The tyranny of GDPR popups and the websites failing to adapt

GDPR has changed the internet for millions of people. But nobody can agree on how to stay on the right side of compliance
The HTTP error code 451 is used on web pages when they're blocked for legal reasons. WIRED

Three months in and Europe's new General Data Protection Regulation (GDPR) is still a confusing mess. More than a thousand websites are still blocked across Europe and intrusive privacy popups have become part and parcel of life online. But there is some good news: the number of websites tracking you has decreased.

"Unfortunately, our website is currently unavailable in most European countries," is the message still greeting visitors to the Los Angeles Times website. Owned by media group Tronc, the Times says it is "committed to looking at options" to bring its services back to the 741 million people in Europe. Meanwhile, the India Times says: "We are currently not providing access or use of our website/mobile application to our users in Europe."

Analysis by UK-based researcher Joseph O'Connor has found 1,051 US news websites are being blocked in Europe. These include the-daily-record.com and news9.com. Some websites are becoming accessible, with O'Connor finding that 13 news websites owned by GateHouse Media had become available again on August 20, but progress is slow. Many show users the HTTP error code 451: unavailable for legal reasons.

Bookmarking website Instapaper took two months after GDPR's enforcement date of May 25 to become available again in Europe. In a blog post announcing it was going independent from owners Pinterest, the company wrote it had taken "a number of actions" to make itself available within the EU again. (It refused to comment further but has offered people in the EU six months of its Premium service for free.)

Other websites aren't planning on making themselves available to people in the EU at any point. "Internet traffic on our local news sites originating from the EU and EEA is de minimis," a spokesperson for Lee Enterprises told Nieman Lab. "We believe blocking that traffic is in the best interest of our local media clients."

On top of websites being completely inaccessible, GDPR's implementation fundamentally changed the experience of using the web in another, more annoying, way: popups. These inform visitors of how websites are tracking them, offer options to see privacy policies and in some cases give the choice of turning off cookies that monitor user behaviour. The increase in transparency has been greeted positively by privacy campaigners. An early research paper from German and US academics, which examined 6,579 websites across Europe, says 62.1 per cent of the websites now show cookie consent notices – a jump of 16 per cent when compared to January 2018.

Rules around cookies largely come from the EU's ePrivacy regulation – a new version is being drafted by officials – but GDPR's introduction has redefined what consent means under the existing ePrivacy regulation. The situation is complicated. "In 2009, the e-Privacy Directive was updated to require “consent” for all non-essential cookies," law firm FieldFisher wrote in a blog post, which attempts to explain the deeply complex legal situation. In the UK, ePrivacy requirements are included in the Privacy and Electronic Communications Regulations (PECR). The UK data protection regulator, the Information Commissioner's Office (ICO), says that "not all cookies require consent" and where they do there are different ways consent can be obtained.

"The key is that the information offered to users complies with PECR and that the consent itself meets the definition in the GDPR," a spokesperson for the ICO says. "The most appropriate solution to achieve this is a matter for each organisation, depending on its particular circumstances."

The result is a huge variety of different website popups and cookie controls. "How effective the popups are will vary between websites," says Brent Mittelstadt, a research fellow at the Oxford Internet Institute. Visit the popular Minecraft Updates Tumblr – or any other website owned by Oath, including Yahoo Mail and the Huffington Post – and you'll be greeted with a page about how your data is used. If you choose to manage how your data is used, Oath lets you select which of its "partners" can access your information. There are 49 different sliders that allow users to share data: partners include AppNexus, which produces online advertising, and DataXU, which creates marketing software.

The website of Popular Science magazine, owned by Bonnier Corp, gives a detailed breakdown of the 197 cookies it uses. (It classifies seven of these as being necessary; the rest are for marketing and other purposes.) The descriptions include what each cookie is being used for, how long it has permissions for and who provides it. Bonnier doesn't have an option to deselect certain cookies and has one button: "Allow all cookies".

"Most people who want to casually read an article on a website are not going to be bothered to figure out what specific companies they want to allow to spy on them," says Smári McCarthy, an MP for Iceland's Pirate Party. "I'm guessing if you look at the distribution of settings the vast majority of people will just accept any advertising and tracking cookies and arbitrary spy modes." In many cases, users are nudged towards clicking to accept recommended settings. German website ComputerWoche shows its "Sounds Good, Thanks" choice button with a bright green background, while its "Update Privacy Settings Option" almost blends into the rest of the webpage.

Both Oath and Bonnier offer detailed descriptions of the cookies they use. Other websites have vastly different setups. AccuWeather gives two options for how its 199 partners collect and use data. First, you can let it use your data in return for seeing the website for free with advertisements. Or you can refuse to let it use your data and be forced to pay for access. There is no middle ground. The Washington Post has a similar option: offering a free version for people consenting to be tracked by cookies and willing to receive personalised ads. It also has a 'Premium EU Ad-Free Subscription' that doesn't have any online ads or tracking by third parties.

The introduction of GDPR has led to a disparity in how websites inform users about cookies. However, early analysis shows it has reduced the number of cookies used on leading websites. "There's a clear decline in the number of third-party cookies per page, looking across news sites in Europe," says Rasmus Kleis Nielsen, director of research at the University of Oxford's Reuters Institute for the Study of Journalism. "We saw a 22 per cent drop per page."

Nielsen and colleagues monitored the amount of third-party web content and the number of cookies on European news websites a month before GDPR was implemented and a month after. The results of the analysis show that, on average, UK news websites had 45 per cent fewer cookies at the end of July. Overall, design-related cookies dropped the most (27 per cent) followed by advertising and marketing cookies (14 per cent).

The percentage of news websites with Facebook or Twitter sharing buttons – which track users around the web, even if they don't have accounts – dropped from 84 per cent before GDPR to 77 per cent afterwards. However, the big tech companies still dominate. "In the case of the top companies – Google and Amazon – there's almost no decline. In the case of Facebook there's a relatively small decline," Nielsen says. "We still see the large US-based tech companies, that also after GDPR, are companies that publishers seem to feel it is necessary to continue to collaborate with."

Expect that to change. The provisions of GDPR have yet to be challenged in court and the ePrivacy regulation that specifically covers cookies needs to be finalised by EU regulators. "As with European law in general, these things require testing, interpretation by the courts," Mittelstadt says. "It will be something that changes over time."

This article was originally published by WIRED UK