IT consultants, software firms and campaigners spent months touting 25 May 2018 as the dawning of a new era – for better or worse, depending on who was selling the snake oil – but research published this month indicates minor changes in reality.
The General Data Protection Regulation, which came into force on Towel Day, applies to any processing carried out by firms operating in the EU, and those offering goods or services to people in the EU.
That meant the law had major implications for the technical design of large numbers of websites, along with how organisations retained and protected personal data and informed users about that collection and use – at least in theory.
The situation was complicated by the fact that a companion law, the ePrivacy Regulation, which addresses privacy rules for electronic communications, was delayed. Originally intended to be implemented at the same time as GDPR, it is still making its way through the EU's legislative process.
European Parliament's ePrivacy rep bemoans members' slow progressREAD MORE
Nonetheless, as anyone with an email account can testify, firms certainly wanted users to know they were taking their privacy seriously, with a flurry of activity from organisations asking you to "re-consent" or look at their new privacy policies.
First, a survey of news sites in seven EU countries (Finland, France, Germany, Italy, Poland, Spain, the UK) carried out by the Reuters Institute at Oxford university found a 22 per cent drop in third-party cookies per page, between April and July 2018.
This included a 27 per cent decrease in cookies from design optimisation tools, and a 14 per cent drop in advertising and marketing cookies.
The report (PDF) found that US tech giants Google, Facebook and Amazon broadly retained their presence on news sites – in April, 97 per cent of pages tracked had content from Google; in July it was 96 per cent.
Facebook saw more of a drop, some 5 percentage points to 70 per cent – but this could also be attributed to the Cambridge Analytica scandal.
The reach of other companies fell more substantially: in April the top 10 firms all tracked content on at least 50 per cent of the pages assessed, but by July only five companies did.
Oracle – which was present on 53 per cent of pages in April – also fell out of the top 10, with just 32 per cent in July. This was attributed to a drop in AddThis usage, from 20 per cent to 10 per cent.
Meanwhile, a separate study by a team from Germany and the US, and published as a pre-print on arXiv (PDF), found that organisations were more upfront and detailed about cookies on their sites.
In June, some 62.1 per cent of the 6,759 websites assessed (the top 500 in each of the 28 member states) displayed cookie consent notices, up 16 per cent from January 2018.
These were also more varied than before, the paper said, with notices ranging from simply informing people that the site used cookies, or forcing them to confirm they'd seen the notice, to offering consent, either as a binary choice, slider, toggles or checkboxes.
GDPRmageddon: They think it's all over! Protip, it has only just begunREAD MORE
However, the team said there was little change in practices; tracking stayed broadly the same and the majority of sites still relied on opt-out consent mechanisms.
The researchers also found a 4.9 per cent increase in websites offering privacy policies – although half the sites only updated their policies in May 2018, despite the two-year implementation period.
Overall, the team concluded that GDPR has had a positive effect on transparency when it came to web privacy, but that this could lead to a false sense of privacy and security since the amount of tracking didn't change.
The paper called for clearer guidelines for service providers that set out what types of cookies can be set on what legal grounds, and an agreement within industry on technical privacy standards, such as Do Not Track.
Without this, it said, there is "an additional burden on users", who face increasing numbers privacy notifications that "may fulfill the law's transparency requirements but are unlikely to actually help web users make more informed decisions regarding their privacy".
The paper noted that the ePrivacy Regulation might provide some clarity on certain areas around cookie consent – indeed, it is expected that it will spell the end for the cookie banner – but said that, at the moment, "it is unclear when and in what form it may be adopted". ®