Skip to main content
Article

Did EU Data Laws Really Rein in Online Tracking?

Published on:

Europe’s landmark data legislation slowed down online surveillance, but didn’t stop it. In his study, Klaus Miller shows tracking has grown - just less aggressively, and with more disclosure.

GDPR - RGPD

Key Findings


•    With new regulation, EU sites used a fifth fewer trackers per website on average.
•    Privacy-invasive trackers saw the biggest decline - essential trackers stayed.
•    News publishers tracked users more aggressively than other categories.
•    Most users still click 'accept all', fueling the privacy paradox.
•    Stronger enforcement and functional decoupling are key to reform.

 

 

 

When the EU’s General Data Protection Regulation (GDPR) came into force in 2018, it was hailed as a turning point for digital privacy. But nearly seven years later, the online world looks more like a recalibrated system than a reformed one. In our recent study co-authored by Karlo Lukic and Bernd Skiera, we examined how websites actually responded — and found that while privacy-invasive trackers declined, the overall volume of tracking scripts continued to grow. GDPR didn’t dismantle the surveillance infrastructure; it simply made parts of it more visible, and arguably, more consented to.

Why Online Tracking Persists

Most people are familiar with the obvious traces they leave online: logins, newsletter signups. But every page load summons an army of “trackers,” including “cookies.” Used by publishers, advertisers and platforms, these scripts record your behavior, link identities, and construct detailed user profiles – without your knowledge.

Some serve legitimate purposes (site security, language preferences). Others share data across platforms and advertisers, enabling everything from hyper-targeted ads to eerily prescient recommendations. Such tracking raises major privacy concerns – for instance, imagine data about your location being correlated with visits to the website of Alcoholics Anonymous.

So the European Union adopted the General Data Protection Regulation (GDPR), which came into force in 2018. The GDPR defined what personal data could be collected, and under what conditions. In principle, non-essential trackers (those not needed for website functionality) now require explicit consent.

What GDPR Changed - And What It Didn’t

Nearly seven years down the line, my colleagues and I ask how much has actually changed. What we examined in our article “The Impact of the General Data Protection Regulation (GDPR) on Online Tracking”, was not so much whether tracking vanished after the regulation (it didn't), but whether the most privacy-invading forms decreased.

To measure the real-world impact of GDPR, they tracked the trackers, analyzing tracking on websites within and outside the EU before and after the regulation took effect.

EU publishers had 4 fewer trackers on average than non-EU ones, mainly due to a 2.2-per-publisher drop in GDPR-targeted PII trackers.

Contrary to the intuition that GDPR might reduce tracking, the overall number of trackers actually increased over the observed period. However, EU publishers saw a 14.8% smaller increase than their non-EU counterparts. That’s equivalent to 4 fewer trackers per publisher on average.

Crucially, the types of trackers that declined were the ones GDPR targeted: those that collect and share personally identifiable information (PII). These fell by 2.2 per publisher. Advertising trackers, however, were only slightly affected.

How Users Contribute to the Problem

Essential trackers are required for a website to load, display fonts, or verify that you are not a robot; these saw minimal change. That was to be expected, as these don’t require user consent under GDPR.

Non-essential trackers, especially those involved in advertising and user profiling, were more affected, though not eliminated. Advertising trackers dropped only slightly. Analytics tools remained in use. And cookie consent banners popped up everywhere. But user behavior remained largely unchanged. Most people still click “accept all.”

That is because of the “privacy paradox,” as we explain: 99% of users are unwilling to pay for privacy (through pay-or-tracking models), though they say they want privacy. People are paying with their attention, with their data, so tracking will remain.

Why News Sites Lead in Tracking

The study also examined how different types of websites responded. News sites, unsurprisingly, were the biggest trackers. With an average of 29 trackers per site, they were well above categories like government (7 trackers) or reference pages.

Why is that? News publishers mostly rely on ad revenue, and ad revenue still relies heavily on third-party data. So these sites may be more reluctant to comply fully – it's a matter of economic survival.

But one has to remain cautious. These publishers may have not complied before we observed them. Or it may not even be deliberate, as advertisers may sneak cookies within the ads on the site without the publishers being aware of this. The market is complex, so you have to be a large, technologically sophisticated publisher, like Le Monde or Der Spiegel, to know about that.

Whatever the case, not all publishers interpreted - or complied with - GDPR equally. It is common knowledge that GDPR is under-enforced.

What Real Reform Could Look Like

For users, the digital landscape remains imperfect. Their consent is requested, but it often remains superficial, if not forced – after all, when users are not offered the opportunity to opt-in to less privacy-invasive analytics tracking, they will likely continue to click on “accept all.”

One solution suggested in the paper is the decoupling of functions that are usually bundled together. In the case of YouTube, the video functioning is bundled with tracking, so Google, which owns YouTube, can monetize your data. But if they were unbundled who would be willing to pay to use the service, i.e., watch the video?

As a conclusion, GDPR didn’t kill the cookie – it slightly changed the recipe: the infrastructure for collecting, retaining, and sharing data remains largely intact, though users have gained a modicum of privacy – or at least are aware when relinquishing it.

Methodology 

The researchers analyzed a sample of 29,735 websites over a 32-month period spanning 12 months before and 20 months after the regulation took effect. They compared trends in tracker use between EU publishers (subject to the regulation) and non-EU publishers (not subject), distinguishing between different types of tracking tools.

Applications

One solution to balance tracking benefits with privacy would be to separate a tracker’s functionality from its data collection. This would preserve content features like embedded videos without creating surveillance, but would shift the financial burden of that functionality to publishers, advertisers, tracker providers, or users.

GDPR has an enforcement problem, as data protection agencies lack resources and tend to focus on major actors of the web. But fines are effective: Klaus Miller observed a decrease in the number of trackers after Google was sentenced to pay a €50 million fine in 2019 – though tracking rebounded afterward.

Based on the article by Karlo Lukic, Klaus Miller and Bernd Skiera, The Impact of the General Data Protection Regulation (GDPR) on Online Tracking (International Journal of Research in Marketing, March 2025).