A new study finds that the European Union’s effort to give individuals more control of their personal data has decreased the amount of consumer information tracked online. But the remaining data might be even more valuable to companies marketing to customers.
In the two years since the General Data Protection Regulation went into effect, there was a 10.7% rate of users opting out of sharing their data under the directive’s features, however, the trackability of remaining users increased by about 8%, according to MIT assistant professor of economics Tobias Salz.
“GDPR has changed the composition of users,” said Salz in an interview. “Our results indicate that those users who remain are on average of higher value to advertisers.”
The working paper, “The Effect of Privacy Regulation on the Data Industry: Empirical Evidence from GDPR,” was written by Salz and his co-researchers Guy Aridor and Yeon-Koo Che, both of Columbia University. The researchers studied an anonymous third-party advertising company that recorded keyword searches, and purchases, for online travel agencies. The dataset was collected for searches and purchases between Jan. 1 – July 31, 2018. GDPR went into effect in May of 2018.
Under the directive, a person living in one of the EU countries has the right to know how their data is collected, processed, and protected by a company, as well as the right to request that that information be erased if it is no longer needed. GDPR applies to companies based in the EU, and companies outside the EU that offer goods, services, or “monitor the behavior” (such as social media) of people living in one of the EU member countries.
“What this means for these third-party providers is of course less traffic and as a result less business,” Salz said. “And we do find an overall reduction in revenues.”
However, he added, “we find that some of these losses are actually being offset. That to us was indeed surprising.”
Here’s a closer look at the findings:
In the world of advertising, conversions — clicks on an ad that lead to a purchase — are key, and they need to be measured. One way of doing this is through cookies (small identifying files stored on browsers that track a person’s behavior across websites).
In the two years since the regulation went into effect, there was a 12.5% decrease in the number of unique cookies as a result of the directive’s opt-out features.
Salz said that it’s important to keep in mind that the unique number of cookies is a combination of users that generate long histories because they never use cookie blockers, and users that always appear as new users — even if it’s the same person opening various tabs from a site, because of their use of privacy settings.
“If you have some users that are going to protect their privacy through cookie blockers or private browsing, then it's very hard to measure the conversion rate for those users,” Salz said. “After the introduction of GDPR these users simply disappear from the data.”
There might be less data for the advertiser to work with, however, he added, “the users that remain in the data are those that make less use of this privacy protection, and therefore are of higher value,” because the advertiser can track behavior like keyword searches and purchases — and tailor future marketing to that behavior. These are the users where the researchers found 8% higher trackability, a boon for the third-party advertiser.
In one study on travel agency websites, consumer trackability increased by 8% under GDPR.
To explain the trackability increase, the researchers looked at the “identifier persistence” of a user before and after GDPR went into effect, and how often a cookie shows up again on a site after varying numbers of weeks.
They hypothesized that consumers who were previously using privacy settings would also more likely opt out under GDPR, meaning they no longer show up in a dataset, leaving those remaining consumers who do share their information with a site, and making that latter group more trackable.
Future consumer data research
Salz and his co-researchers write that the use of consumer data could go one of two ways. On the one hand, their information could be used for targeted advertising and services they want or need. On the other, if that information is used for something like personalized pricing, it could be seen as harmful to those consumers.
The economists also suggest studying consumer data privacy beyond their scope of the travel industry. Unlike Google or Facebook, where users have no choice but to share their data with the company, Salz said, the small third-party company they worked with relies on data collection through cookies, and it is up to the consumer whether or not to share it.
“In that sense,” Salz said, “I think our results indicate that the GDPR regulation falls harder on these small advertising companies.”