High-interest credit card ads are being targeted at people seeking benefits advice on UK local council websites.
A BBC investigation found more than 950 advertising cookies - small text files that track people on the internet - embedded in council benefits pages.
The regulator said it would assess the findings, which showed the majority of councils do not use the correct form of consent under privacy laws.
The advertising industry denied using data from vulnerable residents.
The BBC Shared Data Unit used the open source software webXray to take a snapshot over two days last October of more than 400 council benefits pages.
- More than half of UK councils had third-party advertising cookies on their benefits pages - a total of 950 cookies
- More than two-thirds of councils did not appear to ask for the correct form of consent under privacy laws
- Examples of targeted adverts on benefits pages seen by the BBC included high-interest credit cards, Black Friday deals, sports cars with features for disabled people and private funeral care plans
The Information Commissioner's Office (ICO), an independent body set up to uphold information rights, said the setting of non-essential cookies without consent would be illegal.
ICO executive director for technology policy and innovation Simon McDougall said: "This investigation by the BBC further highlights our concerns about the lack of transparency and consent when adtech is used.
"While the ICO is keen to promote innovative uses of technology, that cannot be at the expense of people's fundamental legal rights. We will be assessing the information provided by the BBC."
Privacy International (PI), the UK non-profit privacy advocacy group, is concerned about the impact that targeted advertising has had on the internet as a whole.
"It's just a wild west," said technologist Eliot Bendineli.
"There are thousands of things happening every second when you load a page, and you literally have no control.
"Tracking people through benefits pages is sadly typical. It's always the people that are already vulnerable who are going to suffer the most."
What are cookies?
Cookies are small text files that track people across the internet and collect data on them.
Many cookies are essential and used to improve the browsing experience. They are used for audience measurement, hosting and website design.
Third-party advertising cookies help companies deliver ads that are relevant to your browsing habits.
I’ve been a web developer since the late 1990s and a privacy researcher for the past seven years. This may be the most unexpected place I’ve seen an ad online
What is the law?
The General Data Protection Regulation (GDPR) came into force in 2018, ushering in stricter rules around handling and sharing data that could identify people.
In practice, this means any company which handles, stores or shares data must ensure the rights of the individual are upheld, or face a hefty fine.
Sitting alongside GDPR are the Privacy and Electronic Communications Regulations, which demand full active consent from users before tracking cookies are embedded on browsers.
"I've been a web developer since the late 1990s and a privacy researcher for the past seven years and this may be the most unexpected place I've seen an ad online," said Prof Tim Libert, a computer scientist at Carnegie Mellon University and creator of the webXray tool used in this investigation.
"In my view targeting residents through benefits pages is utterly reprehensible, as the most protection should be extended to those most in need."
Disability charity Scope added: "These targeted trackers are cause for concern.
"Being served an advert for a credit card or low-cost loan while applying for state financial support could lead to debt and financial insecurity.
"Everyone needs to do all they can to make sure disabled people are not unfairly targeted when trying to seek out support."
The ICO has already taken a strong line on investigating the adtech industry, with a report released in June noting "general, systemic concerns".
The data protection watchdog can issue enforcement notices and fines if they detect a breach of data privacy laws.
Facing financial pressures, some UK councils have turned to online advertising as a source of extra revenue.
For example, the BBC previously reported one Welsh council earned just under £15,000 in revenue from online advertising in 2016-17.
The Council Advertising Network (CAN) helps around 50 councils generate income through online advertising. It also uses advertising technology to deliver messages about services to residents.
Managing director Lloyd Clark said: "We automatically block all categories of advertising that could be used to target vulnerable groups.
"The councils have control of these categories."
Sadly, I think it's possible they [the councils] might be unaware. The internet is difficult, and websites are hard to maintain. It's a full time job.
Defending the industry, Mr Clark said it existed to serve relevant adverts to the public.
"People don't like irrelevant adverts. But it's certainly possible for bad actors to behave like bad actors.
"Given the tech furniture present right now we're in a position where you need to really trust people because the system won't work without it. It creates a real challenge."
A spokesman for Sheffield Council, which had 25 third party advertising cookies on its benefits pages, said: "Whilst we are reviewing our use of advertising, currently this is an important revenue stream which is used to help fund improvements to our site for citizens.
"The advertising is carefully controlled and many categories are not allowed where we deem this to be potentially harmful, particularly to our most vulnerable users."
Privacy International's Mr Bendineli said: "Sadly, I think it's possible they [the councils] might be unaware. You can easily imagine that they don't have the budget to set up a proper website, or someone who sets it up doesn't explain how things are working.
"The internet is difficult, and websites are hard to maintain. It's a full time job and even at Privacy International where we focus on that type of stuff we spend a lot of time maintaining everything we have online. We spend a lot of time making sure it's secure."
In Northern Ireland, the LGA said each council was responsible for the management of its own website, but "welcomed" the BBC's findings "to support the ongoing management of council websites".
The Welsh Local Government Association did not respond to requests for comment from the BBC.
Just under half of advertising cookies found came from Google's advertising arm, DoubleClick.
Google told the BBC it did not build advertising profiles from "sensitive interest categories".
It said: "We have strict policies preventing advertisers from using such data to target ads."
Google has also said that it would phase out third-party cookies within the next two years on websites accessed via its Chrome browser, in response to calls for greater privacy controls.
Prof Libert added: "First and foremost, it is important to note that there is no way for a tracker to force their code onto a site short of hacking it - the site itself must place the code there.
"So the biggest party of responsibility is the website owner without question."
More about this story
The Shared Data Unit makes data journalism available to news organisations across the media industry, as part of a partnership between the BBC and the News Media Association. This piece of content was produced by a local newspaper journalist working alongside BBC staff.
Additional reporting team: Alex Homer, Anna Khoo, Paul Lynch, Pete Sherlock