech firms like Neustar.

In fairness to Immunize Nevada, some of the site’s invasive tracking is happening thanks to embedded social media widgets on the site. Facebook’s widget subjects visitors to its Facebook Pixel tracker, which runs afoul of California’s digital privacy laws, as well as the EU’s tough data protection and privacy law, the General Data Protection Regulation. With it, “Facebook is able to link your browser (and its activity) to your Facebook account, which gives it valuable data about you as an individual as well any categories it has placed you in — things like your location, age, gender, and interests,” wrote Vox.

Unfortunately, Immunize Nevada’s Privacy Policy page only reads “coming soon.”

How to protect your privacy while using vaccine sites

It may seem exhausting to encounter yet another thing we need to protect ourselves from, but don’t give up just yet — on privacy, or getting vaccinated. Here’s what you can do, even if you’ve already visited your state’s website. 

Look up your state’s vaccination website on Blacklight. Don’t panic if the results are more than you expected.

Check your browser’s privacy settings. Make sure it is clearing your history and browsing data/cookies. Toggle on anything that blocks trackers and cookies, and turn on anything that opts you out of tracking and ads. It’s a chore, but it’s worth it. Firefox has a great, simple guide for slightly more aggressive steps you can take.

Keep in mind that if you use Brave, Firefox, or Safari, these browsers block third-party cookies by default. That’s great. Chrome will do the same in April, when Google is expected to release Chrome 90 (a beta is available now).

Add privacy-protecting extensions to your browser to block as many of the baddies as possible. We recommend uBlock Origin, but you can also consider Privacy Badger, Ghostery, Blur, and Disconnect. Think of them like a mask you can put on and forget about.

Any privacy disasters at the intersection of websites and public health are not the public’s fault. But, the situation is so messy right now that we need to protect ourselves by controlling what we can and raising awareness that it’s happening in the first place. Those actions won’t stop the tracking completely on their own, but it will improve your personal safety while reducing the overall incentive for companies to continue these kinds of privacy invasions in the future.