Measuring the Impact of the GDPR on Data Sharing in Ad Networks
Tobias Urban, Dennis Tatang, Martin Degeling, Thorsten Holz, Norbert Pohlmann
ACM Asia Conference on Computer & Communications Security (ASIACCS), Taipei, Taiwan, June 2020
The European General Data Protection Regulation (GDPR), which went into effect in May 2018, brought new rules for the processing of personal data that affect many business models, including online advertising. The legislation's definition of personal data applies to every company that collects data from European Internet users. This includes tracking services that, until then, argued that they were collecting anonymous information and that data protection requirements would not apply to their businesses.
Previous studies have analyzed the impact of the GDPR on the prevalence of online tracking with mixed results. In this paper, we go beyond the analysis of the number of third parties and focus on the underlying information sharing networks between online advertising companies in terms of cookie syncing. Utilizing graph analysis, our measurement shows that the number of ID syncing connections decreased by around 40% around the time the GDPR went into effect, but a long-term analysis shows a slight rebound since then. While we can show a decrease in information sharing between third parties, which is likely related to the legislation, the data also shows that the amount of tracking, as well as the general structure of cooperation, was not affected. Consolidation in the ecosystem led to a more centralized infrastructure that might actually have negative effects on user privacy, as fewer companies perform tracking on more sites.