We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

[1]  Herbert Burkert,et al.  Some Preliminary Comments on the DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. , 1996 .

[2]  Chang Liu,et al.  Raising a Red Flag on Global WWW Privacy Policies , 2002, J. Comput. Inf. Syst..

[3]  Melanie Volkamer,et al.  "This Website Uses Cookies": Users' Perceptions and Reactions to the Cookie Disclaimer , 2018 .

[4]  Jure Leskovec,et al.  Mining of Massive Datasets, 2nd Ed , 2014 .

[5]  Norman M. Sadeh,et al.  Which Apps Have Privacy Policies? - An Analysis of Over One Million Google Play Store Apps , 2018, APF.

[6]  Steven Skiena,et al.  Polyglot: Distributed Word Representations for Multilingual NLP , 2013, CoNLL.

[7]  Aleecia M. McDonald,et al.  The Cost of Reading Privacy Policies , 2009 .

[8]  Wouter Joosen,et al.  Rigging Research Results by Manipulating Top Websites Rankings , 2018, ArXiv.

[9]  Lorrie Faith Cranor,et al.  Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice , 2012, J. Telecommun. High Technol. Law.

[10]  Barry Werth,et al.  How short is too short? , 1991, The New York times magazine.

[11]  J. Reeve,et al.  Solutions to problematic polypharmacy: learning from the expertise of patients. , 2015, The British journal of general practice : the journal of the Royal College of General Practitioners.

[12]  Anna-Lan Huang,et al.  Similarity Measures for Text Document Clustering , 2008 .

[13]  Norman M. Sadeh,et al.  Automatic Extraction of Opt-Out Choices from Privacy Policies , 2016, AAAI Fall Symposia.

[14]  Edward W. Felten,et al.  Cookies That Give You Away: The Surveillance Implications of Web Tracking , 2015, WWW.

[15]  Timothy Libert,et al.  An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies , 2018, WWW.

[16]  Marc Langheinrich,et al.  The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[17]  Frederick Liu,et al.  The Creation and Analysis of a Website Privacy Policy Corpus , 2016, ACL.

[18]  Anne Oeldorf-Hirsch,et al.  The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services , 2020 .

[19]  Jiyoung Cha,et al.  Information privacy: a comprehensive analysis of information request and privacy policies of most-visited Web sites , 2011 .

[20]  Shinsaku Kiyomoto,et al.  PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation , 2018, IWSPA@CODASPY.

[21]  Nora A Draper,et al.  Persistent Misperceptions: Americans’ Misplaced Confidence in Privacy Policies, 2003–2015 , 2018, Journal of Broadcasting & Electronic Media.

[22]  Wouter Joosen,et al.  Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation , 2018, NDSS.

[23]  Daniel D. Suthers,et al.  I'm supposed to see that?' AdChoices Usability in the Mobile Environment , 2018, HICSS.

[24]  Toru Nakamura,et al.  Challenges in Classifying Privacy Policies by Machine Learning with Word-based Features , 2018, ICCSP.

[25]  Robert W. Proctor,et al.  Examining Usability of Web Privacy Policies , 2008, Int. J. Hum. Comput. Interact..

[26]  Peter Fankhauser,et al.  Boilerplate detection using shallow text features , 2010, WSDM '10.

[27]  Yang Wang,et al.  Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising , 2012, CHI.

[28]  Razieh Nokhbeh Zaeem,et al.  A study of web privacy policies across industries , 2017 .

[29]  Kang G. Shin,et al.  Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning , 2018, USENIX Security Symposium.

[30]  Lorrie Faith Cranor,et al.  How Short Is Too Short? Implications of Length and Framing on the Effectiveness of Privacy Notices , 2016, SOUPS.

[31]  Lorrie Faith Cranor,et al.  Designing Effective Privacy Notices and Controls , 2017, IEEE Internet Computing.

[32]  Adrienne Porter Felt,et al.  Measuring HTTPS Adoption on the Web , 2017, USENIX Security Symposium.

[33]  Lorrie Faith Cranor,et al.  A Design Space for Effective Privacy Notices , 2015, SOUPS.

[34]  Narseo Vallina-Rodriguez,et al.  A Long Way to the Top: Significance, Structure, and Stability of Internet Top Lists , 2018, Internet Measurement Conference.