In May 2018, the European Union (EU) introduced the General Data Protection Regulation (GDPR), a landmark element of its privacy legislation. From the outset, privacy rules of this kind were met with scepticism by the online advertising industry, which warned that such restrictions would damage the digital economy. Critics argued that by limiting online tracking and disrupting targeted advertising, the GDPR would erode publishers’ capacity to generate revenue, ultimately threatening the sustainability of free, high-quality online content. Yet, despite these concerns, comparatively little attention has been paid to examining how the regulation has actually shaped the relationship between news and media websites and their audiences.

A new longitudinal study has sought to fill this gap by analysing how news and media providers in both the EU and the United States adapted to the GDPR in the months and years following its implementation. The researchers focused on whether restrictions on data collection altered patterns of content production and audience engagement. Their findings suggest that, although EU websites made adjustments, they continued to produce high-quality material and maintain audience engagement at levels broadly similar to those of their U.S. counterparts.

The research, conducted by teams from Carnegie Mellon University, MIT, Institut Mines Télécom Business School, and Cornell University, appears in Management Science. According to Vincent Lefrere of Institut Mines Télécom, a co-author of the study, the central question concerned the balance between privacy protection and the economic needs of content providers. “Content providers rely heavily on online advertising,” Lefrere explains. “The GDPR raised fears that restrictions on the data flows underpinning programmatic ads would threaten their ability to function. This raised fundamental questions about how to reconcile privacy regulation with broader societal interests.”

To answer these questions, the researchers examined nearly 1,000 websites across France, Germany, the Netherlands, Spain, the United Kingdom, and the United States. Drawing on data collected at regular intervals between April 2017 and November 2019, the study compared the responses of EU-based websites, which are directly subject to GDPR obligations, with those of U.S. websites, which are less directly affected by the regulation. The analysis revealed marked differences in behaviour. Both EU and U.S. providers initially reduced visitor tracking after the GDPR came into force, though this decline was temporary. However, EU websites ultimately stabilised at significantly lower tracking levels than before, particularly in relation to both EU and U.S. visitors. Moreover, EU websites were far more likely to adopt consent mechanisms than their American counterparts.

These trends reflected the different regulatory environments in which the websites operated, reinforced by the fact that EU websites drew most of their visitors from within the EU. In contrast, U.S. websites were primarily frequented by domestic audiences. Strikingly, however, the regulation did not appear to undermine EU providers’ ability to produce and share content. Using multiple methods and outcome measures, the study found no statistically significant evidence of reduced content availability or engagement relative to U.S. websites. While there was a slight decline in the average number of page views per visitor on EU sites, other indicators—such as total traffic, site rankings, and social media reactions—remained largely unaffected.

The authors conclude that EU websites adapted to the GDPR’s constraints in ways that mitigated the feared consequences. As Cristobal Cheyre of Cornell University observes, “A negative impact of the GDPR on consumer-facing metrics should not have been taken for granted. Our findings show that businesses were able to adjust, and in doing so, minimised any potential negative outcomes.”

Nevertheless, the researchers caution against over-generalising their results. Their analysis does not extend to the long-term implications of the GDPR, nor does it evaluate whether differing levels of privacy protection may have altered the quality of user experiences across EU and U.S. sites. Even so, the results challenge the industry’s initial claims of imminent disaster. As Alessandro Acquisti of MIT Sloan, another co-author, notes: “Although the ad-tech industry predicted dire consequences, our study shows that EU content providers weathered the transition without the collapse many anticipated. These findings are highly relevant to ongoing debates about regulating privacy and corporate data practices.”

More information: Vincent Lefrere et al, Does Privacy Regulation Harm Content Providers? A Longitudinal Analysis of the Impact of the GDPR, Management Science. DOI: 10.1287/mnsc.2022.03186

Journal information: Management Science Provided by Carnegie Mellon University