
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy (1808.05096v4)

Published 15 Aug 2018 in cs.CY

Abstract: The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

Citations (241)

Summary

  • The paper empirically investigates the impact of the GDPR on privacy policies and cookie consent notices across popular EU websites, using data collected before and after the regulation's enactment.
  • The study found increased adoption of privacy policies (from 79.6% to 84.5%) and cookie consent notices (16% increase to 62.1%) post-GDPR, but highlighted significant technical disparities in implementing granular user control.
  • Findings indicate that while GDPR fostered greater transparency, it did not fully harmonize privacy standards across EU countries, pointing to persistent variances in implementation and technical challenges limiting comprehensive user empowerment.

Analysis of GDPR's Impact on Web Privacy

The research paper titled "We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy" offers a thorough empirical investigation into the impact of the General Data Protection Regulation (GDPR) on web privacy across the European Union (EU). The paper uses the GDPR's enactment date of May 25, 2018, as a reference point to analyze the shift in privacy policies and cookie consent notices on the 500 most popular websites from each of the 28 EU member states.

The investigation demonstrates significant changes in privacy policies and cookie consent notices, reflecting the regulatory requirements imposed by the GDPR. Notably, the paper highlights that before the GDPR came into effect, 79.6% of the analyzed websites had privacy policies, increasing to 84.5% by the enforcement date. The variability across regions was notable, with Latvia experiencing a 15.7% increase in privacy policy adoption compared to the more modest increases in countries like Germany.

Cookie consent notices saw a more pronounced transformation, with 62.1% of websites incorporating these notifications post-GDPR, marking a 16% increase from earlier in the year. This is a positive change, as more websites now display notices that inform users of their data tracking practices. However, the implementations of these notices differed widely at the technical level. Many websites used third-party libraries to manage cookie consent, but functionality varied significantly, particularly in providing granular user control, which is integral to complying with the GDPR's stipulation of "informed consent."

The analysis shows the limitations imposed by core web security mechanisms, such as the same-origin policy, which complicate the effective opt-out of third-party cookies. This technical challenge points to a systemic gap: comprehensive and user-friendly consent mechanisms remain out of reach even for sites that adhere to the regulation.
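The following added example (not code from the paper) models why a consent script on a first-party page cannot by itself opt a user out of third-party cookies. The `CookieJar` class, the `rejectAll` function and the hostnames `news.example` and `tracker.example` are hypothetical, and the jar is a constructed simplification in which each cookie is scoped to the host that set it.

```javascript
// Constructed model of a browser cookie jar; not browser or paper code.
// Simplification: every cookie is scoped to the host that set it.
class CookieJar {
  constructor() {
    this.cookies = [];
  }
  // A response from `host` sets a cookie (Set-Cookie header).
  set(host, name, value) {
    this.cookies.push({ domain: host, name, value });
  }
  // What document.cookie exposes to script on a page served by `pageHost`.
  visibleTo(pageHost) {
    return this.cookies.filter((c) => c.domain === pageHost);
  }
  // Script on `pageHost` expires a cookie; only its own host's cookies match.
  expire(pageHost, name) {
    const before = this.cookies.length;
    this.cookies = this.cookies.filter(
      (c) => !(c.domain === pageHost && c.name === name)
    );
    return before - this.cookies.length;
  }
  // Cookie names the browser attaches to a request for `requestHost`.
  sentTo(requestHost) {
    return this.cookies.filter((c) => c.domain === requestHost).map((c) => c.name);
  }
}

// Hypothetical consent library on the first-party page handling "reject all".
// It can only enumerate and expire what document.cookie shows it.
function rejectAll(jar, pageHost) {
  let removed = 0;
  for (const c of jar.visibleTo(pageHost)) removed += jar.expire(pageHost, c.name);
  return removed;
}

function demo() {
  const jar = new CookieJar();
  jar.set("news.example", "session", "abc");     // first party
  jar.set("news.example", "_analytics", "u1");   // first party
  jar.set("tracker.example", "uid", "t-42");     // set by an embedded third party
  const removed = rejectAll(jar, "news.example");
  return {
    removed,
    firstPartyLeft: jar.visibleTo("news.example").length,
    stillSentToTracker: jar.sentTo("tracker.example"),
  };
}

console.log(demo());
```

After "reject all", both first-party cookies are gone, but the tracker's `uid` cookie is still attached to requests for `tracker.example`; removing it requires the third party to cooperate.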

The implications of these findings suggest that while GDPR has succeeded in fostering greater transparency in websites' data handling practices, it has not fully harmonized privacy standards across EU countries. There remains a persistent variance not only in the implementation of cookie consents but also in the usage of GDPR-compliant language within privacy policies.

Furthermore, the paper identifies the most widespread libraries used for cookie consent implementation and outlines their respective strengths and deficiencies. The analysis concludes that the adoption of privacy policies and practices has increased, but substantial work remains to bridge the gap between compliance and practical, meaningful user empowerment.

Future research could examine the effect of privacy policy length and complexity on user comprehension and the extent to which GDPR-aligned practices translate into user trust and privacy. There is also potential for developing technical solutions that manage user consent in a more seamless and transparent manner without overly burdening users.

In summary, while there is a positive trend in privacy policy adoption and consent notification frameworks post-GDPR, the paper highlights critical gaps and opportunities for further research and regulatory development. The GDPR serves as a critical regulatory framework that influences not just European, but global web privacy practices, pointing towards an essential evolution in the dialogue between regulatory bodies, companies, and web users.