
Report to UODO and UKE: Update on lodz.pl and Łódź municipal services

Author: Maciej Lesiak. Words: 5420. Reading time: 26 minutes.

In short: An audit of 28 municipal domains revealed a pattern: advertising and analytical tags activate in the resident's browser before they can even click the consent banner. The case has been in progress since November 2025: a notice to UODO with 9 charges, a notice to UKE, a notice to the prosecutor's office, supplements, and an audit of 28 municipal domains that confirmed the pattern. This is not a dispute over a poorly configured banner or cookies, but about an architecture that merges public communication, advertising, and profiling into one difficult-to-account-for mechanism.

A resident in the snares of monetization

As a resident of Łódź affected by the Local Spatial Development Plan (MPZP) procedure, I have been using the mpu.lodz.pl service for a long time, as well as other municipal services and the Public Information Bulletin (BIP). I log in, check documents, read public displays. The cookie banner here looks like an editorial joke: a single “OK” button, no real choice. Today, knowing what it entails, I don’t click.

However, as I demonstrated in the audit, from the user’s perspective, nothing happens… From the server’s perspective – quite the opposite. In the very first second of the session, before I can even read anything, a signal is sent to Google’s infrastructure stating that “the user has granted full marketing consent.” I did not. I hadn’t even seen the banner yet.

At the same time, I was receiving SMS messages on my phone with pushy advertisements for developer investments. I also had the Łódź Citizen Card, whose regulations explicitly provide for profiling based on age, interests, and how the offer is used. The synchronicity is just a coincidence – but the scale of knowledge that the City of Łódź Office collects and most likely consumes through its companies and vehicles (Associations called the Łódź Tourist Organization), is alarming.

A critical look and analysis is not an attack on Łódź, the city, or its residents – as some try to portray it. The city is us, the residents. We are not decorative elements for business nor commodities to be monetized. I have the knowledge and means to verify certain areas of implementation, so I took a look. The problem concerns Łódź and the way the local government dominates not only the information market but also the advertising market…

What was reported and where the case stands today

I published the first article revealing the tracking architecture in municipal services on May 18, 2025. The material was strong and could have been a ready opening for activists or watchdogs. I hoped someone would take it up. No one did – neither formally nor substantively. It ended with handshakes. That’s when I started procedurally.

November 6, 2025 – I filed the main notice with the President of UODO (Personal Data Protection Office). I grouped the findings into nine systemic charges (details in the supplement).

December 11, 2025 – The District Prosecutor’s Office in Łódź initiated – independently and without my knowledge – an investigation into irregularities in advertising tenders surrounding lodz.pl and municipal festivals (case number 4197-4.Ds.2398.2025). I found out from press publications in February 2026. For me, the case gained a second dimension – financial and structural.

February 25, 2026 – I supplemented the notice to UODO with new circumstances: financial flows, configuration of decision-making roles (including Łukasz Goss – President of Holding Łódź sp. z o.o., Chairman of the ŁOT Program Council, previously Director of the Promotion and New Media Bureau of UMŁ), and the regulations of the Łódź Citizen Card.

March 6–9, 2026 – I prepared a massive technical audit of municipal domains and services along with CMP and Consent specifications. The knowledge contained therein will be presented on the dadalo.pl website in the TECH section.

March 10, 2026 – I submitted the full evidence from the audit to UODO – hard network logs confirming forced marketing consents, while simultaneously publishing them online at dowody.dadalo.pl.

March 13, 2026 – I sent a separate notice to the President of UKE (Office of Electronic Communications) regarding a violation of Article 399 of the Electronic Communications Law (unlawful installation of cookies without consent), providing access to the dowody.dadalo.pl service.

March 27, 2026 – UKE officially confirmed the registration of the case and an analysis for the purpose of initiating an inspection. A few days later, I made the evidence public so that it could be verified by all parties.

April 20, 2026 – I filed a complaint about UODO’s inaction regarding the case from November 6, 2025.

April 23, 2026 – UODO replied that since the proceedings are conducted ex officio, I do not have the status of a party. On the same day, I filed a new notice with UODO regarding systemic violations in the BASE System platform servicing the Łódź Zoo – this is an extension of the main thread, not a new case. The evidence: the same patterns on another municipal service.

Originally, I did not want to be a party to the proceedings. I filed the notice as a citizen signal. Today, I am modifying this strategy. I am in the process of establishing contact with non-governmental organizations dealing with privacy violations and investigative journalism – including European ones.

A highly convoluted architecture of processing and partners

Officially, the administrator of the lodz.pl portal is the City Library in Łódź. However, documents and infrastructure analysis show that the ecosystem also involves the City of Łódź Office, the Łódź Tourist Organization (ŁOT), and its brand, the Łódź Media Group, which offers advertisers access to municipal reach and audience data. One of the primary charges in the notice is not tracking itself, but the lack of transparent disclosure of who actually co-decides on the purposes and means of processing residents’ data.

The lodz.pl portal is monetized through Google AdSense and the Library’s own advertising infrastructure – ads.biblioteka.lodz.pl, a professional Revive Adserver. In other words: a municipal service funded by public money is linked to the commercial flow of data and advertising space, while also being protected by press law as a publisher.

Today I know that as part of a Public-Private Partnership in 2020, for 10 years, UMŁ signed a contract for the operation of the citizen card, the tourist card, as well as the SaaS model and providing IT solutions in exchange for monetizing residents’ data. This inconspicuous fact has colossal significance for the city. The consortium was created by the Łódź Tourist Organization together with the solution provider QB sp. z o.o. However, it is ŁOT that is the problem, because as an Association it is beyond control, and lately questions about the transparency of spending and fueling municipal companies with money have been raised more and more loudly. This is the core of my charge regarding joint administration. Official documents, including the “Description of the Proceedings” from the 2020 tender, state that the total remuneration of the private partner is “the right to collect benefits in connection with the right to operate the system.” The documents show that the private partner, under the agreement, obtained the right to “conduct marketing and advertising activities.”

In the case of Adsense ads, data is transferred to the BID auction system where it undergoes automated processing and profiling, enabling earnings from ads.

But that’s not the only problem, and it doesn’t end with lodz.pl. To the best of my knowledge, the old Universal Analytics identifier UA-25825547-40 – formally retired by Google in 2023 – remains active and injects tags from lodz.pl into other municipal services. The scale of this mechanism and its role in the architecture of the entire ecosystem is the subject of a separate section. The active presence of a Google tool retired two years ago in an infrastructure generating millions of visits – combined with Microsoft Clarity revealed in 2025, whose status in the current audit requires a separate explanation from the administrator – does not reflect well on the city’s approach to resident data, nor most likely on the public-private partnership under which some of these systems are implemented. With such a scale of processing, these systems and processed data should be a matter of particular concern.

Let’s establish one thing. Decision-makers do not have to be experts in technologies; they are supposed to receive technologies and protocols that confirm their appropriate quality.

Audit of lodz.pl

Explanation of the illustration: The image shows technical details of a session on the lodz.pl portal recorded by Google Tag Assistant. We see there:

  • Google Ads Tags (AW-11108391222, AW-557285855, AW-665139254): Direct evidence of an extensive advertising infrastructure on a public portal. These tags are used for conversion tracking and remarketing, confirming the charge of commercial use of resident data.
  • gcd (13l3l3l2l1l1): A replicated pattern of forced marketing consent (“granted”). The system reports full ad profiling permissions to Google before the user can interact with any consent mechanism on the page.
  • tid (AW-557285855): An identifier indicating that data from this specific page view goes directly into the Google ad auction system.
  • dt (ŁÓDŹ.PL): Confirmation that the profiling process takes place on the city’s main information portal, linking the consumption of public content with the commercial AdTech ecosystem.

Why BIPs and MPU-type information pages are a separate problem

The most glaring cases are the BIP services and pages that function as actual access to public information (for example, MPU does not have BIP status but is an information channel in planning proceedings). On bip.uml.lodz.pl, bip.zlm.lodz.pl, and mpu.lodz.pl, a citizen has no real alternative to obtain the same information. Speaking here of “voluntary consent” within the meaning of Article 399 of the PKE is, as I have shown, a fiction.

Starting ad tracking before consent on such pages means that the state de facto requires the resident to pay with their data for access to information to which they have a statutory right. This is not a technical detail or a matter that can be dismissed with a reassuring comment from an official. It is a problem of the citizen-authority relationship. A matter of trust.

If entering the website of an office, a BIP, or a planning service triggers advertising and analytical mechanisms before consent, the resident is deprived of real control over their data exactly where they should have it strongest. If, however, the data goes into a system where no sensible “forgetting” mechanism works, in the name of optimizing municipal costs, a solution is created that is ethically questionable at best. A resident browsing planning services or articles about investments is, with high probability, semantically classified along with signals regarding purchases and other browsed services as a valuable object. Such knowledge on a city scale is worth its weight in gold. And we still have the entire HoReCa segment along with the event-tourism combine.

The Łódź citizen card and the deeper dimension of the case

The deeper dimension of the case concerns the Łódź Citizen Card program, used by hundreds of thousands of people, and the related Tourist Card program, which opens a cross-border dimension to the case. The regulations of the Łódź Citizen Card provide for automated profiling based on age, interests, and how the offer is used. At the same time, to verify eligibility, the program collects documents revealing a broad picture of the resident’s financial, professional, and social situation: PITs, certificates from ZUS, from the labor office, and documents related to disability.

I will say it bluntly so there is no misunderstanding. I have no problem with verifying eligibility for a social program. I have a problem with trusting the way UMŁ actually processes this data in the context of the Public-Private Partnership (ŁOT + QB as operators of the Card), in an architecture that combines semantic, behavioral, and demographic targeting, public transport, advertising, profiling, and public money into one difficult-to-account-for mechanism. As we already know, the ŁOT Association is beyond control. And knowledge regarding detailed demographics and social position combined with ad targeting is worth its weight in gold. These resources, inventory, can be monetized and used not only for commercial ads but also for election ads (so-called microtargeting).

I am of the opinion that a configuration in which the decision on the transfer of public funds is made on one side of the contract, and on the other side of the same contract sits the same person in the program body, requires a separate, factual analysis. This is not a suspicion – it is a description of the factual state that I provided in the supplement to the notice of February 25, 2026.

The ŁOT’s position and what to do about it

In March 2026, Tomasz Koralewski, president of the Łódź Tourist Organization, gave a statement to “Gazeta Wyborcza,” in which he stated, among other things, that the Łódź Citizen Card data is not shared with the City Library and vice versa, that the lodz.pl portal is connected to Google Analytics in terms of standard traffic information, and that ŁOT’s business activity is legal and “does not constitute any enigmatic formula in today’s realities.”

These statements describe the state of affairs at the level of organizational and PR declarations. The evidence submitted to UODO and UKE concerns the documentary and network layers: what tags and containers activate in the browser, what identifiers are sent to third parties, at what point in the user session, what they consented to, what the documents declare. Juxtaposing the organizational declaration with observable technical practice – along with an analysis of regulations and policies – is the responsibility of the bodies conducting the proceedings. The lack of transparency of this arrangement led, among other things, to the initiation of an investigation by the District Prosecutor’s Office in Łódź in December 2025 regarding advertising and event tenders, and councilors and the media are increasingly questioning the siphoning of public money to a creation operating in a “gray zone.”

Audit of MPU

Explanation of the illustration: The image shows the moment of debugging the mpu.lodz.pl page using the Google Tag Assistant tool. We see there:

  • gcd (13l3l3l2l1l1): A full marketing consent signal (“granted”) sent to Google in the first second of the session, before the user interacts with the banner.
  • UA-25825547-40: An outdated Universal Analytics identifier shared with the lodz.pl portal, used for tracking the user across domains (cross-domain tracking).
  • G-30F084ZHSL: A GA4 tag common to mpu.lodz.pl and uml.lodz.pl, integrating data about citizen activity from different city units into one profile.
  • dl (Document Location): Registration of entry to a precise URL regarding the MPZP planning procedure (Tuwima and Wodna St. area), allowing for direct attribution of investment interests to a specific user.
  • cid: A unique browser identifier, enabling Google to permanently link this visit with the user’s online activity history.
  • Sharing identifiers UA-25825547-40 and G-30F084ZHSL along with the identical forced consent signal gcd=13l3l3l2l1l1 on the mpu.lodz.pl and lodz.pl domains constitutes technical proof of a unified tracking architecture that combines data from information and official services into one commercial advertising profile of the resident.

Technical audit of municipal domains

Between March 6 and 9, 2026, I conducted an automated technical audit of 28 municipal and related domains – in sterile browser sessions, with a clean session without saved cookies, without history, and without any interaction with the consent banner. First manually, then in an automated way, each result subject to verification. Full network logs, HAR and NDJSON exports, snapshots of privacy policies, and request payloads are publicly available at dowody.dadalo.pl/en/lodz-rodo-2025/.

The result: on 28 municipal domains, Google tracking (Analytics + Ads) activated before any user consent. This included lodz.pl, uml.lodz.pl, bip.uml.lodz.pl, mpu.lodz.pl, services of the Łódź Citizen Card, Aquapark Fala, Orientarium, and lodz.travel.

On most, the requests contained the parameter gcd=13l3l3l2l1l1, which in the Google ecosystem means “the user has granted full marketing consent.” The signal was sent before anyone had a chance to express that consent.

What is gcd=13l3l3l2l1l1? It is a parameter of Google Consent Mode v2 – a mechanism intended to inform Google whether the user has consented to various types of processing (analytics, personalized ads, personalization, etc.). The digit “3” means granted. The default value should be denied (1) until the user clicks “I agree.” In the Łódź services, it was the opposite: the system immediately reported full consent – even before the banner even appeared. A full reference table of the GCD format along with the interpretation of subsequent positions and the audit context can be found in the “Decoding the GCD parameter” section at dowody.dadalo.pl/en/lodz-rodo-2025/.

On the network traffic side, connections to google-analytics.com, googletagmanager.com, googleads.g.doubleclick.net, the setting of tracking identifiers, and the transmission of payloads are visible – in a session state in which the user has not expressed any consent. These are facts observable in the browser of any person who repeats this test. Zero magic. It is obviously difficult, but possible to track from the comfort of your home.

The evidence also shows something that is sometimes overlooked: even if some cookies are later deleted when the user clicks “I don’t agree,” the earlier transmission of data to third parties has already occurred. From the user’s perspective, it is irreversible. In the ad auction ecosystem, there is no real “forgetting” procedure for a resource that has already been exposed.

I am not convinced by a potential line of defense that reduces the whole matter to “correctly implemented Advanced Consent Mode” or “cookieless pings.” With a correct implementation, the default state blocks marketing processing and does not set advertising identifiers before consent. Here, tags activated normally, and data – including cookies – went to Google and Meta before the user made any decision. This is not a configuration error of a single service. It is a repeatable pattern. We are talking about a state that has lasted for years.

A deployment pattern, not an accident at work

On the defense side, one can expect four standard responses: “it was an external contractor’s implementation,” “each unit has its own privacy policy,” “we have a certified CMP,” “these are independent entities with separate administrators,” or even a fifth, more brazen one – “it’s common practice and everyone does it.” The evidence repository at dowody.dadalo.pl/en/lodz-rodo-2025/ allows each of these lines of defense to be deconstructed.

First – different hosting, same payload. Municipal domains are maintained in at least three separate infrastructure environments. The core of the administration (uml.lodz.pl, BIPs, mpu.lodz.pl, mosir.lodz.pl) sits in the LODMAN network – the Łódź municipal metropolitan network. The commercial stack (lodz.pl, orientarium.lodz.pl, Library advertising panel) is on German Hetzner hosting. atlasarena.pl (MAKiS sp. z o.o. company, 100% city-owned) runs on IONOS. Three different environments, three different infrastructure decisions, probably three different implementation teams – and the same gcd=13l3l3l2l1l1 payload produced before consent. This rules out the thesis of an accidental configuration error by one contractor.

Second – recurring identifiers on domains of different administrators. The Universal Analytics container UA-25825547-40 activates on six domains formally belonging to at least five different data administrators: the City Library, the City of Łódź Office, the City Urban Planning Studio (MPU), the Municipal Housing Management (ZLM), and the Municipal Sports and Recreation Center (MOSiR). The GA4 property G-30F084ZHSL is shared between the commercial portal lodz.pl (City Library) and the official website of the City Office uml.lodz.pl. Google Ads identifiers AW-10940984035 and AW-665139254 appear simultaneously on uml.lodz.pl, lodz.pl, and orientarium.lodz.pl. This is effectively cross-domain tracking undisclosed in any privacy policy, in any joint administration document within the meaning of Article 26 of the GDPR.

| Domain (administrator) | Hosting | Recurring identifiers |
|---|---|---|
| lodz.pl (City Library) | Hetzner | UA-25825547-40, G-30F084ZHSL, AW-665139254, AW-557285855, AW-11108391222 |
| uml.lodz.pl (UMŁ) | LODMAN | UA-25825547-40, G-30F084ZHSL, AW-790142032, AW-10940984035 |
| bip.uml.lodz.pl (UMŁ) | LODMAN | UA-25825547-40 |
| mpu.lodz.pl (MPU) | LODMAN | UA-25825547-40, G-W8F2064SGL |
| bip.zlm.lodz.pl (ZLM) | LODMAN | UA-25825547-40 |
| mosir.lodz.pl (MOSiR) | LODMAN | UA-25825547-40, GTM-K44FPW9 |
| orientarium.lodz.pl (ZOO) | Hetzner | AW-10940984035, AW-665139254, GTM-NVTJSXK |
| aquapark.lodz.pl | LODMAN | UA-25825547-40 |
| lodz.travel (ŁOT) | Hetzner | UA-25825547-40 |
| kartalodzianina.pl (ŁOT) | Hetzner | own CMP, gcd=13p3p3p2p5l1 |
| atlasarena.pl (MAKiS sp. z o.o.) | IONOS | G-RJ3LFRYX2R |
| ads.biblioteka.lodz.pl (Library, Revive Adserver panel) | Hetzner | commercial infrastructure; no tracking in sterile session |

A full list of 28 domains with violations and 11 clean domains – along with raw logs, payloads, and policy snapshots – is in the repository dowody.dadalo.pl/en/lodz-rodo-2025/.

Third – data recipients are almost identical on every domain with a violation. The list of external entities receiving data in a sterile session repeats with a monotony that is itself evidence: connect.facebook.net, googleads.g.doubleclick.net, region1.analytics.google.com, stats.g.doubleclick.net, www.google-analytics.com, and in some cases www.facebook.com and www.googleadservices.com. Meta receives a signal from the Public Information Bulletin of the City of Łódź Office. From the website of the City Urban Planning Studio. From the BIP of Municipal Housing Management. The IP address plus the page URL plus the moment of the visit go to Meta Platforms before the resident manages to click anything. Anyone who has implemented Google Tag wrapping scripts like META knows that they can be set to activate only at the moment of the CONSENT signal (i.e., clicking YES).

Fourth – CMPs (cookie banners) are decorative in this architecture. To the best of my knowledge, some domains have implemented consent management mechanisms – from their own banners to commercial provider solutions. Others – bip.uml.lodz.pl, mpu.lodz.pl, bip.zlm.lodz.pl, mosir.lodz.pl – have no advanced CMP, only simple banners like “I click OK.” And all produce the same payload gcd=13l3l3l2l1l1 before any user interaction. Specific implementations per domain are documented in the evidence repository – anyone can check what consent mechanism is visible in the page code and what signal actually goes to Google. This means that the presence of a CMP has no functional significance in this deployment. The granted signal goes regardless of whether a consent mechanism exists or not.

Four lines of defense closed by the same evidence. Hostings differ – payload is similar. Administrators differ – containers are shared. Privacy policies differ – data recipients are the same. CMPs differ – granted goes out the same way. This is not the error of one contractor. This is a replicated configuration model that requires establishing who designed it, who accepted it technically, and who benefited from it for years. I demand an inventory and verification, and in the case of law violations, consequences. The scale is huge.

Cross-border nature and its implications

The case is cross-border within the meaning of the GDPR. In terms of residents of Łódź, UODO remains the leading supervisory authority. However, the documented processing of citizens of other EU countries visiting tourist services (orientarium.lodz.pl, aquapark.lodz.pl, lodz.travel) – taking place exactly according to the same pattern, with the same consent parameters hard-coded before the click – opens a path for cooperation between national data protection authorities in the EU.

The evidence repository is available in multilingual versions not for PR reasons, but because the case should also be evaluated outside the Polish supervisory order. I am also acting in this direction, which I will inform about publicly at the appropriate time.

How to verify this yourself

I don’t want anyone to take my word for it. It’s enough to:

  • use a clean browser session in incognito mode,
  • open the “Network” tab in the developer tools,
  • enter any of the municipal domains without clicking on the banner,
  • observe what requests go out to google-analytics.com, googletagmanager.com, googleads.g.doubleclick.net and with what gcd parameter values.

You can also use the official Google tool: tagassistant.google.com. The signals in the logs are the same regardless of who records them.

I conducted the audit in March, and full evidence data in the form of HAR files, cookie timelines, request payloads, and session traces are publicly available at dowody.dadalo.pl/en/lodz-rodo-2025/. I encourage verification.
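The manual check above can also be run over an exported HAR file, and the per-site results compared to find identifiers that recur across domains. The Python sketch below is an added example, not the author's audit tooling: the sample HAR entries, the city.example domains, the request paths and the identifiers are constructed, and only the third-party host names and the parameter names (gcd, tid, cid, dl) come from the article. It assumes each HAR was recorded in a clean session with no interaction with the consent banner.

```python
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Third-party hosts named in the article; matched as exact host or subdomain only.
TRACKING_HOSTS = ("google-analytics.com", "analytics.google.com", "googletagmanager.com",
                  "doubleclick.net", "googleadservices.com", "facebook.net", "facebook.com")
# Request parameters the article reads from Tag Assistant.
PARAMS = ("gcd", "tid", "cid", "dl")


def is_tracking_host(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in TRACKING_HOSTS)


def _ts(entry):
    # HAR startedDateTime is ISO 8601; normalise a trailing "Z" for fromisoformat.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def pre_consent_hits(har):
    """List third-party tracking requests in a HAR recorded without banner interaction."""
    entries = sorted(har["log"]["entries"], key=_ts)
    if not entries:
        return []
    start = _ts(entries[0])
    hits = []
    for e in entries:
        req = e["request"]
        url = urlsplit(req["url"])
        if not is_tracking_host(url.hostname or ""):
            continue
        params = parse_qs(url.query)
        # Some hits carry their parameters in a URL-encoded POST body instead.
        body = (req.get("postData") or {}).get("text") or ""
        for key, values in parse_qs(body).items():
            params.setdefault(key, values)
        headers = e.get("response", {}).get("headers", [])
        hit = {
            "host": url.hostname,
            "offset_ms": round((_ts(e) - start).total_seconds() * 1000),
            "sets_cookie": any(h["name"].lower() == "set-cookie" for h in headers),
        }
        hit.update({p: params.get(p, [None])[0] for p in PARAMS})
        hits.append(hit)
    return hits


def shared_identifiers(reports):
    """Map each tid seen on more than one audited site to the sites it appeared on."""
    seen = defaultdict(set)
    for site, hits in reports.items():
        for h in hits:
            if h["tid"]:
                seen[h["tid"]].add(site)
    return {tid: sorted(sites) for tid, sites in seen.items() if len(sites) > 1}


def _entry(time, method, url, body=None, cookie=False):
    # Helper for building the constructed sample data below.
    req = {"method": method, "url": url}
    if body is not None:
        req["postData"] = {"mimeType": "application/x-www-form-urlencoded", "text": body}
    headers = [{"name": "Set-Cookie", "value": "constructed=1"}] if cookie else []
    return {"startedDateTime": "2026-03-06T10:00:" + time + "Z",
            "request": req, "response": {"headers": headers}}


# Constructed sample sessions (not data from the evidence repository).
GCD = "13l3l3l2l1l1"  # the value quoted in the article
SAMPLE_A = {"log": {"entries": [
    _entry("00.000", "GET", "https://city.example/"),
    _entry("00.400", "POST", "https://www.google-analytics.com/g/collect"
           "?tid=G-EXAMPLE001&gcd=" + GCD + "&cid=111.222&dl=https%3A%2F%2Fcity.example%2F"),
    _entry("00.650", "GET", "https://googleads.g.doubleclick.net/constructed-path"
           "?tid=AW-0000000000&gcd=" + GCD, cookie=True),
    # Lookalike host: must not match the google-analytics.com suffix rule.
    _entry("00.700", "GET", "https://google-analytics.com.cdn.example/x.js"),
]}}
SAMPLE_B = {"log": {"entries": [
    _entry("05.000", "GET", "https://bip.city.example/"),
    _entry("05.300", "POST", "https://region1.analytics.google.com/g/collect",
           body="tid=G-EXAMPLE001&cid=333.444&gcd=" + GCD),
]}}

if __name__ == "__main__":
    reports = {"city.example": pre_consent_hits(SAMPLE_A),
               "bip.city.example": pre_consent_hits(SAMPLE_B)}
    print(json.dumps(reports, indent=2))
    print("Identifiers shared across sites:", shared_identifiers(reports))
```

To use it on a real capture, replace the constructed samples with `json.load()` of the HAR exported from the browser's Network tab.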

Silence before the true storm?

In times when we talk about digital sovereignty, I now expect from state authorities not general declarations, but specific actions to protect citizens: securing the version history of GTM containers, Consent Mode configurations, Microsoft Clarity activity logs, Revive Adserver configurations, and implementation and acceptance documentation for the tested services. I expect that instead of a substantive answer to questions about data security standards, a narrative about “looking for problems where there are none” or attacking the city’s successes will appear. I hope this line of defense won’t work this time – because there are verifiable facts on the table, not subjective assessments.

I will continue to deconstruct the technical material in separate texts – also for cybersecurity specialists. Because when the consent signal is manipulated – if not to say more strongly, falsified, in the sense that the value of the technical parameter diverges from the actual user decision – as a consequence, the data goes into the ad auction ecosystem. The victims are then not only the residents but also participants in the advertising market who buy falsified resources. This is a topic for a separate text that will appear shortly.


Supplement: Nine charges from the report to UODO

The original notice of November 6, 2025, contains nine systemic charges. It operates on three layers of evidence that complement each other: analysis of privacy policies and information clauses, analysis of program regulations, mapping of infrastructure, and a technical audit of network traffic. Some charges arise mainly from document analysis (citizen card regulations, privacy policies, joint administration structure), some from the technical audit (Consent Mode mechanism, GTM containers, request payloads), and some from a combination of both layers. The audit from March 2026, the evidence of which is an attachment to the supplementary notice of March 10, 2026, is a completion – it does not replace the regulatory analysis but adds a hard measurement layer to it. Full justifications, legal bases, and evidence are in the content of the notice and in supplementary letters. Below is a summary.

1. Hidden joint administration of lodz.pl portal users’ data. Officially, the administrator is the City Library. Analysis of infrastructure, commercial offers, and data flow provides grounds for considering that the purposes and means of processing are actually determined jointly with the Łódź Tourist Organization and the Łódź Media Group brand, the City of Łódź Office, and Google Poland. No formal joint administration agreements have been publicly disclosed. In practice, a citizen wishing to exercise GDPR rights does not know which entity to address the request to.

2. Use of a session recording tool without consent (2025 charge, 2026 status requires explanation). In the period preceding the first publication (May 2025), the lodz.pl portal used Microsoft Clarity in two instances, including the Session Replays function recording mouse movements, clicks, and the course of the user session, without an effective prior consent mechanism. After public disclosure of the case, it is suggested that it was only a test implementation – the question is why was it in the services for over a year? Why was the tool used in two instances simultaneously, for what purposes, on what subdomains, and whether the recordings collected during the period of activity were deleted in accordance with Article 17 of the GDPR. The scale concerns approximately 1 million users per month. This type of tool allows narrowing analysis to selected areas of the service. It would be worthwhile to reveal the reasons for the implementation and why, despite the alleged non-use, the code was not deleted according to the law.

3. Commercialization of a public portal. A portal funded by public funds is monetized by Google AdSense and the City Library’s own ad server (ads.biblioteka.lodz.pl, Revive Adserver). Selling advertising space does not fit into the catalog of public tasks of the library, and the portal does not obtain effective user consent. Data collected for the purpose of informing residents is used to target commercial ads – Łódź Media Group openly offers such services on the media.lodz.pl website.

4. Mass user tracking. The audit revealed the presence of at least seven tracking systems: two instances of Microsoft Clarity, Google Analytics, Google Tag Manager, Google AdSense, Facebook Pixel, and the Library’s own ad server. On the mpu.lodz.pl subpage, Google Ads conversion tags, the Google Signals mechanism (cross-device remarketing), and marketing consent parameters are additionally active. Such an extensive infrastructure goes beyond standard analytics of an information portal.

5. Violation of the information obligation. The portal’s privacy policy does not indicate the full list of data recipients, does not provide retention periods for individual systems, and does not explain the legal basis for commercial processing. There is also a fundamental contradiction: official IOD (Data Protection Officer) information clauses on the BIP declare that “data will not be processed in an automated way, including in the form of profiling,” while technical analysis confirms the activation of Google Signals, remarketing tags, and marketing consent parameters.

6. Probable cross-domain tracking and profiling. The configuration of tracking tools on the lodz.pl, mpu.lodz.pl, kartalodzianina.pl portals and other municipal subdomains creates conditions for tracking the same user across domains. This opens the way for correlating behavioral data with demographic data from the Łódź Citizen Card. No privacy policy has disclosed the cross-domain tracking mechanism nor obtained separate consent for combining data between portals.

7. Lack of Data Protection Impact Assessment (DPIA). The nature of processing on the lodz.pl portal meets at least three criteria obliging the administrator to conduct a DPIA: systematic evaluation of users’ personal aspects, processing on a large scale (1 million users per month), and systematic monitoring of a publicly accessible area. According to UODO and EDPB guidelines, meeting two out of nine criteria obliges a DPIA. The lack of such analysis constitutes gross negligence.

8. Data exploitation in the Łódź Citizen Card program. The program conducted by the Łódź Tourist Organization covers over 350,000 active participants. Regulations (§IX point 9) explicitly provide for automated profiling based on age, interests, and how the offer is used. Łódź Media Group openly offers ad targeting using data from the Card. To verify eligibility, the program collects documents revealing a broad picture of the resident’s financial, professional, and health situation – including information on the health status of participants and persons under their care.

9. Outdated code as a mechanism for injecting commercial tags. In the code of the lodz.pl portal and the mpu.lodz.pl service, the Google Universal Analytics identifier (UA-25825547-40) is still active, despite the tool being retired by Google in 2023. Decompilation of GTM containers showed that this is not a dead artifact: the UA container functions as a zone container, whose configuration instructs GTM to load the GA4 container from the lodz.pl portal along with active Google Ads tags, the Google Signals function, and conversion rules for commercial campaigns. As a result, a user visiting a public administration page is included in the commercial remarketing infrastructure of the lodz.pl portal.
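
A check of the kind charges 4 and 9 describe, as an added example that is not the author's audit tooling: it walks a captured request log and reports every request to the listed tracking vendors made before the visitor first touched the banner, separating those that already carry a granted consent signal. The capture format, the `gcs` decoding (`G1` followed by the ad_storage and analytics_storage flags), the host suffixes and all sample URLs are assumptions or constructed values, not data from the audit.

```javascript
// Added example: flag third-party tag requests that precede any banner interaction.
// Host suffixes for tracking systems named in charge 4 (assumed, not from the audit).
const TRACKERS = [
  ['googletagmanager.com', 'Google Tag Manager'],
  ['google-analytics.com', 'Google Analytics'],
  ['doubleclick.net', 'Google Ads'],
  ['googlesyndication.com', 'Google AdSense'],
  ['clarity.ms', 'Microsoft Clarity'],
  ['facebook.net', 'Facebook Pixel'],
];

// Match on the exact host or a true subdomain, never on a bare string suffix.
function vendorFor(hostname) {
  const hit = TRACKERS.find(([s]) => hostname === s || hostname.endsWith('.' + s));
  return hit ? hit[1] : null;
}

// Assumption: gcs is "G1" + ad_storage flag + analytics_storage flag (1 = granted).
function decodeGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || '');
  return m ? { ad_storage: m[1] === '1', analytics_storage: m[2] === '1' } : null;
}

// entries: [{ t: ms since navigation start, url }]. firstInteractionMs is null when
// the visitor never touched the banner, so every request counts as pre-interaction.
function auditPreConsent(entries, firstInteractionMs) {
  const findings = [];
  for (const { t, url } of entries) {
    if (firstInteractionMs !== null && t >= firstInteractionMs) continue;
    const u = new URL(url);
    const vendor = vendorFor(u.hostname);
    if (!vendor) continue; // first-party or unlisted host
    const gcs = u.searchParams.get('gcs');
    const consent = decodeGcs(gcs);
    const granted = Boolean(consent && (consent.ad_storage || consent.analytics_storage));
    findings.push({ t, vendor, gcs, kind: granted ? 'consent-granted-signal' : 'request' });
  }
  return findings;
}

// Constructed sample capture (placeholder IDs and first-party host, not audit data).
const SAMPLE = [
  { t: 120, url: 'https://portal.example/' },
  { t: 310, url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX' },
  { t: 480, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX&gcs=G111' },
  { t: 650, url: 'https://www.clarity.ms/tag/xxxxxxxxxx' },
  { t: 5100, url: 'https://googleads.g.doubleclick.net/pagead/viewthroughconversion/0/?gcs=G111' },
];

console.log(auditPreConsent(SAMPLE, 4200)); // banner first clicked at 4200 ms
```

A `request` finding only records that a vendor was contacted before interaction; a `consent-granted-signal` finding is the case where the request itself declares consent the visitor has not yet given.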


The case remains open, and sugarcoating it will change nothing. Proceedings before UODO and UKE are ongoing. The evidence in the dowody.dadalo.pl repository is being supplemented on an ongoing basis.

If you work in the cybersecurity industry, are interested in AI and privacy, have a confirmed portfolio or recommendations from people in the industry, and would like to help analyze the Android application, debug data flows, and carry out further analysis of the system – I encourage you to cooperate. We can act in a decentralized way.

Questions for Google

I addressed a set of detailed press questions to Google – about the enforcement of the EU User Consent Policy, about the operation of Google Consent Mode v2, about the platform’s responsibility for machine-generated consent signals before user interaction with the banner, and about the status of deployments where the old Universal Analytics identifier serves to inject tags on public administration services.

I am waiting for a response. I will publish the full text of the questions and any response in a separate article once there is a basis for that conversation.

We would appreciate Google’s response to the following questions:

1. Publisher audits under the EU User Consent Policy:

What is Google’s standard procedure for auditing high-traffic publishers or groups of domains operating on shared infrastructure in the EEA? In particular, what typically triggers such audits, and how quickly are remedial measures applied once a potentially non-compliant pattern is detected?

2. Consent signals in Google Ads systems:

When Google receives a consent signal indicating granted consent for ads or analytics, does Google validate that signal against any independent indicator of actual user interaction, or is the publisher’s declaration treated as authoritative for auction and ad-tech processing purposes?

3. Advanced Consent Mode v2 and certified CMPs:

Under a compliant implementation of Advanced Consent Mode v2, is it permissible for Google tags to transmit data to Google endpoints before the user has interacted with the CMP banner? If not, what observable characteristics distinguish a compliant implementation from a non-compliant one?

4. Certified CMPs and actual enforcement:

Does Google assess only the presence of a certified CMP, or also its actual operational effect in preventing premature consent signals before user interaction?

5. Legacy UA identifiers in GTM zone configurations:

Is the continued use of legacy Universal Analytics identifiers in GTM zone or container logic consistent with Google’s current policies where such configurations still govern the loading of GA4 or Google Ads-related tags?

I offer the entities mentioned in this text – the City of Łódź Office, the City Library, persons holding decision-making functions in the described ecosystem, as well as companies – the opportunity to present their position. Every substantive response that addresses the documented charges will be published on the website.