Does GDPR even boost privacy?

Maybe not:

This paper studies the effects of the EU’s General Data Protection Regulation (GDPR) on the ability of firms to collect consumer data, identify consumers over time, accrue revenue via online advertising, and predict their behavior. Utilizing a novel dataset by an intermediary that spans much of the online travel industry, we perform a difference-in-differences analysis that exploits the geographic reach of GDPR. We find a 12.5% drop in the intermediary-observed consumers as a result of GDPR, suggesting that a nonnegligible number of consumers exercised the opt-out right enabled by GDPR. At the same time, the remaining consumers are more persistently trackable. This observed pattern is consistent with the hypothesis that privacy-conscious consumers substitute away from less efficient privacy protection (e.g., cookie deletion) to explicit opt out, a process that would reduce noise on remaining consumers and make them more trackable. Further in keeping with this hypothesis, we observe that the average value of the remaining consumers to advertisers has increased, offsetting most of the losses from consumers that opt-out. Our results highlight the externalities that consumer privacy decisions have both on other consumers and for firms.

That is from a new paper by Guy Aridor, Yeon-Koo Che, William Nelson, and Tobias Salz, emphasis added by me. Via the excellent Kevin Lewis.


GDPR is supposed to be opt-in rather than opt-out. Also, plenty of first party sites have stopped data collection practices they could not justify under GDPR, and the number of third party trackers across the European web has dropped significantly as well.

GDPR enforcement has barely started, and most companies are trying to use dark patterns to fool users, which won’t fly. For example, Quantcast offers a pop up with two buttons, “Accept unspecified everything” or “Click here for rat’s warren of incomprehensible choices, including reject-all”. I would say there is a 90% chance they will be fined, as the French DPA (CNIL) has explicitly called out the practice (opt in and opt out have to be at the same level with the same weight, and you cannot default to opt in) and said they are moving from a “pedagogic phase” to an enforcement phase.

It's opt-in on paper, but it often becomes opt-out in practice.

Now every website makes you click "I agree" before entering, but for most people this has just become noise, and they will click through without reading or considering anything. Only a minority of people will make the active choice to figure out what it's about and possibly not agree. So, it's more like opt-out, really.

The GDPR covers much, much more than the Internet. And it most definitely is opt in for such things as allowing your bank to provide your information to their internal marketing department.

Yeah, I'm aware...I'm based in Europe and do a data-intensive job.

However, without having read the whole paper, it seems like basic online agreement to cookies, etc. is the context here.

Sure, but mainly because data privacy in the U.S. is seen only through the lens of the Internet, even though extensive data collection has been a feature of American society since at least the 1970s.

This is one of those ironies - while many Americans fought against the government collecting data, they were seemingly unaware of (or profiting from) the gigantic edifice being constructed around them.

Like dan1111 I work in data, and agree with him 100%.

So those that chose to opt out were not tracked and their privacy was respected. Those who did not opt out became even more trackable and as a result became more valuable in the eyes of ad buyers. Sounds like a win win to me. Not sure how Tyler concluded with a "maybe not" since hidden preferences due to lack of choice became real preferences with real choices. This is an all-around win for privacy, consumer choice, and the ad industry.

More analysis is needed to conclude that it's an all-around win.

One would have to consider compliance costs and good things that are stopped (e.g. it makes some types of research harder or impossible; now some sites outside Europe are simply blocked to European users; etc.) against benefits.

Did not read the linked paper, maybe they address this, but might not some of the drop in users be due to many sites opting to geoblock the EU rather than comply? Is it really a boon to privacy if you are now unable to get the service you were previously willing to trade your privacy for?

I'm skeptical of GDPR (despite disliking non-consensual tracking). Nonetheless, I agree that this makes GDPR look like a win-win.

"we perform a difference-in-differences analysis that exploits"

Journal editors should prohibit that annoying phrase unless it's a Marxist journal where genuine empirical research and exploitation are sorely needed.

Get yourself a dictionary.

~Get yourself~ *exploit* a dictionary.


Haha, you are correct.

I don't need to exploit a dictionary to recognize ugly, academic prose.

Does GDPR even boost privacy? Yes, for the ones who opted-out.

It's about freedom of choice, not privacy.

The answer to Cowen's question (does GDPR boost privacy) is that, on average, no, and may, on average, reduce privacy (because the increase in the invasion of privacy for those who don't opt out is greater than the increase in privacy for those who do). This is from the perspective of privacy qua consumer. But what about tracking location for public health reasons? If the coronavirus were to hit the U.S. like it has in China, would Americans support tracking as part of an effort to limit the spread of the virus? They certainly would. And once tracking is justified for public health reasons, would tracking become just part of life in America? Indeed, I can envision a time when everyone is required to log in to a tracking site, daily for sure but maybe shorter intervals. There's a story in the NYT today about the risk of Cambodia becoming a vector for transmission of coronavirus because cruise ships are allowed to dock and passengers allowed to disembark without wearing masks. I can envision a time when all Americans are required to carry a tracking device (i.e., a smart phone) at all times, and are required to report violations of public health mandates such as wearing a mask. I doubt there would be a choice to opt in or opt out.

Probably not a bot. (In before Skeptical)

Would I visit European sites, the opt-in looks like a necessity, and the other option is rather hidden. Now that may be just because they know my locale and they're offering me a US choice architecture. But it's possible that they were sneaky in the choice architecture they put into this data privacy plan.

Anyway, delete cookies early and often.

s/Would/When/ of course. A voice dictation error I did not catch in time.

If you're still deleting cookies, you need a new browser.

interesting use of the term “externality” for those who opt out of an invasive, persistent commercial practice

Didn't they include a feature where you can request a site to delete all data about you? Right to be forgotten, or something like that? Nice feature.

How about the choice to opt-out of those annoying "this site uses cookies" pop-ups that I get many times each day? I curse the EU every time I encounter them.

Exactly. The two largest effects of the law seem to be to annoy people with never-ending cookie announcement pop-ups and to require companies to hire hordes of "privacy experts" for legal compliance.

The cookies popups are unrelated to GDPR and existed well before. The way GDPR was written included many lessons learned from the failed cookie policy.

When GDPR takes effect, you'll be able to ask companies what information they have about you and then ask them to delete that information.
