We Value Your Privacy… Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy

Degeling; Martin;, Utz; Christine;, Lentzsch; Christopher;, Hosseini; Henry;, Schaub; Florian;, Holz; Thorsten

We Value Your Privacy… Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy

Degeling, Martin; Utz, Christine; Lentzsch, Christopher; Hosseini, Henry; Schaub, Florian; Holz, Thorsten

Zusammenfassung

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR’s transparency requirements. We monitored this rare event by analyzing changes on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites – 6,579 in total – for the presence of and updates to their privacy policy between December 2017 and October 2018. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5% of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. After May this positive development slowed down noticeably. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site’s cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 28 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the web became more transparent at the time GDPR came into force, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

Schlüsselwörter
GDPR; Privacy policy; Cookie banner;

Publikationstyp

Forschungsartikel in Online-Sammlung (Konferenz)

Begutachtet

Ja

Publikationsstatus

Veröffentlicht

Jahr

2019

Konferenz

Network and Distributed System Security Symposium (NDSS)

Konferenzort

San Diego

Fachzeitschrift

NDSS Symposium

Sprache

Englisch

ISBN

1-891562-55-X

DOI

https://doi.org/10.14722/ndss.2019.23378

Gesamter Text

ndss2019_04B-2_Degeling_paper.pdf