Google is the biggest beneficiary of the GDPR, according to the results of a study from Cliqz and Ghostery. The study aimed to assess the impact of GDPR on the tracker landscape and the online advertising market in Europe. Using data from WhoTracks.me, it compares the prevalence of trackers one month before and one month after the introduction of the regulation.

WhoTracks.me is a joint venture between the two companies. It provides structured information on tracking technologies, market structure and data-sharing on the web. On the WhoTracks.me website, interested parties can find visualized monthly tracker statistics, based on the evaluation of around 300 million-page loads and more than half a million websites.

Most trackers collect data for advertising purposes. They want to know as much as possible about a user in order to display personalized ads. The more targeted ads are to the user’s interests, the more successful they are, and the more money they generate. In the run-up to GDPR coming into force on 25 May, the ad tech industry was deeply concerned about the impact it would have on the sector.

A comparison of tracker prevalence for April (pre-GDRR) compared to July (post) reveals a clear picture. Smaller ad trackers have lost significant reach, which the companies can be used as a proxy for market share). They lost between 18 per cent and 31 per cent. Facebook suffered a decline of just under 7 per cent. In contrast, market leader Google was able to slightly increase its reach, by 1 per cent.

Significant resources
There companies offer several possible explanations for this. Firstly, Google and other big ad tech companies have had significant resources dedicated to compliance. There have also been reports that Google may have used its dominant position to encourage publishers to reduce the number of ad tech vendors and thus the number of trackers on their sites. Finally, in order to avoid the risk of fines, it’s possible that website owners have chosen to play it safe, dropping smaller advertisers that may have found it difficult to prove compliance with GDPR.

Whatever the reasons, the companies argue that Google benefits indirectly from the effects of the GDPR, which led the online ad market in Europe to become more concentrated, as the majority of advertisers lose market share. Google used the uncertainty around GDPR to its advantage and further expanded its leading position. On the other hand, many smaller competitors have been steadily losing market share since GDPR came into effect.

A similar trend can be seen when looking at the entire tracker landscape in the EU. The average number of trackers per page has dropped by almost 4 per cent from April to July. The opposite is true in the US, where the average number of trackers per page has increased by 8 per cent over the same period.

While the effects of GDPR on the tracker landscape in Europe can be observed across all website categories, the reduction seems more prevalent among categories of sites with a lot of trackers. Most trackers per page are still located on news websites. On average, they embed 12.4 trackers. Compared to April, however, this represents a decline of 7.5 per cent.

On eCommerce sites, the average number of trackers decreased by 6.9 per cent to 9.5 per page. For recreation websites, the decrease is 6.7 per cent, which corresponds to 10.7 trackers per page. A similar trend is observed for almost all other website categories. The only exception are banking sites, on which 7.4 per cent more trackers were active in July than in April. However, the average number of trackers per page is only 2.6.

For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data. This, the companies say, is not least due to the fact that many consent management tools use manipulative UX design (so-called dark patterns) to nudge users towards particular choices and actions that may be against their own interests. They trick the users into clicking away the privacy consent notices and thus “consent” to any kind of data collection.

Future regulations
The companies believe that such manipulation attempts could be prevented by future regulations enforcing machine-readable standards. The next opportunity for that would be the ePrivacy regulation, which will complement the GDPR. It would be desirable, for example, if ePrivacy required that the privacy policies of websites, information on the type and scope of data collection by third parties, details of the Data Protection Officer and reports on data incidents must be machine-readable. This would increase transparency and create a market for privacy and compliance where industry players keep each other in check.

In the end, the study concludes, users should never only rely on laws and regulations such as GDPR to protect their privacy. Instead, they should be aware of who they are providing which data to, and technical solutions in the form of anti-tracking tools can help, by preventing personal data from being transferred to third parties, regardless of cookie settings.