This paper studies the effects of the EU’s General Data Protection Regulation (GDPR) on the ability of firms to collect consumer data, identify consumers over time, accrue revenue via online advertising, and predict their behavior. Utilizing a novel dataset by an intermediary that spans much of the online travel industry, we perform a difference-in-differences analysis that exploits the geographic reach of GDPR. We find a 12.5% drop in the intermediary- observed consumers as a result of GDPR, suggesting that a nonnegligible number of consumers exercised the opt-out right enabled by GDPR. At the same time, the remaining consumers are more persistently trackable. This observed pattern is consistent with the hypothesis that privacy-conscious consumers substitute away from less efficient privacy protection (e.g, cookie deletion) to explicit opt out, a process that would reduce noise on remaining consumers and make them more trackable. Further in keeping with this hypothesis, we observe that the average value of the remaining consumers to advertisers has increased, offsetting most of the losses from consumers that opt-out. Our results highlight the externalities that consumer privacy decisions have both on other consumers and for firms.