How the General Data Protection Regulation has affected the web

Most notably, the number of cookie notices has skyrocketed. However, they often do not meet the legal requirements.

The European General Data Protection Regulation (GDPR) has been in effect since 25 May 2018 and has affected the World Wide Web to a considerable degree. In collaboration with the University of Michigan, USA, a team at the Horst Görtz Institute for IT Security and the Institute for Applied Work Science at Ruhr-Universität Bochum analysed how the necessary changes have been implemented by enterprises on their websites. The researchers collected the privacy policies and cookie notices on popular websites in all 28 EU member states and analysed which changes were made over time.

The results were published by Dr. Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini and Professor Thorsten Holz from Ruhr-Universität, as well as Professor Florian Schaub from the University of Michigan as an online pre-print.

More than 6,000 websites analysed

Over the course of their study, the research team analysed the privacy policies of the 500 most-frequented websites in each EU member state – 6,357 web pages in total – between January and June 2018. This includes, for example, search engines and online shops, as well as the websites of banks, universities, and governments.

Approximately 74 per cent of the analysed websites did not have their respective privacy policies amended until shortly before 25 May 2018. “The analysis has moreover shown that a certain percentage of webpages in some of the countries did not have a policy of that sort at all; it was only integrated just before the GDPR came into force. Ultimately, approximately 85 per cent of the websites we analysed were able to produce a privacy policy by the deadline,” explains Martin Degeling.

Cookie notices on the rise

One of the most noteworthy results relates to the placement of cookie notices that inform users about the usage of cookies. Cookies are stored in the browser and are used by websites via analytics services to evaluate the browsing habits of visitors. After the GDPR came into force, approximately 62 per cent of the analysed websites provided cookie notices – 16 per cent more than in January 2018. Accordingly, cookie notices have been the crucial element that has been on an increase in connection with the implementation of the GDPR. For the most part, however, the notices do not meet the legal requirements, since they do not offer users the necessary options to deactivate cookies.

Second research phase to follow: focus on the user

“In conclusion, we can say that the GDPR has rendered data processing on the Internet more transparent on the one hand; on the other hand, there are no mechanisms yet in place to make the approval process comprehensible and usable for website visitors,” says Martin Degeling. In a second research phase, the researchers will focus on the end users in the context of the GDPR and will study those users’ attitude towards the new privacy policies and cookie notices.

Original publication

Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Thorsten Holz, Florian Schaub: We value your privacy ... now take some cookies: measuring the GDPR’s impact on web privacy, 2018, pre-print online

Click here for the press release.