European Privacy Laws Shape Global Competition and Privacy Landscape

We study the intended and unintended consequences of privacy protection in the case of websites after the European General Data Protection Regulation (GDPR) went into force. We follow 110,706 websites and their connections to third-party services every other week for a period of 12 months. Our results show that websites reduces their connections to web technology providers, especially regarding requests that involve personal data after the GDPR comes into force. However, we show that the increasing long-run trend is not affected, which raises concerns about the effectiveness of the GDPR. We show that this is not only true for websites that mainly cater to an audience inside the European Union (EU), but also for those that cater to Non-EU audiences.

We further document an increase in market concentration in tracking services after the introduction of the GDPR. Only the leading firm in a variety of markets, Google, can increase its market share. Combining website-level data with information about the browsing behavior of a large number of users in the United States and Germany, we show that consumers under the age of 18 and consumers associated with higher levels of privacy sensitivity are less likely to encounter third-party cookies when browsing the web after the introduction of the GDPR.