Characterising Third Party Cookie Usage in the EU after GDPR


Abstract

The recently introduced General Data Protection Regulation (GDPR) requires that consent be obtained when collecting information online that could be used to identify individuals. Among other things, this affects many common forms of cookies, and users in the EU have been presented with notices asking for their approval for data collection. This paper examines the prevalence of third party cookies before and after GDPR by using two datasets: accesses to the top 500 websites according to Alexa.com, and weekly data of cookies placed in users' browsers by websites accessed by 16 UK and China users across one year. We find that on average the number of third parties dropped by more than 10% after GDPR, but when we examine real users' browsing histories over a year, we find that there is no material reduction in long-term numbers of third party cookies, suggesting that users are not making use of the choices offered by GDPR for increased privacy. Also, among websites which offer users a choice in whether and how they are tracked, accepting the default choices typically ends up storing more cookies on average than on websites which provide a notice of cookies stored but without giving users a choice of which cookies, or those that do not provide a cookie notice at all. We also find that top non-EU websites have fewer cookie notices, suggesting higher levels of tracking when visiting international sites. Our findings have deep implications both for understanding compliance with GDPR as well as understanding the evolution of tracking on the web.

Third-party Dataset

All collected data have been obtained with agreement from participants and under the Research Ethics Minimal Risk Registration process at our university to ensure the permissions of approvals relevant to this research (Ethics approval no. MRS-1718-6539). If you are interested in using this data, please send us an email to Request Data and indicate which of the following parts you need in the email. Example screencast videos for non-compliance websites in the Top 500: here


Contact Us


If you are interested in using this data, please e-mail us at netsys[at]kcl.ac.uk

We are sharing the video dataset under the terms and conditions specified here and following GDPR's Terms of Usage. In the email, please indicate which part of the dataset you need and the usage of the dataset. If you do not get any email notification for your logged request within 24 hours, please e-mail us at netsys.noreply[at]gmail.com.


Dataset Terms and Conditions

  1. You will use the data solely for the purpose of non-profit research or non-profit education.

  2. You will respect the privacy of end users and organizations that may be identified in the data. You will not attempt to reverse engineer, decrypt, de-anonymize, derive or otherwise re-identify anonymized information.

  3. You will not distribute the data beyond your immediate research group.

  4. If you create a publication using our datasets, please cite our papers as follows.


Xuehui Hu and Nishanth Sastry. 2019. Characterising Third Party Cookie Usage in the EU after GDPR. In Proceedings of the 10th ACM Conference on Web Science (WebSci ’19). Association for Computing Machinery, New York, NY, USA, 137–141. DOI:https://doi.org/10.1145/3292522.3326039
          



