The news: A new working paper suggests that websites are making less money because of the General Data Protection Rule (GDPR). It’s the first study of how the European privacy law affects the revenue of online businesses.

GDPR went into effect in May 2018. The authors analyzed data from web marketing service Adobe Analytics and compared the numbers before and after GDPR in 2018 with numbers from same dates in 2017. The data covered 1,500 online firms (including 128 of the top 1,000 global sites) and included both content sites that make money through page views and e-commerce sites that make money through purchases. The data showed that recorded page views and revenue fell by about 10% for EU users. That’s about $8,000 less revenue per week for the median site.

How could GDPR have caused this?: GDPR makes it harder for companies to collect customer data. In particular, customers now need to give permission to be tracked. The researchers speculate that this could hurt revenue in two ways. It might make people change their web habits: maybe constant pop-ups asking for permission to share data makes people worry about privacy and stop buying online. It could also reduce the amount of analytics data that businesses use to make decisions.

The big caveat: That 10% revenue drop looks dramatic, but the actual number is probably lower. The Adobe Analytics data the researchers relied on is subject to GDPR too, meaning that just as fewer people are sharing data with other websites since May 2018, fewer are sharing data with Adobe Analytics. In other words, there might be a group of people who are browsing and buying just as much as before, but aren’t showing up in the Adobe data set. If so, they would offset some of that 10% revenue drop—probably not all of it, but the picture is incomplete. We don’t know how big the exact revenue effect is.

Why it matters: A lot of the attention to the effects of GDPR has been around a handful of big companies that got penalized for breaking the rule. A French data protection group fined Google $57 million under GDPR back in January. Earlier this month, a UK data watchdog fined British Airways a record $230 million because of its data breach last year. But it’s also important to look at other effects. This new paper gives us a glimpse into the fates of web businesses more broadly, while another working paper suggests that the legislation has led to less venture capital investment in technology firms.