In May 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR), a major component of EU privacy law. Privacy regulations like the GDPR have long been criticized by the online advertising industry as harmful to the digital economy. Critics argue that stricter privacy laws reduce online tracking, disrupt targeted advertising, and, as a result, weaken the ability of publishers and content creators to generate revenue and maintain free, high-quality content for users. But since its implementation, little attention has been directed to understanding the regulation’s possible effect on interactions between online news and media websites and their visitors.
In a new longitudinal study, researchers examined EU and U.S. news and media websites to determine how online content providers adapted their responses to the GDPR over time, and whether restrictions on online tracking affected outcomes such as the quantity of content and visitors’ engagement. The study found that while EU websites made changes and adapted, they continued to produce quality content and engage audiences at levels comparable to their U.S. counterparts.
The study, by researchers at Carnegie Mellon University, MIT, Institut Mines Telecom Business School, and Cornell University, is published in Management Science.
“Content providers rely on online advertising for revenue,” notes Vincent Lefrere at Institut Mines Telecom, who coauthored the study. “The GDPR raised concerns that these providers could be harmed by the regulation of data flows used in programmatic ads and restrictions on online tracking. This, in turn, has led to questions about the appropriate balance between the regulatory goal of protecting privacy and other societal interests.”
In their study, researchers investigated how the GDPR affected ad-supported news and media websites and their consumers by capturing websites’ responses to the regulation and the effects of the regulation on numerous content metrics. They compared the responses and content metrics of EU websites (more directly affected by the GDPR) to those of U.S. websites (less directly affected). The study examined nearly 1,000 content providers in several EU countries (France, Germany, the Netherlands, Spain, and the United Kingdom) and in the United States, mining information from their websites at regular intervals between April 2017 and November 2019, before and after the GDPR was implemented.
The study found significant evidence of changes, especially among EU websites, but also differences in responses between EU and U.S. websites. Both EU and U.S. websites responded to the GDPR by significantly reducing the magnitude of visitor tracking—though this reduction was short-lived and followed by an increase in tracking. However, EU websites’ tracking of both EU and U.S. visitors decreased relative to U.S. websites’ tracking of U.S. visitors, and EU websites’ tracking eventually stabilized at levels lower than before the GDPR was implemented. In addition, EU websites increasingly used consent mechanisms, while few U.S. websites did so.
These patterns, along with the observation that most visitors to EU websites originated from the EU while most visitors to U.S. websites came from the United States, confirm that from a regulatory standpoint, the GDPR affected EU and U.S. websites in very different ways.
Using multiple identification strategies and dependent variables, the study did not find any statistically significant impact of the GDPR on EU websites’ ability to provide content relative to their U.S. counterparts, a finding the authors characterize as surprising. While they found a small decline in the average number of page views per user on EU websites relative to U.S. websites, they found no statistically significant impact on other measures of visitor engagement, including the amount of traffic EU websites received or their rank, or visitors’ social media reactions to new content.
These findings suggest that EU websites responded to the GDPR, but over time found ways to do so without affecting their ability to produce content. Thus, “a negative impact of the GDPR on metrics of interest to consumers should not have been assumed; instead, businesses’ responses may have evolved and adapted in ways that minimized potential negative effects,” says Cristobal Cheyre at Cornell University, one of the authors of the study.
Among the limitations of the study, the authors note that it does not analyze potential long-term effects of the regulation. Also, the study does not focus on the role of variable degrees of privacy protection in determining the quality of visitors’ experiences with EU and U.S. websites.
“Although industry predicted dire consequences from the GDPR for content providers, the results of our study suggest that EU content providers responded to the regulation without triggering the undesirable outcomes forecast by the ad-tech industry,” says Alessandro Acquisti at MIT Sloan, who worked on the study while at Carnegie Mellon University. “Our findings can inform the ongoing debate over regulating privacy and firms’ data practices.”
The study was funded by the Alfred P. Sloan Foundation, CARNOT Telecom & Societe Numerique, DATAIA Convergence Institute (as part of the Programme d’Investissement d’Avenir), the French National Research Agency, and the National Science Foundation.
Journal
Management Science
Article Title
Does Privacy Regulation Harm Content Providers? A Longitudinal Analysis of the Impact of the GDPR
Article Publication Date
11-Jul-2025