The European Union's (EU) General Data Protection Regulation (GDPR), in effect since May 2018, enforces strict limitations on handling users' personal data, hence impacting their activity tracking on the Web. In this study, we perform an evaluation of the tracking performed in 2,000 high-traffic websites, hosted both inside and outside of the EU. We evaluate both the information presented to users and the actual tracking implemented through cookies; we find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EUbased ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law. On the other hand, we find that tracking remains ubiquitous. In particular, we found cookies that can identify users when visiting more than 90% of the websites in our dataset--and we also encountered a large number of websites that present deceiving information, making it it very difficult, if at all possible, for users to avoid being tracked.
Can I opt out yet? GDPR and the global illusion of cookie control
ASIACCS 2019, 14th ACM Asia Conference on Computer and Communications Security, 7-12 July, Auckland, New Zealand
© ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2019, 14th ACM Asia Conference on Computer and Communications Security, 7-12 July, Auckland, New Zealand http://dx.doi.org/10.1145/3321705.3329806
PERMALINK : https://www.eurecom.fr/publication/5941