May 19, 2022

New Research Article: “We Value Your Privacy … Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy” (Preprint)

The following article (preprint, under submission) was recently shared on arXiv.


We Value Your Privacy … Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy


Martin Degeling
Ruhr-Universität Bochum

Christine Utz
Ruhr-Universität Bochum

Christopher Lentzsch
Ruhr-Universität Bochum

Henry Hosseini
Ruhr-Universität Bochum

Florian Schaub
University of Michigan

Thorsten Holz
Ruhr-Universität Bochum


via arXiv


The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR’s transparency requirements. We monitored this rare event by analyzing the GDPR’s impact on popular websites in all 28 member states of the European Union.

For each country, we periodically examined its 500 most popular websites – 6,579 in total – for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site’s cookie use and user tracking practices.

We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

Direct to Full Text Article

See Also: Changes in Third-Party Content on European News Websites after GDPR (via Reuters Institute for the Study of Journalism)

About Gary Price

Gary Price ( is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at, and is currently a contributing editor at Search Engine Land.