The General Data Protection Regulation (GDPR), which primarily aims to protect personal data within the EU, has been in effect for a little over four months now. But what has changed since 25th of May? What impact did the GDPR have on the tracker landscape and the online advertising market in Europe? A study by Cliqz and Ghostery answers these questions. Using data from WhoTracks.me, it compares the prevalence of trackers one month before and one month after the introduction of the GDPR. WhoTracks.me is a joint initiative of Cliqz and Ghostery. It provides structured information on tracking technologies, market structure and data-sharing on the web and thus creates more transparency. On the WhoTracks.me website, interested parties will find visualized monthly tracker statistics. They are based on the evaluation of around 300 million-page loads and more than half a million websites.

Smaller Advertisers Lose – Google Wins

Most trackers collect data for advertising purposes. They want to know as much as possible about a user in order to display personalized ads. The more targeted ads are to the user’s interests, the more successful they are, and the more money they generate. The global online advertising market has an estimated volume of $270 billion in 2018 and is expected to grow by over 20% in the next two years. Before the introduction of the GDPR, the advertising industry was correspondingly concerned about the possible impact the GDPR would have on the advertising market and competition. A comparison of tracker prevalence of April against July reveals a clear picture: Especially smaller advertising trackers have significantly lost reach (which can be used as a proxy for market share). They lost between 18% and 31%. Facebook suffered a decline of just under 7%. In contrast, market leader Google was even able to slightly increase its reach (plus 1%).

There are several possible explanations for this: Google and other big ad-tech companies have had significant resources dedicated to compliance.

Reports indicate that Google may have used its dominant position to encourage publishers to reduce the number of trackers on their sites and thus the number of ad-tech vendors.

Not to risk penalties, website owners prefer to play it safe and drop smaller advertisers that may have a harder time proving compliance. One thing is certain: Google benefits indirectly from the effects of the GDPR, which led the online advertising market in Europe to become more concentrated, as the majority of advertisers lose market share. Google seems to have successfully taken advantage of the uncertainty around GDPR to further solidify its leading market position. On the other hand, many smaller competitors have been steadily losing market share since the GDPR came into effect.

Less Trackers per Site

A similar trend can be seen when looking at the entire tracker landscape in the EU: The average number of trackers per page has dropped by almost 4% from April to July. The opposite is true in the US: there, the average number of trackers per page has increased by 8 percent over the same period.

The effects of the GDPR on the tracker landscape in Europe can be observed across all website categories. The reduction seems more prevalent among categories of sites with a lot of trackers. Most trackers per page are still located on news websites: On average, they embed 12.4 trackers. Compared to April, however, this represents a decline of 7.5%. On e-commerce sites, the average number of trackers decreased by 6.9% to 9.5 per page. For recreation websites, the decrease is 6.7%, which corresponds to 10.7 trackers per page. A similar trend is observed for almost all other website categories. The only exception are banking sites, on which 7.4% more trackers were active in July than in April. However, the average number of trackers per page is only 2.6.

For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data. This is not least due to the fact that many consent management tools use manipulative UX design (so-called dark patterns) to nudge users towards particular choices and actions that may be against their own interests. They trick the users into clicking away these pesky privacy consent notices and thus “consent” to any kind of data collection.

What the ePrivacy Regulation Must Do Better

Such manipulation attempts could be prevented by future regulations enforcing machine-readable standards. The next opportunity for that would be the ePrivacy regulation, which will complement the GDPR. It would be desirable, for example, if ePrivacy required that the privacy policies of websites, information on the type and scope of data collection by third parties, details of the Data Protection Officer and reports on data incidents must be machine-readable. This would increase transparency and create a market for privacy and compliance where industry players keep each other in check. In the end, users should never only rely on laws and regulations such as the GDPR to protect their privacy. Instead, they should be aware of who they are providing which data to. Technical solutions in the form of anti-tracking tools such as Ghostery or Cliqz can help. They prevent personal data from being transferred to third parties, regardless of cookie settings.