pith. sign in

arxiv: 2604.18633 · v1 · submitted 2026-04-18 · 💻 cs.CR · cs.CY

Global Web, Local Privacy? An International Review of Web Tracking

Harry Yu , Patton Yin , Sebastian Zimmeck This is my paper

Pith reviewed 2026-05-10 06:07 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords web trackingGDPRePrivacy Directiveprivacy lawsBrussels effectcookie bannersopt-in jurisdictionsthird-party trackers
0
0 comments X

The pith

Privacy laws like the GDPR cut the number of web trackers on popular sites by half.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper measures third-party tracker connections on the same websites when visited from ten countries that have different privacy rules. It looks at both globally popular sites and country-specific top sites to isolate the impact of local laws on a borderless internet. Sites show markedly fewer trackers when loaded from EU countries with opt-in consent requirements than from opt-out places like the US and Australia. Avoiding interaction with cookie banners in Germany reduces trackers by nearly half on the tested sites. The authors conclude that rules such as the GDPR and ePrivacy Directive produce a measurable drop in tracking despite the global nature of the web.

Core claim

Websites from the Common Top 525 have 50.5 percent fewer average tracker connections when accessed from EU countries than from non-EU countries. Australia and California, the opt-out jurisdictions studied, record the highest overall tracking levels while opt-in jurisdictions record lower ones. For a sample of 36 global top sites, simply not interacting with cookie banners in Germany decreases trackers by 48.5 percent. Only 28 percent of those sites display cookie banners in every country studied, indicating a moderate Brussels effect, yet the paper finds that EU law functions mainly as a shield against dominant US ad-tech practices.

What carries the argument

Cross-border measurement of third-party tracker connections on matched sets of global and local top websites.

If this is right

  • Opt-in privacy jurisdictions experience lower average levels of web tracking than opt-out ones.
  • Non-interaction with cookie banners produces a large immediate drop in active trackers.
  • Global sites show partial adaptation to stricter European rules through banner display.
  • Strong enforcement of existing privacy laws remains necessary to realize further reductions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The results suggest that the strictest local rules set a de-facto standard for global sites even without universal adoption.
  • Users could gain protection by defaulting to non-EU access points or automated consent avoidance tools.
  • Differences in enforcement intensity across EU member states may explain varying tracker levels within the region.
  • Future work could test whether similar laws in new jurisdictions produce comparable percentage drops.

Load-bearing premise

The measured differences in tracker counts are caused mainly by the privacy laws rather than by site adaptations, user-agent variations, or regional ad-tech differences.

What would settle it

Repeating the measurements while forcing identical site versions and user agents across all countries and finding no tracker reduction in EU locations would show the laws are not the primary cause.

Figures

Figures reproduced from arXiv: 2604.18633 by Harry Yu, Patton Yin, Sebastian Zimmeck.

Figure 1
Figure 1. Figure 1: Overview of our web crawling pipeline implemented and run on a separate VM server for each country. 4.4. Entries Throughout this study, we use the term “entry” to refer to a unique record of an HTTP request for a tracking purpose, e.g., advertising, recorded by Privacy Pioneer. We refer to a “tracker connection” as the action that produces an entry. We use the number of entries as a proxy to quantify poten… view at source ↗
Figure 2
Figure 2. Figure 2: An example entry recorded by Privacy Pioneer. Upon visiting https://www.adobe.com/ (“rootUrl”), the site loaded Google’s conversion script (“requestUrl” = https://www.googleadservices.com/pagead/conversion.js). The entry is an advertising entry, i.e., labeled “typ” = advertising, “parentCompany” = Google, and “cookie” = 0 (no cookie recorded). For clarity, if a site makes multiple requests to the same doma… view at source ↗
Figure 3
Figure 3. Figure 3: shows the percentage of sites in a country that make at least one advertising, analytics, or social tracker connection [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: shows the average number of entries across countries. For most countries (South Africa, India, Canada, South Korea, Singapore, Germany, and Spain) it is greater in the Common Top 525 sites than in the Country-specific Top 525 sites. The Country-specific Top 525 sites show a greater range from 0.9 to 14.1 compared to the Common Top 525 sites, which have a range from 4.2 to 11.7. In the Country-specific Top … view at source ↗
Figure 5
Figure 5. Figure 5: shows the average number of entries in the advertising, analytics, and social categories for the Common and Country-specific Top 525 sites split into sites with and without a cookie banner. For the Common Top 525 sites, those without a banner have more average entries than sites with a banner. This trend holds for all countries. Sites without a banner have on average 9.6 entries, which is 26.3% more than t… view at source ↗
Figure 6
Figure 6. Figure 6: For the Common Top 525 sites the percentage of sites with cookie banners is in a narrow range across two sets of sites with one set consisting of the EU countries, Germany and Spain, and the other of the remaining countries (top). The banner distribution for the Country-specific Top 525 sites has a much larger range (bottom). (Common Top 525 sites: n = 420 for each country, Country-specific Top 525 sites: … view at source ↗
Figure 7
Figure 7. Figure 7: Cookie banners across ten countries for the Common Top 525 sites (n = 420 for each country). 28% (119/420) of sites show cookie banners in all ten countries. As previous findings suggest [36, 37], CMPs have substantial potential impact on cookie banner and tracker settings. Our findings point to their prominent role as well. During our crawl we observed 23.6% (990/4200) connections to OneTrust, as indicate… view at source ↗
Figure 8
Figure 8. Figure 8: For Germany (left) the number of tracker connections upon not interacting with cookie banners is often reduced by at least half compared to consenting. The difference is substantially less pronounced for the US (right). Our measurement for Spain (Figure A2) exhibits a similar trend as for Germany. (Common Top 525 sites: n = 36 for each country.) Figure A3 shows the distribution of parent companies for the … view at source ↗
read the original abstract

Web tracking by ad networks, social networks, and other third parties is privacy-invasive. To protect users' privacy an increasing number of countries are adopting new privacy laws. However, a major reason why their application on the web is so challenging is that privacy laws are local while the web is global. To that end, we evaluate websites' tracker connections for ten countries for two sets of sites -- the global Common Top 525 and the Country-specific Top 525 sites. We find that Australia and the US (California) -- two of the three opt-out jurisdictions in our study -- have the highest level of web tracking while opt-in jurisdictions generally have lower levels. We also find that the Common Top 525 sites have 50.5\% fewer average tracker connections when accessed from EU countries compared to non-EU countries. Further, simply not interacting with cookie banners decreases trackers by 48.5\% for Germany, as measured for a sample of 36 Common Top 525 sites. These results suggest that the General Data Protection Regulation and the ePrivacy Directive have a tangible effect in reducing tracking. As 28\% of Common Top 525 sites show cookie banners in all ten countries, our results suggest a moderate Brussels effect. However, against the backdrop of global US ad tech practices, EU law primarily acts as a Brussels shield. Generally, we think that strong enforcement of privacy laws is key to increase user privacy on the web.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper reports an observational measurement study of third-party tracker connections on the global Common Top 525 and country-specific Top 525 websites accessed from ten countries. It finds highest tracking levels in opt-out jurisdictions (Australia, US California) and generally lower levels in opt-in jurisdictions. Common Top 525 sites show 50.5% fewer average tracker connections from EU countries versus non-EU; a Germany sample of 36 sites shows 48.5% fewer trackers when cookie banners are not interacted with. The authors conclude that GDPR and the ePrivacy Directive have a tangible effect in reducing tracking, with a moderate Brussels effect (28% of Common Top 525 sites display banners in all ten countries) but primarily functioning as a Brussels shield against global US ad-tech practices, and stress the importance of strong enforcement.

Significance. If the observed differences can be attributed primarily to legal compliance, the work supplies useful empirical baselines on how regional privacy rules interact with global web infrastructure. The concrete percentages drawn from two site lists and the banner-interaction sample constitute a clear strength, providing reproducible observational data even without machine-checked proofs or parameter-free derivations. The study remains limited by its observational design, so its policy relevance hinges on whether alternative explanations can be ruled out.

major comments (2)
  1. [Results section (50.5% EU vs. non-EU comparison for Common Top 525)] Results section (50.5% EU vs. non-EU comparison for Common Top 525): the claim that this difference demonstrates a tangible effect of GDPR/ePrivacy is not supported by controls for site-level adaptations to regional ad-tech markets, differences in third-party infrastructure availability by country, crawler configuration (user-agent, cookie handling), or network-level effects. The same-site, different-location design leaves the central causal interpretation vulnerable to non-legal explanations.
  2. [Results section (Germany cookie-banner experiment)] Results section (Germany cookie-banner experiment): the 48.5% reduction is measured on a narrow sample of only 36 Common Top 525 sites in one country and isolates consent effects only locally; it does not generalize to or validate the broader cross-country EU/non-EU differences that drive the main claim.
minor comments (2)
  1. [Abstract and results] Abstract and results: the reported 50.5% and 48.5% figures lack error bars, confidence intervals, or explicit discussion of robustness to crawler configuration and tracker classification rules, reducing interpretability of the quantitative claims.
  2. [Discussion] Discussion: the 'moderate Brussels effect' inference from the 28% of sites showing banners in all ten countries would benefit from additional detail on banner detection methodology and whether banner presence correlates with actual tracker reduction.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments highlighting the observational nature of our study and the need for careful interpretation of causal claims. We address each major comment below and will revise the manuscript to clarify limitations and the scope of our findings.

read point-by-point responses

  1. Referee: Results section (50.5% EU vs. non-EU comparison for Common Top 525): the claim that this difference demonstrates a tangible effect of GDPR/ePrivacy is not supported by controls for site-level adaptations to regional ad-tech markets, differences in third-party infrastructure availability by country, crawler configuration (user-agent, cookie handling), or network-level effects. The same-site, different-location design leaves the central causal interpretation vulnerable to non-legal explanations.

    Authors: We agree that our study is observational and does not establish definitive causality. The same-site, different-location design was chosen precisely to control for site-specific content and popularity differences by measuring the identical websites from multiple jurisdictions. Crawler configurations were held constant across locations (identical user-agent strings, cookie policies, and browser settings) to reduce technical confounds. We cannot fully exclude variations in third-party infrastructure availability or site-level ad-tech adaptations, and we will revise the Results and Limitations sections to explicitly discuss these alternative explanations, emphasize the observational design, and temper causal language to 'suggests a tangible effect' while noting that enforcement and market factors may also contribute. This revision will strengthen the manuscript without altering the reported measurements. revision: partial

  2. Referee: Results section (Germany cookie-banner experiment): the 48.5% reduction is measured on a narrow sample of only 36 Common Top 525 sites in one country and isolates consent effects only locally; it does not generalize to or validate the broader cross-country EU/non-EU differences that drive the main claim.

    Authors: The Germany experiment is presented as a supplementary, illustrative analysis to demonstrate the local effect of non-interaction with consent banners in an opt-in setting, not as a direct validation or generalization of the cross-country results. The sample size of 36 was limited by the practical requirement for manual banner interaction. We will revise the text to explicitly state its supplementary role, clarify that it supports the plausibility of consent mechanisms rather than validating the primary EU/non-EU comparison, and move any interpretive language to the Discussion to avoid implying broader generalizability. revision: yes

Circularity Check

0 steps flagged

No circularity: pure observational counts with no derivations or fitted inputs

full rationale

The paper reports direct empirical measurements of tracker connection counts across jurisdictions for fixed site lists, with no equations, parameters, or derivation steps. All reported quantities (e.g., average tracker connections, percentage reductions) are raw aggregates of observed network requests rather than quantities defined from or fitted to prior outputs of the same study. The central suggestion that GDPR/ePrivacy reduce tracking is framed as an interpretation of the measured differences, not as a prediction or result derived by construction from any self-referential input. No self-citation chains, ansatzes, or uniqueness theorems are invoked to support any load-bearing step. This is a standard observational comparison study whose internal logic is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical web-measurement study. No free parameters, mathematical axioms, or invented entities are introduced; the central claims rest on observed differences in tracker counts.

pith-pipeline@v0.9.0 · 5554 in / 990 out tokens · 33585 ms · 2026-05-10T06:07:43.444610+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

92 extracted references · 92 canonical work pages

  1. [1]

    Oh, the Places You’ve Been! User Reactions to Longitudinal Transparency About Third-Party Web Tracking and Inferencing

    Weinshel, B.; Wei, M.; Mondal, M.; et al. Oh, the Places You’ve Been! User Reactions to Longitudinal Transparency About Third-Party Web Tracking and Inferencing. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 149–166

    work page 2019

  2. [2]

    A Survey on Web Tracking: Mechanisms, Implications, and Defenses

    Bujlow, T.; Carela-Espa˜nol, V .; Sol´e-Pareta, J.; et al. A Survey on Web Tracking: Mechanisms, Implications, and Defenses. Proc. IEEE2017,105, 1476–1510

    work page

  3. [3]

    European Parliament and Council of the European Union. Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). Available online: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng (accessed on 11 March 2026)

    work page 2016

  4. [4]

    European Parliament and Council of the European Union. Directive 2009/136/EC of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sec...

    work page 2009

  5. [5]

    About the LGPD

    Coordination for the Improvement of Higher Education Personnel (CAPES). About the LGPD. 2023. https://www.gov.br/capes/en/access-to-information/privacy-and-personal-data-protection/about-the-lgpd (accessed on 11 March 2026)

    work page 2023

  6. [6]

    Personal Information Protection Act

    Korea Legislation Research Institute. Personal Information Protection Act. Korea Legislation Research Institute Website

    work page

  7. [7]

    Available online: https://elaw.klri.re.kr/eng service/lawView.do?hseq=62389&lang=ENG (accessed on 11 March 2026)

    work page 2026

  8. [8]

    California Consumer Privacy Act (CCPA)

    California Department of Justice. California Consumer Privacy Act (CCPA). California Department of Justice website. 2024. Available online: https://oag.ca.gov/privacy/ccpa (accessed on 11 March 2026)

    work page 2024

  9. [9]

    The role of privacy fatigue in online privacy behavior.Comput

    Choi, H.; Park, J.; Jung, Y . The role of privacy fatigue in online privacy behavior.Comput. Hum. Behav.2018,81, 42–51

    work page 2018

  10. [10]

    The Brussels Effect.Northwestern Univ

    Bradford, A. The Brussels Effect.Northwestern Univ. Law Rev.2015,107, 1–68

    work page 2015

  11. [11]

    Privacy-Pioneer-Web-Crawler

    Privacy Tech Lab. Privacy-Pioneer-Web-Crawler. Available online: https://github.com/privacy-tech-lab/privacy-pioneer-web- crawler (accessed on 11 March 2026)

    work page 2026

  12. [12]

    FPDetective: Dusting the Web for Fingerprinters

    Acar, G.; Juarez, M.; Nikiforakis, N.; et al. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, 4–8 November 2013; pp. 1129–1140

    work page 2013

  13. [13]

    Online Tracking: A 1-million-site Measurement and Analysis

    Englehardt, S.; Narayanan, A. Online Tracking: A 1-million-site Measurement and Analysis. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), Vienna, Austria, 24–28 October 2016; pp. 1388–1401

    work page 2016

  14. [14]

    Cookies That Give You Away: The Surveillance Implications of Web Tracking

    Englehardt, S.; Reisman, D.; Eubank, C.; et al. Cookies That Give You Away: The Surveillance Implications of Web Tracking. In Proceedings of the 24th International Conference on World Wide Web (WWW), Florence, Italy, 18–22 May 2015; pp. 289–299

    work page 2015

  15. [15]

    Detecting and Defending Against Third-Party Tracking on the Web

    Roesner, F.; Kohno, T.; Wetherall, D. Detecting and Defending Against Third-Party Tracking on the Web. In Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation, San Jose, CA, USA, 25–27 April 2012; pp. 155–168

    work page 2012

  16. [16]

    Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016

    Lerner, A.; Kornfeld Simpson, A.; Kohno, T.; et al. Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In Proceedings of the 25th USENIX Security Symposium, Austin, TX, USA, 10–12 August 2016; pp. 997–1013

    work page 1996

  17. [17]

    Third-Party Web Tracking: Policy and Technology

    Mayer, J.R.; Mitchell, J.C. Third-Party Web Tracking: Policy and Technology. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–23 May 2012; pp. 413–427

    work page 2012

  18. [18]

    Disconnect Tracker Protection Lists

    Disconnect, Inc. Disconnect Tracker Protection Lists. 2025. Available online: https://github.com/disconnectme/disconnect- tracking-protection (accessed on 11 March 2026)

    work page 2025

  19. [19]

    Website Data Transparency in the Browser

    Zimmeck, S.; Goldelman, D.; Kaplan, O.; et al. Website Data Transparency in the Browser. In Proceedings on Privacy Enhancing Technologies, Online, 15–20 July 2024; pp. 211–234

    work page 2024

  20. [20]

    We Value Your Privacy· · · Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy

    Degeling, M.; Utz, C.; Lentzsch, C.; et al. We Value Your Privacy· · · Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 24–27 February 2019

    work page 2019

  21. [21]

    Before and After GDPR: The Changes in Third Party Presence at Public and Private European Websites

    Sørensen, J.K.; Kosta, S. Before and After GDPR: The Changes in Third Party Presence at Public and Private European Websites. In Proceedings of The Web Conference (WWW ’19), San Francisco, CA, USA, 13–17 May 2019; pp. 1590–1600

    work page 2019

  22. [22]

    Adtech and Real-Time Bidding under European Data Protection Law.Ger

    Veale, M.; Zuiderveen Borgesius, F. Adtech and Real-Time Bidding under European Data Protection Law.Ger. Law J.2022, 23, 226–256

    work page 2022

  23. [23]

    Clash of the Trackers: Measuring the Evolution of the Online Tracking Ecosystem

    Solomos, K.; Ilia, P.; Ioannidis, S.; et al. Clash of the Trackers: Measuring the Evolution of the Online Tracking Ecosystem

    work page

  24. [24]

    Available online: https://arxiv.org/abs/1907.12860 (accessed on 11 March 2026)

    work page arXiv 1907

  25. [25]

    European Privacy Law and Global Markets for Data

    Peukert, C.; Bechtold, S.; Batikas, M.; et al. European Privacy Law and Global Markets for Data. 2020. Available online: https://doi.org/10.3929/ethz-b-000406601 (accessed on 11 March 2026). https://doi.org/10.xxxx/xxx 20 of 23 Yu et al.Pragmatic Cybersecur.2026,Volume(Issue), Page Number

    work page doi:10.3929/ethz-b-000406601 2020

  26. [26]

    Measuring the Impact of the GDPR on Data Sharing in Ad Networks

    Urban, T.; Tatang, D.; Degeling, M.; et al. Measuring the Impact of the GDPR on Data Sharing in Ad Networks. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (AsiaCCS ’20), Taipei, Taiwan, 5–9 October 2020; pp. 222–235

    work page 2020

  27. [27]

    Taming the Cookie Monster with Dutch Law—A Tale of Regulatory Failure.Comput

    Leenes, R.; Kosta, E. Taming the Cookie Monster with Dutch Law—A Tale of Regulatory Failure.Comput. Law Secur. Rev. 2015,31, 317–335

    work page 2015

  28. [28]

    C-311/18, Data Protection Comm’r v

    Court of Justice of the European Union. C-311/18, Data Protection Comm’r v. Facebook Ire. Ltd. & Schrems. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62018CJ0311& from=ENhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62018CJ0311&from=EN (accessed on 11 March 2026)

    work page 2026

  29. [29]

    Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S

    Rubinstein, I.; Margulies, P. Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground.Conn. L. Rev.2022,54, 391–456

    work page 2022

  30. [30]

    The Brussels effect(s) and the rise of a privacy profession.Int

    Birnhack, M.D.; Mundlak, G. The Brussels effect(s) and the rise of a privacy profession.Int. Data Priv. Law2025, 15, 138–155

    work page

  31. [31]

    Measuring Cookies and Web Privacy in a Post-GDPR World

    Dabrowski, A.; Merzdovnik, G.; Ullrich, J.; et al. Measuring Cookies and Web Privacy in a Post-GDPR World. In Proceedings of the International Conference on Passive and Active Measurement (PAM 2019), Puerto Varas, Chile, 27–29 March 2019; V olume 11419, pp. 258–270

    work page 2019

  32. [32]

    4 Years of EU Cookie Law: Results and Lessons Learned

    Trevisan, M.; Traverso, S.; Bassi, E.; et al. 4 Years of EU Cookie Law: Results and Lessons Learned. In Proceedings on Privacy Enhancing Technologies (PoPETs 2019), Online, 16–20 July 2019; pp. 126–145

    work page 2019

  33. [33]

    Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework

    Matte, C.; Bielova, N.; Santos, C. Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (IEEE S&P ’20), San Francisco, CA, USA, 18–21 May 2020; pp. 791–809

    work page 2020

  34. [34]

    Automating Cookie Consent and GDPR Violation Detection

    Bollinger, D.; Kubicek, K.; Cotrini, C.; et al. Automating Cookie Consent and GDPR Violation Detection. In Proceedings of the 31st USENIX Security Symposium (USENIX Security’22), Boston, MA, USA, 10–12 August 2022; pp. 2893–2910

    work page 2022

  35. [35]

    Automated Large-Scale Analysis of Cookie Notice Compliance

    Bouhoula, A.; Kubicek, K.; Zac, A.; et al. Automated Large-Scale Analysis of Cookie Notice Compliance. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security’24), Philadelphia, PA, USA, 14–16 August 2024; pp. 1723–1739

    work page 2024

  36. [36]

    Measuring the Emergence of Consent Management on the Web

    Hils, M.; Woods, D.W.; B¨ohme, R. Measuring the Emergence of Consent Management on the Web. 2020. Available online: https://informationsecurity.uibk.ac.at/pdfs/HWB2020 Consent Management IMC.pdf (accessed on 11 March 2026)

    work page 2020

  37. [37]

    Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR

    Machuletz, D.; B ¨ohme, R. Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR. In Proceedings on Privacy Enhancing Technologies (PoPETs 2020), Virtual, 13–17 July 2020; pp. 481–498

    work page 2020

  38. [38]

    A Cross-Country Analysis of GDPR Cookie Banners and Flexible Methods for Scraping Them

    Nouwens, M.; Kristensen, J.B.; Maalt, K.; et al. A Cross-Country Analysis of GDPR Cookie Banners and Flexible Methods for Scraping Them. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, Yokohama, Japan, 26 April–1 May 2025

    work page 2025

  39. [39]

    Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

    Nouwens, M.; Liccardi, I.; Veale, M.; et al. Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI ’20), Honolulu, HI, USA, 25–30 April 2020; pp. 1–13

    work page 2020

  40. [40]

    PriSEC: A Privacy Settings Enforcement Controller

    Khandelwal, R.; Linden, T.; Harkous, H.; et al. PriSEC: A Privacy Settings Enforcement Controller. In Proceedings of the 30th USENIX Security Symposium, Online, 11–13 August 2021; pp. 465–482

    work page 2021

  41. [41]

    Websites’ Global Privacy Control Compliance at Scale and over Time

    Hausladen, K.; Wang, O.; Eng, S.; et al. Websites’ Global Privacy Control Compliance at Scale and over Time. In Proceedings of the 34th USENIX Security Symposium (USENIX Security 2025), Seattle, W A, USA, 13–15 August 2025; pp. 5837–5856

    work page 2025

  42. [42]

    Usability and Enforceability of Global Privacy Control

    Zimmeck, S.; Wang, O.; Alicki, K.; et al. Usability and Enforceability of Global Privacy Control. In Proceedings of the 23rd Privacy Enhancing Technologies Symposium (PETS 2023), Lausanne, Switzerland, 10–15 July 2023; pp. 265–281

    work page 2023

  43. [43]

    Intractable Cookie Crumbs: Unveiling the Nexus of Stateful Banner Interaction and Tracking Cookies.arXiv2025, arXiv:2506.11947

    Rasaii, A.; Dao, H.; Feldmann, A.; et al. Intractable Cookie Crumbs: Unveiling the Nexus of Stateful Banner Interaction and Tracking Cookies.arXiv2025, arXiv:2506.11947

    work page arXiv

  44. [44]

    TCF—Transparency & Consent Framework

    IAB Europe. TCF—Transparency & Consent Framework. Available online: https://iabeurope.eu/transparency-consent- framework/ (accessed on 11 March 2026)

    work page 2026

  45. [45]

    Opting Out May Not Prevent Websites from Collecting Your Data

    Zimmeck, S. Opting Out May Not Prevent Websites from Collecting Your Data. 2021. Available online: (accessed on 11 March 2026)

    work page 2021

  46. [46]

    Navigating Cookie Consent Violations Across the Globe

    Tang, B.; Bui, D.; Shin, K.G. Navigating Cookie Consent Violations Across the Globe. In Proceedings of the 34th USENIX Conference on Security Symposium, Seattle, W A, USA, 13–15 August 2025

    work page 2025

  47. [47]

    Cost-Based California Effects.Yale J

    Frankenreiter, J. Cost-Based California Effects.Yale J. Regul.2022,39, 1155–1217

    work page 2022

  48. [48]

    Dissecting Privacy Perspectives of Websites Around the World: ”Aceptar Todo, Alle Akzeptieren, Accept All

    Ogut, A.; Turanlioglu, B.; Metiner, D.C.; et al. Dissecting Privacy Perspectives of Websites Around the World: ”Aceptar Todo, Alle Akzeptieren, Accept All. . .” In Proceedings of the 33rd USENIX Security Symposium, Philadelphia, PA, USA, 14–16 August 2024; pp. 2849–2863

    work page 2024

  49. [49]

    The Impact of User Location on Cookie Notices (Inside and Outside of the European Union).arXiv2021, arXiv:2110.09832

    Eijk, R.V .; Asghari, H.; Winter, P.; et al. The Impact of User Location on Cookie Notices (Inside and Outside of the European Union).arXiv2021, arXiv:2110.09832

    work page arXiv

  50. [50]

    International Differences in Information Privacy Concerns: A Global Survey of Consumers

    Bellman, S.; Johnson, E.J.; Kobrin, S.J.; et al. International Differences in Information Privacy Concerns: A Global Survey of Consumers. Available online: https://business.columbia.edu/sites/default/files-efs/imce-uploads/CDS/1172.pdf (accessed https://doi.org/10.xxxx/xxx 21 of 23 Yu et al.Pragmatic Cybersecur.2026,Volume(Issue), Page Number on 11 March 2026)

    work page 2026

  51. [51]

    The role of personal data value, culture and self-construal in online privacy behaviour.PLoS ONE2021,16, e0253568

    Fleming, P.; Bayliss, A.P.; Edwards, S.G.; et al. The role of personal data value, culture and self-construal in online privacy behaviour.PLoS ONE2021,16, e0253568

    work page

  52. [52]

    Cultural differences in privacy protection: A case study of DiDi privacy violations.Issues Inf

    Hua, J.; Wang, P. Cultural differences in privacy protection: A case study of DiDi privacy violations.Issues Inf. Syst.2023, 24, 304–319

    work page 2023

  53. [53]

    A cross-cultural analysis of transparency: the interplay of law, privacy policies, and user perceptions.Int

    Xu, M.; ˇZiga Jug.; TamoLarrieux, A. A cross-cultural analysis of transparency: the interplay of law, privacy policies, and user perceptions.Int. Data Priv. Law2024,14, 197–222

    work page

  54. [54]

    SoK: Technical Implementation and Human Impact of Internet Privacy Regulations

    Birrell, E.; Rodolitz, J.; Ding, A.; et al. SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2024; pp. 673–696

    work page 2024

  55. [55]

    The Limitations of Privacy Rights.Notre Dame Law Rev.2023,98, 975–1036

    Solove, D.J. The Limitations of Privacy Rights.Notre Dame Law Rev.2023,98, 975–1036

    work page 2023

  56. [56]

    The Extra-Territorial Reach of PIPEDA: T

    Practical Law Canada Commercial Transactions. The Extra-Territorial Reach of PIPEDA: T. (A.) v. Globe24h.com. Available on- line: https://ca.practicallaw.thomsonreuters.com/w-005-9407?transitionType=Default&contextData=(sc.Default)&firstPage=true (accessed on 11 March 2026)

    work page 2026

  57. [57]

    Advisory Guidelines on Key Concepts in the Personal Data Protection Act

    Personal Data Protection Commission Singapore. Advisory Guidelines on Key Concepts in the Personal Data Protection Act. Available online: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory- guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf (accessed on 11 March 2026)

    work page 2022

  58. [58]

    Guidelines on Applying the Per- sonal Information Protection Act to Foreign Business Operators

    Personal Information Protection Commission. Guidelines on Applying the Per- sonal Information Protection Act to Foreign Business Operators. Available online: https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS217&mCode=D010030000&nttId=10059 (ac- cessed on 11 March 2026)

    work page 2026

  59. [59]

    Judgment of the Court (Grand Chamber) of 4 July 2023

    EUR-Lex. Judgment of the Court (Grand Chamber) of 4 July 2023. Meta Platforms Inc and Others v Bundeskartellamt. Re- quest for a Preliminary Ruling from the Oberlandesgericht D¨usseldorf. 2023. Available online: https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=celex:62021CJ0252 (accessed on 11 March 2026)

    work page 2023

  60. [60]

    Judgment of the Court (Grand Chamber) of 1 October 2019

    EUR-Lex. Judgment of the Court (Grand Chamber) of 1 October 2019. Bundesverband der Verbraucherzentralen und Ver- braucherverb¨ande— Verbraucherzentrale Bundesverband e.V . v Planet49 GmbH. Request for a Preliminary Ruling from the Bundesgerichtshof. 2019. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62017CJ0673 (accessed ...

    work page 2019

  61. [61]

    Personal data processing for behavioural targeting: which legal basis?Int

    Zuiderveen Borgesius, F.J. Personal data processing for behavioural targeting: which legal basis?Int. Data Priv. Law2015, 5, 163–176

    work page

  62. [62]

    Cookies e protec ¸˜ao de dados pessoais

    Autoridade Nacional de Protec ¸˜ao de Dados. Cookies e protec ¸˜ao de dados pessoais. Available online: https://www.gov.br/ anpd/pt- br/centrais-de-conteudo/materiais-educativos-e-publicacoes/guia-orientativo-cookies-e-protecao-de-dados-pessoais.pdf (accessed on 11 March 2026)

    work page 2026

  63. [63]

    Advisory Guidelines on The Personal Data Protection Act (PDPA) for Selected Topics

    Personal Data Protection Commission Singapore. Advisory Guidelines on The Personal Data Protection Act (PDPA) for Selected Topics. Available online: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-selected- topics/advisory-guidelines-on-the-pdpa-for-selected-topics-(revised-may-2024).pdf (accessed on 11 March 2026)

    work page 2024

  64. [64]

    Guidance Note on Direct Marketing

    Information Regulator South Africa. Guidance Note on Direct Marketing. Available online: https://inforegulator.org.za/wp- content/uploads/2020/07/GUIDANCE-NOTE-ON-DIRECT-MARKETING-IN-TERMS-OF-THE-PROTECTION-OF- PERSONAL-INFORMATION-ACT-4-OF-2013-POPIA.pdf (accessed on 11 March 2026)

    work page 2020

  65. [65]

    Tracking pixels and privacy obligations

    Office of the Australian Information Commissioner. Tracking pixels and privacy obligations. Available on- line: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tracking- pixels-and-privacy-obligations (accessed on 11 March 2026)

    work page 2026

  66. [66]

    Guidelines on privacy and online behavioural advertising

    Office of the Privacy Commissioner of Canada. Guidelines on privacy and online behavioural advertising. Available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and- ads/gl ba 1112/ (accessed on 11 March 2026)

    work page 2026

  67. [67]

    CCPA Enforcement Case Examples

    State of California Department of Justice. CCPA Enforcement Case Examples. Available online: https://oag.ca.gov/privacy/ccpa/enforcement (accessed on 11 March 2026)

    work page 2026

  68. [68]

    Verwaltunsgericht Hannover. Urt. v. 19.03.2025, Az.: 10 A 5385/22. Available online: https://voris.wolterskluwer- online.de/browse/document/230df5cf-d76c-4561-9499-e44445a96f11 (accessed on 11 March 2026)

    work page 2025

  69. [69]

    Procedimiento Nº: EXP202309901 (PS/00284/2024

    Agencia Espa ˜nola de Protecci ´on de Datos. Procedimiento Nº: EXP202309901 (PS/00284/2024. Available online: https://www.aepd.es/documento/ps-00284-2024.pdf (accessed on 11 March 2026)

    work page 2024

  70. [70]

    GDPR Enforcement Tracker

    CMS. GDPR Enforcement Tracker. Available online: https://www.enforcementtracker.com/?insights (accessed on 11 March 2026)

    work page 2026

  71. [71]

    Landmark settlement of $50m from Meta for Australian users impacted by Cambridge Analytica incident

    Office of the Australian Information Commissioner. Landmark settlement of $50m from Meta for Australian users impacted by Cambridge Analytica incident. Available online: https://www.oaic.gov.au/news/media-centre/landmark-settlement-of- $50m-from-meta-for-australian-users-impacted-by-cambridge-analytica-incident (accessed on 11 March 2026)

    work page 2026

  72. [72]

    Joint investigation of Facebook, Inc

    Office of the Privacy Commissioner of Canada. Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. Available online: https://www.priv.gc.ca/en/opc- actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/ (accessed on 11 March 2026). ...

    work page 2019

  73. [73]

    South Korea’s PIPC Fines Meta for Unauthorized Use of Sensitive Data and Privacy Violations

    Werner, J. South Korea’s PIPC Fines Meta for Unauthorized Use of Sensitive Data and Privacy Violations. Available online: https://babl.ai/south-korea-pipc-fines-meta-for-unauthorized-use-of-sensitive-data-and-privacy-violations/ (accessed on 11 March 2026)

    work page 2026

  74. [74]

    California Won’t Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney, Largest CCPA Settlement in California History

    State of California Department of Justice. California Won’t Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney, Largest CCPA Settlement in California History. Available online: https://oag.ca.gov/news/press- releases/california-wont-let-it-go-attorney-general-bonta-announces-275-million (accessed on 11 March 2026)

    work page 2026

  75. [75]

    Attorney General Bonta Announces Largest CCPA Settlement to Date, Se- cures $1.55 Million from Healthline.com

    State of California Department of Justice. Attorney General Bonta Announces Largest CCPA Settlement to Date, Se- cures $1.55 Million from Healthline.com. Available online: https://oag.ca.gov/news/press-releases/attorney-general-bonta- announces-largest-ccpa-settlement-date-secures-155 (accessed on 11 March 2026)

    work page 2026

  76. [76]

    Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act

    State of California Department of Justice. Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act. Available online: https://oag.ca.gov/news/press-releases/attorney-general- bonta-announces-settlement-sephora-part-ongoing-enforcement (accessed on 11 March 2026)

    work page 2026

  77. [77]

    Connecticut, California and Colorado Announce Joint Investigative Privacy Sweep

    Connecticut Office of the Attorney General. Connecticut, California and Colorado Announce Joint Investigative Privacy Sweep. Available online: https://portal.ct.gov/ag/press-releases/2025-press-releases/connecticut-california-and-colorado- announce-joint-investigative-privacy-sweep (accessed on 11 March 2026)

    work page 2025

  78. [78]

    Youth Sports Media Company to Pay $1.10 Million Fine, Change Practices Over Privacy Violations

    California Privacy Protection Agency. Youth Sports Media Company to Pay $1.10 Million Fine, Change Practices Over Privacy Violations. Available online: https://privacy.ca.gov/2026/03/youth-sports-media-company-to-pay-1-1-million-fine- change-practices-over-privacy-violations/ (accessed on 11 March 2026)

    work page 2026

  79. [79]

    Ford to Change Practices, Pay Fine for Adding Unnecessary Friction to Opt-Out Process

    California Privacy Protection Agency. Ford to Change Practices, Pay Fine for Adding Unnecessary Friction to Opt-Out Process. Available online: https://privacy.ca.gov/2026/03/ford-to-change-practices-pay-fine-for-adding-unnecessary-friction- to-opt-out-process/ (accessed on 11 March 2026)

    work page 2026

  80. [80]

    Lessons from Brazilian DPA sanctions to date

    Luz, J.C.J. Lessons from Brazilian DPA sanctions to date. Available online: https://iapp.org/news/a/lessons-from-brazilian- dpa-sanctions-to-date (accessed on 11 March 2026)

    work page 2026

Showing first 80 references.