M. Degeling, T. Holz, N. Pohlmann, D. Tatang, T. Urban
The European General Data Protection Regulation (GDPR), which went into effect in May 2018, leads to important changes in this area: companies are now required to ask for users’ consent before collecting and sharing personal data and by law users now have the right to gain access to the personal information collected about them. In this paper, we study and evaluate the effect of the GDPR on the online advertising ecosystem. In a first step, we measure the impact of the legislation on the connections (regarding cookie syncing) between third-parties and show that the general structure how the entities are arranged is not affected by the GDPR. However, we find that the new regulation has a statistically significant impact on the number of connections, which shrinks by around 40%. Furthermore, we analyze the right to data portability by evaluating the subject access right process of popular companies in this ecosystem and observe differences between the processes implemented by the companies and how they interpret the new legislation. We exercised our right of access under GDPR with 36 companies that had tracked us online. Although 32 companies (89%) we inquired replied within the period defined by law, only 21 (58%) finished the process by the deadline set in the GDPR. Our work has implications regarding the implementation of privacy law as well as what online tracking companies should do to be more compliant with the new regulation.
„The Unwanted Sharing Economy: An Analysis of Cookie Syncing and User Transparency under GDPR”