GDPR use in urls

On May 25, 2018 GDPR went into effect. The General Data Protection Regulation (yes, I had to look it up) is an EU standard to protect customer data in the EU. For users, it basically means more popups on cookies and tracking. For those in the EU, it also means that some websites from outside the EU are no longer accessible (the sites prefer to keep the detailed tracking, and simply block EU visitors).

How is GDPR implemented? in the HTTP Archive, we see a lot of requests with the term ‘gdpr’ in the url (often as url parameters, i.e “&gdpr=0”). So, how has the addition of GDPR to the legal landscape affected the urls in on the web today?

Simply looking for website requests with the term ‘gdpr’ shows a small bump in the middle of May, but a large increase in the June 1, 2018 crawl:

Post GDPR enforcement, there has been continued growth of requests using gdpr in the url - nearly doubling again by July 1 as more sites become GDPR compliant.

In the July 15 run of HTTP archive, the number of sites run jumped from 500k to 1.2M, so the y-axis values change drastically, but we still see growth in the number of requests using GDPR or about 100k new requests every 2 weeks:

It appears that more and more sites are adding gdpr compliance to their sites, and the term is appearing in the urls of requests that are gdpr compliant. in 4 months, we’ve seen a jump from near 0 to 2.4% of all urls containing the term GDPR.

For reference, here is the query I used to tabulate the data:
SELECT
SUBSTR(_TABLE_SUFFIX, 0, 10) AS date,
COUNT(url)
FROM
httparchive.requests.2018*
WHERE
url like “%gdpr%” AND _TABLE_SUFFIX like “%mobile%”
GROUP BY
_TABLE_SUFFIX
ORDER BY
date DESC

Thanks very much for the data but please don’t continue to peddle common misconceptions about GDPR. It is first and foremost harmonisation of rules within the EU single market: having differing data protection regimes is considered to restrict competition. The US has odd notions of jurisdiction and assumes both in theory and practice that US law is universal. That this is not the case in the rest of the world is one of the drivers behind GDPR.

The main visible consequence of GDPR is that the concept of explicit permission that must be given before data can be collected on users. This isn’t difficult to understand and it does not of itself mean more popups and banners. What it does do is highlight the information asymmetry of many online business models that suggest personal data can be traded for services without actually pricing the personal data.

GDPR is being taken up outside the EU not just because of the size of the market but because the definitions of what can be considered personal data and consent are considered useful. Other countries and companies are also waking up to the fact that sometimes it’s better to regulate before the fact and thus provide some indemnity: class action suits over the inevitable breaches of personal data should have less force where GDPR is followed. Though, of course, US district courts may consider this irrelevant when awarding damages.

The scope of the adoption also highlights the change in the sanctions regime but also the effectiveness in communicating the regulations. This might be meaningfully compared with other bureaucratic regulations such as accessibility which though important, have been badly drafter, poorly communicated and ineffectively enforced.

I don’t think the intention here is to have a political debate about GDPR, but simply to analyze its technical effects on websites.