The Impact of Privacy Laws on Websites and Users 3736976011, 9783736976016

Citation preview

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Websites and Users

Inaugural-Dissertation

zur Erlangung des Doktorgrades des Fachbereiches Wirtschaftswissenschaften der Johann Wolfgang Goethe-Universität Frankfurt am Main

vorgelegt von Julia Franziska Schmitt aus Bad Soden am Taunus, Deutschland

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Bibliografische Information der Deutschen Nationalbibliothek Die Deutsche Nationalbibliothek verzeichnet diese Publikation in der Deutschen Nationalbibliografie; detaillierte bibliographische Daten sind im Internet über http://dnb.d-nb.de abrufbar. 1. Aufl. - Göttingen: Cuvillier, 2022 Zugl.: Frankfurt a. M., Univ., Diss., 2022

© CUVILLIER VERLAG, Göttingen 2022 Nonnenstieg 8, 37075 Göttingen Telefon: 0551-54724-0 Telefax: 0551-54724-21 www.cuvillier.de

Alle Rechte vorbehalten. Ohne ausdrückliche Genehmigung des Verlages ist es nicht gestattet, das Buch oder Teile daraus auf fotomechanischem Weg (Fotokopie, Mikrokopie) zu vervielfältigen. 1. Auflage, 2022 Gedruckt auf umweltfreundlichem, säurefreiem Papier aus nachhaltiger Forstwirtschaft. ISBN 978-3-7369-7601-6 eISBN 978-3-7369-6601-7

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Vorwort

Es handelt sich um eine Dissertation des Fachbereichs Wirtschaftswissenschaften der Johann Wolfgang Goethe Universität, Frankfurt am Main.

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Table of Contents List of Figures ........................................................................................................................... V List of Tables ......................................................................................................................... VII List of Abbreviations ............................................................................................................... IX 0

Synopsis .............................................................................................................................. 1 0.1 0.2 0.3 0.4

Introduction.................................................................................................................. 1 Aim and Structure of Dissertation ............................................................................... 5 Summary and Results of Articles ................................................................................ 9 Implications of Results .............................................................................................. 13 0.4.1 Implications of Results for Websites ............................................................... 14 0.4.2 Implications of Results for Policymakers ........................................................ 15 0.4.3 Implications of Results for Users ..................................................................... 17 0.4.4 Implications of Results for Research ............................................................... 17 0.5 References.................................................................................................................. 19 1

The Impact of Privacy Laws on Online User Behavior .................................................... 21 1.1 Introduction................................................................................................................ 22 1.2 Knowledge on Effects of Privacy Changes on Online User Behavior ...................... 25 1.2.1 User Attitudes and Behavior with Regard to Privacy ...................................... 25 1.2.2 Field Studies: Effects of Privacy Laws on Various Outcomes ........................ 27 1.3 Description of Empirical Study ................................................................................. 28 1.3.1 Background on the GDPR ................................................................................ 28 1.3.2 Description of Set-Up of Empirical Study ....................................................... 29 1.3.3 Overview of Data ............................................................................................. 30 1.3.3.1 Description of Data Sample. ................................................................ 30 1.3.3.2 Description of User Quantity and Usage Intensity Metrics ................. 33 1.3.4 Description of Methodology to Analyze Data ................................................. 36 1.3.4.1 Description of Methodology to Analyze User Quantity Metrics ......... 36 1.3.4.2 Description of Methodology to Analyze Usage Intensity .................... 38 1.3.4.3 Description of Methodology to Analyze Variations of Effects across Websites ............................................................................................... 39 1.4 Results of Empirical Study ........................................................................................ 39 1.4.1 GDPR’s Effect on User Quantity Metrics ........................................................ 39 1.4.2 GDPR’s Effect on Usage Intensity Metrics ..................................................... 42 1.4.3 Variation in GDPR’s Effects as a Function of Website and User Characteristics .................................................................................................. 44 1.4.3.1 Variation in the GDPR’s Effects as a Function of the Industry of the Website ............................................................................................... 44 1.4.3.2 Variation in the GDPR’s Effects as a Function of Website Popularity 46

I Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

1.5

1.6

1.7 1.8 1.9

1.4.3.3 Variation in the GDPR’s Effects as a Function of Users’ Country of Origin ............................................................................................... 48 1.4.4 Robustness of Results....................................................................................... 50 1.4.4.1 Robustness Checks with Respect to Website Selection ....................... 50 1.4.4.2 Robustness Checks with Respect to Control Group ............................ 50 1.4.4.3 Robustness Checks with Respect to Data ............................................ 51 1.4.4.4 Robustness Checks with Respect to Confounding Factors .................. 52 1.4.4.5 Robustness Checks with Respect to the Synthetic Control Method .... 52 Discussion .................................................................................................................. 53 1.5.1 Summary of Results: User Quantity and Usage Intensity ................................ 53 1.5.2 Differential Effects of the GDPR as a Function of Website and User Characteristics .................................................................................................. 55 Analysis of GDPR’s Economic Effect on Websites .................................................. 56 1.6.1 Analysis of GDPR’s Economic Effect on E-Commerce Websites .................. 56 1.6.2 Analysis of GDPR’s Economic Effect on Ad-Based Websites ....................... 57 Concluding Remarks ................................................................................................. 57 References.................................................................................................................. 59 Appendix.................................................................................................................... 63 1.9.1 Appendix A: Additional Figures ...................................................................... 63 1.9.2 Appendix B: Derivation of Analysis of Usage Intensity Metrics .................... 68 1.9.3 Appendix C: Robustness Checks with Respect to Website Selection ............. 70 1.9.3.1 Decreasing the Threshold for Website Filtering .................................. 70 1.9.3.2 Increasing the Threshold for Website Filtering ................................... 70 1.9.4 Appendix D: Robustness Checks with Respect to Early and Late Compliance....................................................................................................... 74 1.9.5 Appendix E: Robustness Checks with Respect to Control Group ................... 75 1.9.5.1 Closer Examination of the Non-EU-Websites based on Share of EUTraffic ............................................................................................... 76 1.9.5.2 Closer Comparison of EU-Websites and Non-EU-Websites for NonEU-Users .............................................................................................. 78 1.9.5.3 Closer Comparison of EU-Users and Non-EU-Users for EUWebsites ............................................................................................... 78 1.9.5.4 Examination of Non-EU-User Interface on Subsample of Control Websites ............................................................................................... 79 1.9.5.5 Usage of Stricter Control Group with Websites with Definitive NonEU-Location ......................................................................................... 80 1.9.6 Appendix F: Robustness Checks with Respect to Data ................................... 82 1.9.6.1 Comparison of SimilarWeb Data with AGOF Data for Unique Visitors ............................................................................................... 82 1.9.6.2 Comparison of SimilarWeb Data with AGOF Data for Page Impressions .......................................................................................... 83 1.9.7 Appendix G: Robustness Checks with Respect to Confounding Factors ........ 85 1.9.8 Appendix H: Robustness Checks with Respect to the Synthetic Control Method ............................................................................................................. 87

II Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

1.9.8.1 Usage of another Synthetic Control Method ........................................ 88 1.9.8.2 Calculation of Synthetic Control Group without Industry Specification ......................................................................................... 88 1.9.8.3 Calculation of Synthetic Control Group with EU-Traffic Share as Matching Variable ................................................................................ 88 1.9.8.4 Calculation of Synthetic Control Group with a Higher Number of Control Websites .................................................................................. 89 1.9.9 Appendix References ....................................................................................... 90 2

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates .................... 91 2.1 Introduction................................................................................................................ 92 2.2 User Decision Behavior on Consent Banners ............................................................ 95 2.2.1 User Decision Behavior in Privacy Settings .................................................... 95 2.2.2 User Decision Behavior and Consent Banners ................................................ 96 2.3 Description of Empirical Study ................................................................................. 98 2.3.1 Description of Consent Banners ....................................................................... 98 2.3.2 Description of Experimental Design .............................................................. 100 2.3.3 Description of Dependent Variable ................................................................ 100 2.3.4 Description of Independent Variables ............................................................ 101 2.3.4.1 Description of Experiment 1: Consent Banner Position and Close Option ............................................................................................. 105 2.3.4.2 Description of Experiment 2: Consent Banner Button Labels ........... 106 2.4 Results of Consent Banner Design Variations......................................................... 108 2.4.1 Results of Experiment 1: Impact of Consent Banner Position and Close Button Existence ............................................................................................ 108 2.4.2 Results of Experiment 2: Impact of Button Labels ........................................ 111 2.5 Summary and Implications of Results ..................................................................... 115 2.6 Conclusion and Limitations ..................................................................................... 116 2.7 References................................................................................................................ 119 2.8 Appendix.................................................................................................................. 123

3

The Illusion of Control: Control and Convenience on Consent Banners........................ 125 3.1 Introduction.............................................................................................................. 126 3.2 Previous Findings on Consent Banners’ Control and Convenience ........................ 130 3.2.1 Theoretical Framework and Existing Literature ............................................ 130 3.2.2 Background on GDPR and Consent Banners ................................................. 132 3.3 Evaluation and Description of Consent Banners’ Control ...................................... 134 3.3.1 Evaluation of Consent Banners’ Control ....................................................... 134 3.3.2 Description of Consent Banners’ Control ...................................................... 134 3.4 Evaluation and Description of Consent Banners’ Convenience .............................. 135 3.4.1 Evaluation of Consent Banners’ Convenience ............................................... 135 3.4.1.1 Selection of Consent Banner Characteristics ..................................... 136 3.4.1.2 Setup of User Study ........................................................................... 139 III

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

3.4.2 Description of Consent Banners’ Convenience ............................................. 141 3.5 Determination and Description of Consent Banner Designs ................................... 145 3.5.1 Determination of Consent Banner Designs .................................................... 145 3.5.2 Description of Consent Banner Designs ........................................................ 145 3.6 Evaluation of Consent Banners’ Control and Convenience .................................... 149 3.6.1 Distribution of One-Layer Consent Banners’ Control and Convenience ...... 149 3.6.2 Distribution of Two-Layer Consent Banners’ Control and Convenience ...... 153 3.7 Conclusion ............................................................................................................... 158 3.7.1 Summary of Results ....................................................................................... 158 3.7.2 Contribution and Implication of Results ........................................................ 160 3.7.3 Limitations and Future Research.................................................................... 161 3.8 References................................................................................................................ 163 3.9 Appendix.................................................................................................................. 166 Curriculum Vitae ................................................................................................................... 169

IV Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

List of Figures Figure 0.1: Example of a Consent Banner ................................................................................. 2 Figure 0.2: Theoretical Foundation of Dissertation ................................................................... 3 Figure 0.3: Aim of Thesis and Scope of Articles....................................................................... 7 Figure 1.1: Scope of GDPR and Resulting Assignment to Treatment and Control Group ..... 29 Figure 1.2: Comparison of Logarithm of User Quantity Metrics between Treatment and Control Group and Pre- and Post-GDPR Period ................................................... 35 Figure 1.3: Distribution of the Effect of GDPR on Weekly Total Number of Visits over Time ...................................................................................................................... 40 Figure 1.4: Distribution of the Effect of GDPR across Website Industries ............................. 45 Figure 1.5: Distribution of the Effect of GDPR across Deciles of Industry Ranks ................. 47 Figure 1.6: Distribution of the Effect of GDPR across User Countries................................... 49 Figure 2.1: Example of a Consent Banner ............................................................................... 93 Figure 2.2: Example of a Consent Banner’s Second Layer ..................................................... 98 Figure 2.3: Consent Banner Designs with a Close Button in Experiment 1 .......................... 106 Figure 2.4: Button Labels in Experiment 2 ............................................................................ 108 Figure 2.5: Average Consent Rates for Consent Banner Designs in Experiment 1 .............. 109 Figure 2.6: Average Consent Rate for Button Labels in Experiment 2 ................................. 112 Figure 3.1: Example of a Consent Banner ............................................................................. 126 Figure 3.2: Interplay of Studies with Evaluation of Control and Convenience Distribution 129 Figure 3.3: Example of a Two-Layer Consent Banner’s First Layer .................................... 133 Figure 3.4: Example of a Two-Layer Consent Banner’s Second Layer ................................ 133 Figure 3.5: Most and Least Convenient First Layer Design .................................................. 143 Figure 3.6: Most and Least Convenient Second Layer Design ............................................. 144 Figure 3.7: One-Layer Consent Banner Design Distribution (n=559) .................................. 146 Figure 3.8: Two-Layer Consent Banner Design Distribution (n=681) .................................. 148 Figure 3.9: Theoretical Distribution of Convenience and Control on One-Layer Consent Banners (n=54).................................................................................................... 152 Figure 3.10: Empirical Distribution of Convenience and Control on One-Layer Consent Banners (n=559).................................................................................................. 152 Figure 3.11: Theoretical Distribution of Convenience and Control on First Layer of TwoLayer Consent Banners (n=10,368) .................................................................... 156 Figure 3.12: Empirical Distribution of Convenience and Control on First Layer of Two-Layer Consent Banners (n=681) ................................................................................... 156

V Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Figure 3.13: Theoretical Distribution of Convenience and Control on Second Layer of TwoLayer Consent Banners (n=10,368) .................................................................... 157 Figure 3.14: Empirical Distribution of Convenience and Control on Second Layer of TwoLayer Consent Banners (n=681) ......................................................................... 157

Appendix – Chapter 1 Figure A1 - 1: Distribution of Websites across Industries ....................................................... 63 Figure A1 - 2: Distribution of the Effect of GDPR on Monthly Number of Unique Visitors over Time .............................................................................................................. 64 Figure A1 - 3: Distribution of the Effect of GDPR on Weekly Number of Page Impressions over Time .............................................................................................................. 65 Figure A1 - 4: Distribution of the Effect of GDPR on Weekly Time on Website over Time . 66 Figure A1 - 5: Distribution of the Effect of GDPR on Weekly Number of Bouncing Visitors over Time .............................................................................................................. 67

Appendix – Chapter 3 Figure A3 - 1: Choice Sets and Stimuli for Conjoint Analysis for First Layer ..................... 166 Figure A3 - 2: Choice Sets and Stimuli for Conjoint Analysis for Second Layer ................. 167

VI Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

List of Tables Table 0.1: Description of Articles within Thesis ........................................................................ 8 Table 1.1: Derivation of Final Sample of Website-Instances ................................................... 32 Table 1.2: Distribution of Website-Instances in Treatment and Control Groups ..................... 33 Table 1.3: Relationship between the User Quantity and Usage Intensity Metrics ................... 34 Table 1.4: Summary of Results for User Quantity Metrics ...................................................... 41 Table 1.5: Summary of GDPR’s Effect on Usage Intensity Metrics ........................................ 43 Table 2.1: Possible User Decisions on Consent Banners and Consequences for Websites ..... 99 Table 2.2: Possible Consent Banner Design Characteristics and Levels ................................ 103 Table 2.3: Consent Banner Design Characteristics Tested in Experiment 1 .......................... 105 Table 2.4: Consent Banner Design Characteristics Tested in Experiment 2 .......................... 107 Table 2.5: Number of Observations per User Decision in Experiment 1 ............................... 109 Table 2.6: Pairwise Comparisons of Position and Close Option ............................................ 110 Table 2.7: Pairwise Comparisons of Button Labels................................................................ 113 Table 3.1: Categories of Consent Banners’ Control ............................................................... 134 Table 3.2: Preliminary Set of Possible Consent Banner Characteristics (Before Interviews) 137 Table 3.3: Final Set of Consent Banner Design Characteristics (After Interviews) ............... 139 Table 3.4: Description of the Participant Sample (n=188) ..................................................... 141 Table 3.5: Part-Worth Estimations and Importance of First Layer Characteristics (n=188) .. 142 Table 3.6: Part-Worth Estimations and Importance of Second Layer Characteristics (n=188) .............................................................................................................................. 143 Table 3.7: Descriptive Statistics of Control and Convenience of One-Layer Consent Banners in Theory (n=54) and Practice (n=559) ............................................................... 151 Table 3.8: Descriptive Statistics of Control and Convenience of Two-Layer Consent Banners in Theory (n=10,368) and Practice (n=681) ........................................................ 155

VII Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Appendix – Chapter 1 Table A1 - 1: Effect of Threshold Reduction on Number of Websites and Difference of Composition of Original and New Sample ........................................................... 72 Table A1 - 2: Effect of Threshold Increase on Number of Websites and Difference of Composition of Original and New Sample ........................................................... 73 Table A1 - 3: Summary of Results for Total Visits with and without Inclusion of 30-DayPeriod before and after GDPR .............................................................................. 74 Table A1 - 4: Examination of Control Group based on EU Traffic Share .............................. 77 Table A1 - 5: Coefficients of Regression Analysis based on Control Websites’ EU-Share ... 78 Table A1 - 6: Closer Comparison of EU- and Non-EU-Websites’ Total Visits for Non-EUUsers...................................................................................................................... 78 Table A1 - 7: Closer Comparison of EU- and Non-EU-Users’ Total Visits for Non-EUWebsites ................................................................................................................ 79 Table A1 - 8: Results of Regression Analysis comparing the Number of Unique Visitors for SimilarWeb and AGOF ......................................................................................... 83 Table A1 - 9: Results of Regression Analysis comparing the Number of Page Impressions for SimilarWeb and AGOF ......................................................................................... 84 Table A1 - 10: User Group Comparison of Confounding Factors........................................... 86

Appendix – Chapter 2 Table A2 - 1: Pairwise Comparisons of Interactions between Position and Close Option.... 123

VIII Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

List of Abbreviations ANOVA

Analysis of Variance

CJEU

Court of Justice of the European Union

CMP

Consent Management Provider

CPM

Cost per Mille

DiD

Difference-in-Differences

DPA

Data Protection Authority

GDPR

General Data Protection Regulation

HSD

Honestly Significant Difference

LGPD

Lei Geral de Protecao de Dados Pessoais

Mbps

Megabits per Second

PDPA

Personal Data Protection Act

PDPB

Personal Data Protection Bill

pp

Percentage Points

SCG

Synthetic Control Group

SUTVA

Stable Unit Treatment Value Assumption

YoY

Year-Over-Year

IX Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis

0 Synopsis 0.1 Introduction The collection and usage of users’ personal data online has become crucial for companies and accelerates the tremendous growth of the digital economy (e.g., Reinsel et al. 2018). Websites benefit from collecting data about users by utilizing the data to personalize the user experience. For example, websites use the collected data about users to customize content and product recommendations and monetize the data by, e.g., enabling other firms to place targeted ads on the website (see, e.g., Skiera et al. 2021). Yet, the rapidly growing data collection on the internet fuels privacy concerns among users (Pew Research Center 2019) and strengthen the need for policymakers to regulate the data collection. As a response to the privacy concerns, policymakers worldwide have enforced or are drafting new privacy laws such as the EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Protecao de Dados (LGPD), Thailand’s Personal Data Protection Act (PDPA), or India’s Personal Data Protection Bill (PDPB). All these privacy laws aim to strengthen the protection and privacy of personal data and as a fundamental right (e.g., GDPR Recital 1 (2)). Increasing data privacy seeks to empower users to govern how companies use their personal data (e.g., GDPR Recital 7 (2)). Accordingly, policymakers, privacy laws as well as many practitioners and researchers follow Alan Westin’s (1967) definition of privacy: “the claim of individuals […] to determine for themselves when, how, and to what extent information about them is communicated.” This definition, the common definition of privacy, builds upon the users’ control over their personal data – and lays the foundation for the idea that consent is the key to providing users with more privacy. Thus, privacy laws strongly focus on providing users with the ability to consent to the usage of their personal data. For example, for the use of online tracking technologies, policymakers require websites to obtain the users’ consent via an opt-in approach (regulated in GDPR Art. 7; LGPD Art. 5 XII; PDPA Section 19; PDPB Section 11 (2); reinforced by, e.g., Curia 2019). Obtaining consent via an opt-in approach, also known as explicit consent, means that a user must actively accept the data collection and usage on a website. Per default,

1 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis i.e., if the user does not take any action on a consent request, the user denies consent. Commonly, to request the users’ consent and to inform users about the websites’ data usage, websites display so-called consent banners to users (see Figure 0.1 for an example of a consent banner). Figure 0.1: Example of a Consent Banner

While the means to request consent from users is the same across websites, i.e., a consent banner, policymakers decided to give websites the freedom of choosing how they design consent banners while staying within the legal boundaries (see, e.g., GDPR Recital 32). With websites being relatively free in the specific implementation of the design of these consent banners, websites implemented the same requirements for consent in various ways (e.g., Degeling et al. 2019, Sanchez-Rola et al. 2019). Policymakers within the privacy law GDPR further fuel these differences in consent banner designs across websites by issuing inconsistent official guidelines within the scope of the same privacy law. For example, the data protection authority (DPA) in Spain regards consent as valid when the users keep browsing the website if the website informs the users of the consequence of their behavior (AEDP 2019). In contrast, the French DPA does not consider consent to be valid if the users simply keep browsing the website (CNIL 2019). Currently, it is unclear how the degree of freedom that policymakers grant websites in the implementation of consent banners and the resulting differences in consent banners affect websites and user privacy. Yet, when drafting privacy laws, policymakers have to trade-off between increasing user privacy and damaging websites economically by restricting their ability to collect personal data and, therefore, to monetize it. If the implementation freedom affected this trade-off, e.g., design differences in consent banners affected user privacy or the websites’

2 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis ability to earn revenue, such effects would be crucial for policymakers to consider when evaluating privacy laws. Similarly, websites would need to account for the effect of design differences to optimally decide upon a design to implement. Indeed, research suggests that design differences in privacy settings can impact privacy and the user behavior. More specifically, the privacy calculus theory (Dinev and Hart 2006) proposes that user behavior in privacy settings is a result of a trade-off that users conduct. In this trade-off, the user weights the perceived losses, e.g., data breaches, and perceived gains, e.g., better content suggestions, of a privacy decision against each other. The theory further proposes that the result of this trade-off depends on the users’ individual privacy concerns and attitudes as well as the context of privacy decisions. This second aspect, the context of privacy decisions, encompasses both the general characteristics of websites, e.g., website industry and popularity, and the websites’ specific implementation of privacy options, e.g., the design of a consent request or privacy policy. Consequently, as Figure 0.2 visualizes, the privacy calculus theory suggests that the specific implementations of privacy laws and consent banners resulting from the implementation freedom of privacy laws affect user behavior. Figure 0.2: Theoretical Foundation of Dissertation

3 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis For websites, the potential effect of the implementation freedom of privacy laws on user behavior can be an opportunity: Websites can use the freedom to optimize the design of the consent banner and the implementation of other legal requirements. However, it also poses challenges for websites. Firstly, the freedom increases the existing uncertainty about whether a specific implementation is compliant due to the ample design space and conflicting official guidelines. Thus, considering the legal requirements imposed by privacy laws and official guidelines issued by data protection authorities becomes even more challenging for websites as a result of the implementation freedom. Secondly, websites must carefully consider how potential implementations of consent banners and other legal requirements will affect user behavior on their website. For example, different implementations of privacy laws on a website might affect 1) the probability that users consent to a website’s data usage (the so-called “consent rate”), 2) the users’ decision to stay on a website, or 3) the users’ decision to return to a website. Suppose an ad-financed website that earns revenue from displaying ads to users chose an implementation that negatively impacted these three decisions for its user base. Consequently, the website would obtain the users’ consent for fewer users, resulting in the website being able to personalize the displayed ads for fewer users, reducing the ads’ and, ultimately, the websites’ profitability. Additionally, the users may leave the website sooner and re-visit the website less often, i.e., interact less with the website, resulting in the users seeing fewer ads on the website. Consequently, the reduced ad profitability and reduced number of ads shown to the users would diminish the ad-financed website’s revenue. Despite research indicating an effect of different implementations of privacy laws, e.g., the specific design of consent banners, on user behavior, no knowledge exists about this effect. Consequently, websites cannot anticipate whether and how the implementation of privacy laws affects user behavior and, thus, their revenues. Yet, websites must assess the effect that different privacy law implementations and different consent banner designs have on user behavior as a driver of their revenues to adequately choose how to implement privacy laws. For this endeavor, websites need an empirical foundation. Similarly, to best assess existing privacy laws and to draft future ones, policymakers need to evaluate whether existing privacy laws achieved their aim to increase user privacy while not

4 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis strongly damaging websites. As described above, the privacy calculus theory implies that different implementations of the same legal requirements can affect websites’ revenues (see Figure 0.2). Accordingly, the empirical foundation about the effect of different privacy law implementations on user behavior can aid policymakers when evaluating the economic damage that privacy laws cause to websites. Furthermore, the different implementations can affect the level of privacy that users have on websites. More specifically, the privacy calculus theory highlights that user privacy and the user decision in privacy settings depends on, amongst others, the 1) availability of privacy options and 2) convenience of selecting the privacy options (Ajzen 1991; Dinev and Hart 2006) as users are convenience-driven (e.g., Anderson 1972). Thus, the privacy calculus theory indicates that the implementation freedom of privacy laws affects user privacy if the freedom results in websites implementing the same requirements differently in terms of availability and convenience. Yet, existing research investigating GDPR’s effect on user privacy (e.g., Degeling et al. 2019) only focuses on the first aspect, the availability of privacy options. Consequently, there is a lack of knowledge about whether and how privacy laws and the differences in the implementation of the legal requirements, such as the consent requirement, affect websites’ revenue and user privacy. This lack of knowledge prohibits policymakers from thoroughly examining whether privacy laws and the implementation freedom achieved their aim to limit the damage to websites while increasing user privacy. Thus, policymakers need an empirical foundation that aids them in assessing whether current privacy laws need additional specifications and that enables them to apply this knowledge in the drafting stage of future privacy laws.

0.2 Aim and Structure of Dissertation This dissertation aims to shed light on the effects of privacy laws and their implementation freedom on 1) websites’ revenues and 2) user privacy. To investigate the effects of privacy laws on websites’ revenues and user privacy, this dissertation uses the enforcement of the privacy law GDPR to examine its effects on websites and users. The articles included within this dissertation further provide insights into the impact of the implementation freedom for consent banners on websites’ revenues and user privacy.

5 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis To assess the privacy law’s effect on websites’ revenues, I examine the websites’ user quantity and quality as an indicator of the websites’ ability to earn revenue, e.g., via product sales or ads. To assess the privacy law’s effect on user privacy, I examine the control that users have over their personal data and the convenience of that control (see Figure 0.3) in the post-GDPR era. For these purposes, this dissertation includes three articles that investigate different factors that influence websites’ revenues and user privacy using statistical methods and novel datasets. Figure 0.3 shows the different factors that influence websites’ revenues and user privacy and visually outlines which article addresses which factors. Table 0.1 summarizes the details of the three articles. Specifically, in Article I, I examine the GDPR’s effect on websites’ revenue in terms of user quantity and user quality measured by the usage intensity. In Article II, I examine the GDPR’s effect on websites’ revenue in terms of the user quality measured by the consent rate. Finally, in Article III, I examine the user privacy post-GDPR regarding the control and convenience of the privacy options.

6 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis Figure 0.3: Aim of Thesis and Scope of Articles

7 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

x

x

x

x

Results

ANOVA

Field Experiments: Variation of consent banners

Website popularity and industry are strong indicators of effect size and direction

Effects vary across websites

x Determination of combination of characteristics that increases consent rate for websites

x Change of consent rate between 1.60 and 14.90 percentage points per characteristic

x Characteristics have significant effects on consent rate

Panel Difference Esti- x mator; Regression x Mean Comparisons / t-test

Empirical Study: En- x On average, GDPR affected forcement of GDPR user quantity and usage intensity negatively Synthetic Control Group Method x Effect stronger over time

Applied Methods

Empirical Study: x Websites offer high control at Manual collection of cost of convenience consent banner dex Consent banners with one signs layer lack control; consent x In-depth interviews banners with two layers lack convenience x Conjoint Analyses x Maximization of control and x Hierarchical Bayes convenience possible Model

x

x Examine whether consent x Two datasets from field x Choose Wisely: experiments with Conbanners’ characteristics afThe Impact of fect consent rate sent Management ProConsent Banner x Quantification of effects vider x Designs on x Investigate how websites Consent Rates can take advantage of free- x User-level data on consent decision dom to increase consent Julia Schmitt rate compliantly

Julia Schmitt, Klaus Miller, Bernd Skiera

Dataset

Examine the effect of web- x Weekly traffic data on sites’ implementation of five user behavior metGDPR on user behavior rics over 2.5 years over time x Scraped website locaInvestigate how effects tion data vary based on website and user characteristics x 6,286 websites (Top 1,000 of 14 countries) across 24 industries

Research Aims

x Data on user preferx Examine theoretical and practical distribution of ences consent banners’ control The Illusion of x Manually collected set and convenience Control: Conof consent banner dex Examine relationship of trol and Consigns on 1,850 websites consent banners’ control venience on (Top 500 websites of and convenience III Consent Banfive countries) x Examine whether and how ners consent banners can be more convenient Julia Schmitt

II

I

x The Impact of Privacy Laws on User Behavior x

Article

Working Paper

Working Paper

Under 2nd Round Review at the Journal of Marketing Research

Status

Synopsis

Table 0.1: Description of Articles within Thesis

8

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis

0.3 Summary and Results of Articles The first article (Chapter 1) examines the effect of GDPR on user behavior on websites over time. Specifically, the article captures user behavior in terms of user quantity (e.g., total number of visits) and user quality in terms of usage intensity (e.g., page impressions per visit). Both the user quantity and usage intensity can impact the websites’ revenue, as outlined above. Furthermore, different implementations of GDPR across websites can affect user behavior differently. For example, different implementations of GDPR’s requirements across websites could include differences in consent banner designs, privacy policies, or the websites’ ability to personalize the user experience to engage users better. Accordingly, the article further examines how the GDPR’s effect varies across websites and as a function of website and user characteristics. The article utilizes a dataset containing weekly traffic data for the Top 1,000 websites of 12 EU countries as well as the US and Switzerland. Overall, the analysis includes traffic data for 6,286 unique websites across 24 industries. The traffic data encompasses five user behavior metrics (total number of visits, number of unique visitors, number of page impressions, total visit duration, number of bouncing visitors) from July 1st, 2017, to November 30th, 2019. Thus, the weekly traffic data is available for almost a year prior to the enforcement of GDPR and captures the effect of GDPR on user behavior over 1.5 years. To examine the GDPR’s effect on user behavior, we use the enforcement date of GDPR, May 25th, 2018, as the event for our empirical study. To draw inferences on the impact of GDPR coming into effect, we further consider the GDPR’s scope peculiarities and combine a synthetic control group (SCG) approach with a panel difference estimator, similar to a Difference-in-Differences (DiD) analysis. First, we calculate the GDPR’s effect on each website, enabling a detailed investigation of the distribution of GDPR’s effects across our website sample. We then use the results on the website level to examine how the GDPR’s effects vary based on website and user characteristics (i.e., website industry and popularity; user country of origin). We find that GDPR affects websites in one of two major ways: Some websites have difficulties attracting the same amount of users as before GDPR (i.e., GDPR negatively affects the user quantity), while other websites face difficulties engaging users the same way as before

9 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis GDPR (i.e., GDPR negatively affects the usage intensity). Regarding the user quantity, GDPR harms websites, on average, and the negative effect becomes stronger over time. For example, the total number of visits to a website dropped by, on average, 4.90% after 3 months and 10% after 18 months of GDPR. However, the websites that experience decreased user quantity benefit in terms of usage intensity and vice versa. For example, after 18 months of GDPR, the websites that experience decreased total visits experience an increase in the page impressions per visit by 5.53%. The article further shows that the GDPR’s effects across websites differ strongly in size and direction, with some websites even benefiting from GDPR. Both the effect direction and sizes vary across website popularity, website industry, and user country of origin. Most notably, less popular websites experience even more negative effects than popular ones, suggesting an increased market concentration after GDPR. The most prominent change on the websites’ user interface after the enforcement of GDPR is their adjustment of the consent banner. While there are other aspects that websites had to adjust, e.g., the privacy policy, the first interaction that users have on a website is their interaction with the consent banner. Thus, although Article I does not specifically investigate how the websites implement the consent banner, the difference in the GDPR’s effects likely stem – at least to some extent – from different consent banner implementations. To investigate this aspect further, the subsequent articles specifically focus on the effect of implementation differences of consent banners. The second article (Chapter 2) examines the effect of differences in consent banners on user quality in terms of the consent rate, i.e., the share of users accepting the data collection and usage on a website. Websites can vary the design of consent banners while considering legal regulations and official guidelines, resulting in a sizeable possible design space. The second article aims to examine whether and how changing the characteristics of consent banners affects the user quality in terms of the consent rate and to quantify the effects. The article further shows how websites can use the determined effects of consent banner characteristics to take advantage of the vast design space to increase the consent rate compliantly. To achieve the described aim, I conduct two field experiments with a large international consent management provider (CMP). A CMP supports websites in the technical implementation of consent banners and the subsequent recording and management of the users’ consent 10 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis decisions. The two field experiments within this article serve to examine the effect of three selected characteristics of consent banners on the consent rate and to quantify these effects. The three selected characteristics are the position of the consent banner on the website, the existence of a close option, and the button labels. Using analysis of variance (ANOVA), I find that all three aspects have significant and nonnegligible effects on the consent rate. Specifically, the effects of the chosen characteristics vary between 1.60 and 14.90 percentage points (pp). These large effects on the consent rate suggest that websites can achieve vastly different consent rates with the large variety of possible consent banner designs. Using the directions of the effects, I further determine the combination of characteristics that increases the probability of users to accept the data collection and usage, i.e., the consent rate, the most. Thereby, I show websites how they can adjust their consent banner design to increase the consent rate compliantly. Overall, the first two articles focus on the effect of GDPR and the different implementations of consent banners on websites’ revenues as a result of users changing their behavior. Both articles show that the effect is substantial and varies greatly across websites. Yet, the effect on user privacy remains unclear. Accordingly, in the third article (Chapter 3), I examine the distribution of user privacy online on consent banner. As outlined above, user privacy encompasses the availability of control options (e.g., Dinev and Hart 2006) and the convenience of that control (e.g., Anderson 1972, Ajzen 1991; Dinev and Hart 2006). Thus, I examine the distribution of control and convenience on consent banners in theory and practice. The theoretical distribution bases upon the theoretically feasible consent banner designs and provides insights into the relationship of the two aspects and whether current consent requirements can – in theory – strengthen user privacy. The practical distribution bases upon the implemented consent banner designs on the Top 500 websites of 5 countries and assesses how websites position themselves in that relationship in practice and whether privacy laws achieved the aim to increase user privacy online. In the article, I conduct three studies. The first two studies serve to operationalize the consent banners’ control and convenience to make them comparable across different consent banner designs. To operationalize the consent banners’ control, I conduct in-depth interviews with six privacy experts. The interviews show that control is best measured by categorizing it into four categories based on the granularity of the control and whether the options are pre-ticked to 11 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis accept the data collection. To operationalize the consent banners’ convenience, I conduct two conjoint analyses with 188 users. The user preferences derived from the conjoint analyses result in a convenience measure on a scale from 0-1 for each of the two layers of consent banners1. The consent banner design characteristics that I assess in the conjoint analyses result in 10,422 theoretically possible designs that represent the theoretical distribution of consent banners. The third study serves to examine the consent banner distribution in practice. Two researchers independently collect the design of consent banners on the Top 500 websites of 4 EU countries and the USA, all of which have to comply with the GDPR as the researchers access the websites from an EU location. In total, the dataset contains the designs of the consent banners of 1,240 websites2. I then combine the three studies in two ways: 1) Examination of the theoretical distribution of consent banners’ control and convenience: I combine the measures for the consent banners’ control and convenience derived from the first two studies with the theoretical distribution of consent banner designs derived from the consent banner characteristics defined in the second study. 2) Examination of the empirical distribution of consent banners’ control and convenience: I combine the measures for the consent banners’ control and convenience derived from the first two studies with the empirical distribution of the 1,240 consent banner designs derived from the third study. Overall, in the third article, I show a prevalent negative relationship between consent banners’ control and convenience in practice that is not present in theory. Regarding the control on consent banners, I find that about half of the websites display a consent banner within the highest control category, i.e., one that offers a granular and not pre-ticked choice. At the same time, 41.37% of the websites provide no choice to the user (the lowest control category). Re-

1

The first layer of a consent banner is the one that users immediately see. The second layer of a consent banner is the one that users have to actively access, e.g., by clicking on a button that loads the second layer.

2

The initial list of 2,500 (non-unique) websites of dropped to 1,853 (unique) websites when filtering out websites that appear in the Top 500 lists of multiple countries. Additionally, 3 websites block EU users and are disregarded. Of the remaining 1,850 websites, 610 websites do not display a consent banner and are not investigated further.

12 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis garding the consent banners’ convenience, I find that websites predominantly implement consent banners in a way that users perceive as inconvenient. Combining the two aspects shows a positive relationship between the consent banners’ control and convenience in the theoretical distribution for both consent banner layers. Moreover, there are consent banner designs that maximize the control and convenience together. Contrastingly, in practice, there is a negative relationship between the two aspects, i.e., websites implement consent banners so that a higher control corresponds with a lower convenience. Additionally, no website maximizes the two aspects together on the first layer, and only 15 websites do so on the second layer. Consequently, I uncover the need for websites to make consent banners more convenient – and for many websites to offer more control. If websites do not voluntarily adjust the distribution, policymakers can use the findings to consider additional measures to achieve such a change to increase user privacy as such a change is theoretically possible. Lastly, I outline how control and convenience can increase simultaneously on consent banners, e.g., by providing a reject button and a granular selection option on the first layer of consent banners.

0.4 Implications of Results In my dissertation, I provide insights into how the privacy law GDPR affects websites’ revenues in terms of user quantity and quality and user privacy in terms of control and convenience. I further specifically show how the implementation freedom that policymakers grant websites in complying with the GDPR’s consent requirement affects websites’ revenues and user privacy. Overall, in this dissertation, I show that the GDPR negatively affects websites’ revenues, on average, in terms of user quantity and usage intensity. The effects on websites’ revenues differ vastly across websites. The substantial differences in the privacy law’s effect on websites’ revenues also become apparent when examining the consent rate: The policymaker’s decision to give websites freedom in the consent banner implementation leads to websites obtaining significantly different consent rates. Moreover, the dissertation shows that the freedom leads to websites implementing consent banners that vastly differ in control and convenience, i.e., user privacy. Websites predominantly implement a high control at the cost of convenience. As users are convenience-driven, this predominantly inconvenient consent banner distribution effectively reduces user privacy as users do not exercise the offered control even if it is available.

13 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis Additionally, combining the findings of Articles II and III shows that websites can strongly increase the consent rate without affecting consent banners’ control and convenience, i.e., user privacy. For instance, websites can increase the consent rate by adjusting the position of consent banners (increase of up to 14.90pp) and the button labels (increase by between 1.60pp and 5.90pp for each adjustment). These adjustments do not affect the users’ control or perceived convenience of consent banners, thereby leaving user privacy unaffected. Yet, if websites removed the close option on consent banners, they would increase the consent rate by 13.50pp but reduce the users’ perceived convenience, thereby reducing user privacy. The dissertation’s two-sided approach in examining the GDPR’s effect sheds light on several essential aspects for websites, policymakers, and users alike. Thus, this dissertation and the results that I derive from the three articles contain many implications for each entity and further spark future research. 0.4.1

Implications of Results for Websites

When complying with the GDPR’s consent requirements, websites have several options to design consent banners due to the implementation freedom. However, precisely this freedom and the resulting inconsistent official guidelines led to websites being confused about how to comply with the GDPR’s requirements (WatchGuard Technologies 2017). Additionally, as, e.g., Johnson et al. (2002) show for newsletter signups, the requirement of an explicit instead of an implicit (users give consent per default) consent request can reduce the consent rate. As current privacy laws require explicit consent, they likely reduce websites’ revenues in terms of user quality and user quantity as well. Accordingly, websites must examine and account for factors that can reduce the negative revenue impact of privacy laws in general and consent banners in particular. Besides showing how the GDPR and differences in the GDPR’s implementation affect websites’ ability to earn revenue, this dissertation enables websites to better navigate the challenging design selection of consent banners. Particularly, the first article (Chapter 1) helps websites to understand the effect of privacy laws on user behavior. More specifically, websites can use the outlined effect of the privacy law GDPR on user behavior to better anticipate the effect that future privacy laws might have on user quantity and usage intensity. Accordingly, websites can better prepare for the enforcement of upcoming privacy laws and anticipate how the privacy

14 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis laws might affect the websites’ ability to attract and keep users on their website, depending on the websites’ popularity, industry, and user base. Articles II and III (Chapters 2 and 3) show that the design of consent banners tremendously impacts the consent rate and user privacy. Hence, based on these findings, both articles aid websites in using the implementation freedom for consent banners to increase the consent rate while simultaneously considering the effect on the consent banners’ convenience and thus the users’ browsing experience. Furthermore, Article II shows which design characteristics increase the consent rate. More specifically, websites can increase the consent rate by positioning the consent banner in the center of the website, removing the close option, and selecting button labels that all mention “cookies” and neutrally express agreement (accept button) while strongly expressing disagreement (reject button). In the short- and long-term, increasing the consent rate is vital for websites as websites need the users’ consent to keep their ability to collect and utilize personal data to earn revenue. However, especially in a long-term orientation, increasing user privacy in terms of control and convenience is equally important. Users become increasingly annoyed at consent banners and block or ignore them (Weiß and Krösmann 2020). As websites can only obtain (explicit) consent if users interact with consent banners, websites need to increase the convenience of consent banners and thus user privacy to keep their consent rates high in the long-term. In this relation, Article III shows that users perceive consent banners as most convenient if they have one layer with a close option, no accept option, a reject option via a button, and an un-ticked granular selection. Together, Articles II and III indicate that an increased consent rate and user privacy do not have to contradict each other: A variation in the position and button labels of consent banners can increase the consent rate while leaving user privacy unaffected. Accordingly, this dissertation as a whole can serve as guidance for websites in 1) anticipating the user reaction to their implementation of current or future privacy laws and 2) their decision about how to best implement consent banners to obtain explicit consent as required by privacy laws. 0.4.2

Implications of Results for Policymakers

When drafting privacy laws, policymakers have to trade-off between increasing user privacy and reducing the damage that websites incur by having data collection and usage restricted. One of the results of the GDPR’s attempt to solve this trade-off was the policymaker’s decision 15 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis to impose strict consent requirements onto websites while allowing a certain degree of freedom in the requirement’s implementation. This dissertation provides an empirical foundation for policymakers to assess the impact of privacy laws and to evaluate their decision to give websites freedom in the implementation of consent banners. The first two articles (Chapters 1 and 2) aid policymakers in understanding the effect of the privacy law GDPR and its implementation freedom on website’s revenue. Specifically, Article I shows that the implementations of the privacy law GDPR on websites had diverse, but on average negative, effects on websites’ revenue in terms of user quantity and usage intensity. Furthermore, Article II shows that implementing different consent banner designs results in considerable differences in the consent rate that websites can achieve. Thereby, the two articles aid policymakers that have already enforced privacy laws by serving as guidance for potential additional official guidelines. They further aid policymakers in the drafting stage of future privacy laws by assisting policymakers to better anticipate the effect that privacy laws, the consent requirement, and the implementation freedom have on websites’ revenues. Article III (Chapter 3) aids policymakers in understanding the effect of the GDPR and the implementation freedom on user privacy across websites. The article shows considerable differences in user privacy across websites after almost three years of GDPR, with user privacy being predominantly low in practice as most websites either do not provide users with control over their data or a low convenience of that control. In theory, an increase in both the control and convenience is possible simultaneously, showing that the GDPR’s requirements can achieve a high user privacy. Thereby, the article provides policymakers with an empirical foundation to assess whether the current distribution of consent banners facilitates reaching the policymaker’s aim to grant users more privacy or whether additional specifications or enforcement strategies are necessary. Overall, the dissertation can aid policymakers when evaluating current privacy laws and drafting future ones: All three articles together enable policymakers to conduct a multi-faceted and thorough evaluation of the GDPR’s effect and, specifically, the effect of the implementation freedom of consent banners. Additionally, if the policymakers’ evaluation results in the decision to further regulate and standardize the implementation of consent banners, the last two articles (Chapters 2 and 3) serve as guidance for policymakers when issuing additional guidelines. Specifically, they show which consent banner designs increase user privacy, i.e., control

16 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis and convenience, while outlining how such designs affect websites’ consent rates and thus revenues. 0.4.3

Implications of Results for Users

Policymakers are drafting and enforcing privacy laws, amongst others, due to the users’ wish for more privacy. However, the decision to give websites freedom in the implementation of the consent requirement led to a large variety of consent banners across websites. The lack of standardization of consent banners and the recurring choices led users to increasingly ignore them (e.g., Weiß and Krösmann 2020). However, exercising the offered options could enable users to make meaningful privacy choices. This dissertation predominantly aids users by uncovering that the majority of websites offers low user privacy. More specifically, in the third article (Chapter 3), I show a negative relationship between consent banners’ control and convenience in practice, i.e., most websites either offer no control to users or provide a high control at the cost of convenience. Thus, Article III indicates a need for a change in consent banners to strengthen user privacy. Particularly, websites have to design consent banners in a desirable way for users: consent banners that are easier to understand and more accessible, for instance, by including a granular selection option on the first layer of consent banners. Users can benefit from the findings of this article in case the articles can initiate a change in the consent banner distribution and user privacy initiated by websites or policymakers. Additionally, the first two articles (Chapters 1 and 2) can aid users in their understanding of how their behavior on websites affects websites’ revenue. Such knowledge might result in users making more conscious consent decisions on websites as an economic damage to websites might lead to websites developing new business models, potentially endangering the future of the free internet. 0.4.4

Implications of Results for Research

This dissertation shows the effect of GDPR and the implementation freedom on the websites’ revenue and user privacy. Within each of the three articles included in this dissertation, I outline the specific research possibilities that the respective article can spark. Additionally, the dissertation as a whole sparks further research opportunities. For instance, the three articles show that the implementation of the GDPR can affect websites’ revenues

17 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis (Articles I and II) and user privacy (Article III). However, it is unclear whether websites face a trade-off when designing a consent banner that achieves a high revenue on the one hand and offers high user privacy on the other hand. This dissertation shows that such a trade-off exists for one of the examined design characteristics: the existence of a close option. More specifically, displaying a close option on a consent banner increases user privacy but leads to the website achieving a lower consent rate, thus a lower revenue, compared to not displaying a close option. Future research has yet to examine such a connection and possible trade-off for other characteristics that are out of the scope of this dissertation. Similarly, future research can examine the effect of different consent banner designs on the websites’ revenue. While Articles II and III focus on the design differences, the Article I focuses on the general implementation of GDPR and does not assess consent banner design differences. Therefore, future research can connect the three studies and thoroughly analyze the effect of different design characteristics on websites’ user quantity and usage intensity. Lastly, policymakers, websites, and this dissertation focus on the implementation of the consent requirement via consent banners. However, there might be other, potentially simpler, solutions for the fulfillment of the consent requirement. Accordingly, future research can examine potential consent requests on websites outside the realm of consent banners or even standardization possibilities that might not require each website to have individual consent requests.

18 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis

0.5 References AEPD (2019): “A Guide on the Use of Cookies”, Agencia Espanola Protección Datos, https://www.aepd.es/sites/default/files/2020-09/guia-cookies-en.pdf, last accessed on October 05, 2021. Ajzen, I. (1991): “The Theory of Planned Behavior”, Organizational Behavior and Human Decision Processes, 50 (2), 179-211. Anderson, W. T. (1972): “Convenience Orientation and Consumption Behavior”, Journal of Retailing, 48 (3), 49-71. CNIL (2019): “Cookie and Other Tracers: The CNIL Publishes Amending Guidelines and Its Recommendation”, https://www.cnil.fr/fr/cookies-et-autres-traceurs-la-cnil-publie-des-lignesdirectrices-modificatives-et-sa-recommandation, last accessed on October 05, 2021. Curia (2019): “Judgement of the Court in Case C-673/17”, http://curia.europa.eu/juris/document/document.jsf?docid=218462&text=&doclang=EN&pageIndex=0&cid=975326, last accessed on October 05, 2021. Degeling, M.; Utz, C.; Lentzsch, C.; Hosseini, H.; Schaub, F.; Holz, T. (2019): “We Value Your Privacy … Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy”, Proceedings of the Network and Distributed System Security Symposium 2019. Dinev, T.; Hart, P. (2006): “An Extended Privacy Calculus Model for E-Commerce Transactions”, Information Systems Research, 17 (1), 61-80. GDPR 2016/679: Regulation (EU) 2016/679, Official Journal of the European Union. Johnson, E. J.; Bellman, S.; Lohse, G. L. (2002): “Defaults, Framing and Privacy: Why Opting In-Opting Out”, Marketing Letters, 13 (1), 5-15. LGPD 13.709/2018: General Personal Data Protection Law, National Congress of Brazil. PDPA B.E: 2562 (2019): Personal Data Protection Act, Government Gazette. PDPB (2018): The Personal Data Protection Bill.

19 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Synopsis Pew Research Center (2019): “Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information”, https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-controlover-their-personal-information/, last accessed on October 05, 2021. Reinsel, D.; Gantz, J.; Rydning, J. (2018): “The Digitalization of the World. From Edge to Core”, IDC, https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagatedataage-whitepaper.pdf, last accessed on October 05, 2021. Sanchez-Rola, I.; Dell’Amico, M.; Kotzias, P.; Balzarotti, D.; Bilge, L.; Vervier, P.-A.; Santos, I. (2019): “Can I Opt Out Yet? GDPR and the Global Illusion of Cookie Control”, ACM ASIA Conference on Computer and Communications Security, New York, USA, https://doi.org/10.1145/3321705.3329806. Skiera, B.; Miller, K.; Jin, Y.; Kraft, L.; Laub, R.; Schmitt. J. (2021): “The Impact of the General Data Protection Regulation (GDPR) on the Online Advertising Industry”, Book, first draft available. WatchGuard Technologies (2017): “37 Percent of Global Organizations Unsure if They Need to Comply with GDPR”, https://www.watchguard.com/wgrd-about/press-releases/37-percent-global-organizations-unsure-if-they-need-comply-gdpr, last accessed on October 05, 2021. Weiß, R.; Krösmann, C. (2020): “Cookie-Banner spalten Internetnutzer”, Bitkom Research, https://www.bitkom.org/Presse/Presseinformation/Cookie-Banner-spalten-Internetnutzer, last accessed on October 05, 2021. Westin, A. (1967): “Privacy and Freedom”, New York: Atheneum Press, 1967.

20 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1 The Impact of Privacy Laws on Online User Behavior Julia Schmitt, Klaus M. Miller, Bernd Skiera

ABSTRACT Policymakers worldwide draft privacy laws that require trading-off between safeguarding consumer privacy and preventing economic loss to companies that use consumer data. However, little empirical knowledge exists as to how privacy laws affect companies’ performance. Accordingly, this paper empirically quantifies the effects of the enforcement of the EU’s General Data Protection Regulation (GDPR) on online user behavior over time, analyzing data from 6,286 websites spanning 24 industries during the 10 months before and 18 months after the GDPR’s enforcement in 2018. A panel differences estimator, with a synthetic control group approach, isolates the short- and long-term effects of the GDPR on user behavior. The results show that, on average, the GDPR’s effects on user quantity and usage intensity are negative; e.g., the numbers of total visits to a website decrease by 4.9% and 10% due to GDPR in respectively the short- and long-term. These effects could translate into average revenue losses of $7 million for e-commerce websites and almost $2.5 million for ad-based websites 18 months after GDPR. The GDPR’s effects vary across websites, with some industries even benefiting from it; moreover, more-popular websites suffer less, suggesting that the GDPR increased market concentration.

Keywords: Privacy Law, Online Privacy, Consumer Protection, GDPR, Data Privacy Regulation

21 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1.1 Introduction Internet users generally perceive their privacy as a cause for concern. For example, a survey in 2019 by Pew Research Center showed that 79% of American users are concerned about how companies use their data, partly because they do not know which data companies collect. In recent years, policymakers worldwide have drafted and enforced privacy laws to mitigate these types of concerns. One of the highest-profile and most expansive laws is the European Union’s (EU) General Data Protection Regulation (GDPR), which became enforceable on May 25th, 2018. Similarly, other countries such as Chile, Serbia, Brazil, India, and Thailand have also recently enforced or approved privacy laws. While the specific details of the various privacy laws differ, their basic idea is to increase the individuals’ privacy, commonly defined as the individuals’ control over their personal data (Holvast 1993). In practical terms, privacy laws such as the GDPR seek to enhance data privacy by targeting the operations of companies that handle user data through two main avenues: 1) limiting companies’ capacity to collect and use user data, and 2) requiring that companies be transparent about their data collection practices. On the one hand, these requirements resulted in websites reducing the number of thirdparty cookies (e.g., Libert et al. 2018) and updating and providing more information in their privacy policies, likely increasing the transparency (Degeling et al. 2019; Linden et al. 2020). These findings suggest that GDPR likely increased user privacy in terms of tracker intrusiveness and transparency. On the other hand, as we will elaborate in what follows, these requirements affect companies’ operations, which may lead to economic loss. Moreover, companies’ attempts to recoup these losses may have negative societal effects. For example, a company might scale back its services or charge for services once provided for free, resulting in a lessinformed citizenry. Moreover, some companies might cut jobs, causing financial distress to their employees; if such layoffs take place on a large scale, the societal harm could be profound. Thus, in establishing privacy regulations, policymakers must carefully balance between ensuring citizens’ right to privacy and avoiding excessive damage to the performance of companies that use user data, given the potential societal effects of such damage. Yet, it is challenging to predict how implementing data privacy laws will affect companies’ performance and revenue. Part of the challenge stems from users responding in unexpected ways to efforts

22 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior to protect their privacy. Indeed, though users claim to value their privacy, it is well established that their actual behavior online does not necessarily align with these stated preferences (known as the privacy paradox; e.g., Acquisti 2004). Accordingly, we present an empirical study to examine how the GDPR coming into effect, which we refer to as “enforcement of GDPR,” affected user behavior on thousands of websites. We focus on two classes of user behavior metrics: user quantity (e.g., numbers of total visits) and usage intensity (e.g., page impressions per visit). These metrics are of interest as indicators of company performance. They often link with companies’ revenues (e.g., e-commerce sites or sites with ad-based revenue; see the concluding sections of this article). Our analysis builds upon the premise that enforcing a privacy law can positively and negatively affect user quantity and usage intensity. Regarding user quantity, limitations on data collection and usage restrict companies’ marketing activities, such as targeting new customers through personalized ads. As a result, users might be less aware of certain companies than they would have been otherwise and face increased search costs to find them. Consequently, traffic to those companies’ websites might decrease. At the same time, traffic to certain websites might increase among users who find themselves with fewer alternatives – indeed, shortly after the enforcement date of GDPR, some websites operating outside the EU blocked access to EUusers to avoid having to comply with the law (Lecher 2018). Regarding usage intensity, the requirements for transparency and consent to collect data may require websites to adjust their appearances – thereby affecting the user experience. For example, users might face a pop-up with information regarding the website’s cookie usage or other data collection activities and then have to click to accept or decline cookies and the respective data collection. This interaction might increase users’ awareness of their data disclosure and influence their usage intensity (Dinev and Hart 2006). In particular, they might spend less time on the website to reduce the amount of data it can collect, or they might abandon the website to avoid having to authorize it to collect data. Alternatively, once users have consented to have their data collected, they might use the website more than they would otherwise – to avoid having to visit other websites and authorize them to collect data. Lastly, there might be users who do not change their behavior at all. These arguments suggest that, overall, the enforcement of a privacy law such as the GDPR, i.e., the GDPR becoming effective, may have positive or negative effects, or no effect at all, on

23 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior the number of users who visit a particular website and on their usage intensity. Moreover, different websites might be affected differently, as users’ expectations regarding their privacy and their consequent responses to privacy-driven changes in website operations may vary across regions (cultures) or websites in different industries (e.g., Dinev et al. 2006). It is also essential to understand how these effects develop over time, as it might take users several months to adjust their usage habits. Thus, our study aims to achieve the following specific objectives: 1) Quantifying the effects of the enforcement of the GDPR on five metrics of user quantity and four metrics of usage intensity on websites over time (from 3 months up to 18 months after the enforcement of the GDPR); 2) Identifying how these effects vary as a function of website characteristics (i.e., website industry and popularity) and user characteristics (i.e., a user’s country of origin). Our analysis relies on a dataset capturing user behavior on 6,286 unique websites spanning 24 industries; these websites represent the most popular websites in 13 countries (11 EU countries, Switzerland, and the United States). The data cover the period from July 2017 to December 2019 – i.e., 10 months before and 18 months after the enforcement of the GDPR (hereafter referred to as “GDPR”) on May 25th, 2018 – enabling us to construct a before-and-after analysis. Within our dataset, some website-user interactions are subject to the GDPR (i.e., interactions involving EU-websites or EU-users). In contrast, others are not (i.e., interactions involving Non-EU-websites and Non-EU-users), effectively creating a “control group.” Thus, we can use a panel differences estimator similar in spirit to a difference-in-differences (DiD) estimation (e.g., Janakiraman et al. 2018, Kumar et al. 2016, Goldstein et al. 2014). We combine the panel differences estimator with a synthetic control group (SCG) approach (Abadie et al. 2015) to isolate the effect of the GDPR on our metrics of interest. We obtain the following results: 1) Among websites to which the GDPR is applicable, the average number of visits per website decreases by almost 5% in the short-term and about 10% in the long-term; about two-thirds of websites continue to be negatively affected by the GDPR in the long-term. We similarly observe short-term decreases of 0.8%-3% in the average number of unique visitors, page impressions, and amount of time on the website, and longterm decreases of 6.6%-9.7%.

24 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 2) Among websites that suffer from a reduction in user quantity, the remaining users exhibit an increase in usage intensity – for example, the number of visits per user increases, on average, by about 4.8% at 18 months post-GDPR. Conversely, among websites that gain users after the GDPR, usage intensity decreases; e.g., the number of visits per user decreases, on average, by about 9.1% at 18 months post-GDPR. 3) The effects of the GDPR vary across websites; for example, less-popular websites lose more total visits (10%-21% drop) than more-popular websites (2%-9% drop), suggesting that the GDPR increases market concentration. The effects also vary across industries, with Entertainment and Leisure websites being most negatively affected (-12.5 to -13.8% after 18 months). In contrast, Business and Consumer Service websites even experience a positive effect (+4.7% after 18 months). 4) User characteristics (i.e., a user’s country of origin) have only a small effect on how the GDPR affects user behavior.

1.2 Knowledge on Effects of Privacy Changes on Online User Behavior We draw from and contribute to two main streams of literature. Through surveys and lab experiments, the first stream attempts to illuminate users’ attitudes towards data privacy and their responses to different levels of privacy or control over their data. The second stream uses field studies to examine the effects of privacy laws on various outcomes of interest. 1.2.1 User Attitudes and Behavior with Regard to Privacy Lab experiments and survey-based studies have examined how users’ attitudes and website usage behavior are affected by websites’ handling of user privacy. The results of these studies point to a nuanced relationship between privacy and user behavior. For example, several studies based on consumer surveys suggest that when users perceive themselves as having more control over their privacy – specifically, more options to regulate their privacy – they experience lower privacy concerns (Martin 2015), a higher level of trust in a website, an increase in purchase intentions (Martin et al. 2017) and a higher willingness to disclose data to websites (Brandimarte et al. 2013; Acquisti et al. 2013; Malhotra et al. 2004; Culnan and Armstrong 1999). They can even react more positively to personalized ads (Tucker 2013).

25 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Other studies, in contrast, find that different privacy levels do not affect user behavior: For example, Belanger and Crossler (2011) show that users share data with companies despite privacy concerns. This result may have been induced by users’ feelings of powerlessness regarding their privacy (Few 2018). Acquisti et al. (2012) further show that users’ privacy concerns and preferences for the same level of privacy are not stable. The willingness to disclose data can depend on other factors like the amount and order of such data requests. These findings align with the privacy paradox, indicating that users’ stated privacy preferences often differ from their actual behavior (e.g., Acquisti 2004). Still, other studies suggest that including more privacy control options for users might negatively affect website usage. In particular, privacy features, such as requesting users’ explicit consent for data collection and more transparency (as required by GDPR), can make users aware of data disclosure that they were not previously aware of (Dinev and Hart 2006), increase privacy concerns and thus reduce ad effectiveness (Kim et al. 2018). This awareness may lead users to feel warier about using the site and thus diminish their usage. Dinev and Hart (2006) proposed the privacy calculus theory, which provides a framework encompassing all these different responses to privacy controls. Specifically, the theory suggests that the extent to which a user values privacy on a particular website depends on the user’s privacy concerns, the user’s trust in the website, and the value that the user derives from the website’s offerings. Users with higher privacy concerns or lower trust towards a website may be more likely than others to respond favorably to more stringent privacy measures. In turn, when users attribute a high value to the website’s offerings, they may be willing to sacrifice privacy in exchange for convenient access to those offerings and thus may be indifferent to privacy levels – or even respond unfavorably if privacy hurts the website’s accessibility. This theory suggests that users’ responses to changes in a website’s handling of privacy may vary across users and websites. Indeed, several studies show that differences in privacy perceptions and expectations depend on a user’s country and cultural background (e.g., Dinev et al. 2006; Steenkamp and Geyskens 2006; Miltgen and Peyrat-Guillard 2014) and on the device used by a user to access a website (Melumad and Meyer 2020). The current study extends these findings by comparing how users in different countries vary in their responses to privacy laws and by considering variations across websites with different characteristics.

26 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.2.2

Field Studies: Effects of Privacy Laws on Various Outcomes

The findings outlined above suggest that it is likely to be challenging to predict how large populations of users will respond to the enforcement of new privacy laws. Accordingly, several studies use field data to construct event studies of users’ revealed behavior after enforcing such laws. Examples that predate the GDPR are the work of Goldfarb and Tucker (2011a), who show that implementing the EU Privacy and Electronic Communications Directive reduces ad effectiveness on websites, making it more challenging for ad-financed websites to generate revenues, and of Campbell et al. (2015) who show that privacy laws especially hurt smaller online companies. At the same time, Goldfarb and Tucker (2011b) further show that irrespective of privacy laws, ad effectiveness can diminish for strongly obtrusive and targeted ads, suggesting a positive effect of privacy laws on user welfare. Several recent studies have specifically sought to characterize various effects of the GDPR. Some of these works focus on websites’ actions in response to the law, showing that many update their privacy policies (Degeling et al. 2019) and increase their privacy policy length (Linden et al. 2020). Furthermore, an apparent reduction in third-party cookies occurs (Libert et al. 2018; Hu and Sastry 2019). Partly due to the anticipated reduction in third-party cookies, Mirreh (2018) predicts that websites could lose almost half of their traffic because of an inevitable shift of retargeting strategies, making it more challenging for companies to get users to their websites. A study that is particularly relevant to our research is that of Goldberg et al. (2021), who measure how the GDPR affected recorded web traffic and e-commerce sales four months after the enforcement of the regulation. The authors show an average 11.70% drop in recorded page views from EU-users (Goldberg et al. 2021). Our empirical study delivers insights that greatly extend Goldberg et al.’s research. Primarily, our study adopts a long-term orientation for a substantially larger website sample, providing a more comprehensive analysis of GDPR. Given that the GDPR was the first major new privacy law in the EU since the e-Privacy Directive in 2002, users may have needed some time to adjust their behavior to the GDPR. Therefore, the full effect of the privacy law might only become observable after some time. Furthermore, our study examines differences in the effects across websites and users. Finally, the data sample of our study enables an empirical estimation of metrics covering actual traffic, whereas Goldberg et al.’s available data only allow an examination of recorded traffic. As the authors mention in their study, a change in recorded traffic after GDPR is, in fact, a combination of two changes:

27 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior A change in the number of consenting users and a change in the actual traffic that these consenting users generate.

1.3 Description of Empirical Study Our empirical study aims to analyze the effects of the enforcement of the GDPR on online user behavior, as reflected in measures of user quantity and usage intensity; to understand how these effects evolve over time (distinguishing between short-term effects – 3 months after enforcement –, up to long-term effects – 18 months after enforcement); and to reveal how these effects vary as a function of website and user characteristics. 1.3.1

Background on the GDPR

The GDPR, which came into effect on May 25th, 2018, is the first major privacy law in Europe since the e-Privacy Directive in 2002. The GDPR regulates any activity performed on personal data from users located in the EU. As a regulation, the law is further binding for all websites based in EU countries; according to Article 3 of the GDPR, a website’s “base” (and thus the applicability of the GDPR) is determined according to the geographical location where the website’s data processing takes place. Websites within the scope of GDPR that do not comply with the privacy law face significant fines of up to 4% of the website’s global annual turnover or €20 million, depending on the severity of the infringement. The GDPR handles various privacy aspects that can affect how a user engages with a website. Similar to other approved or enforced privacy laws such as Brazil’s Lei Geral de Protecao de Dados Pessoais (LGPD), India’s Personal Data Protection Bill (PDPB), or Thailand’s Personal Data Protection Act (PDPA), the GDPR has stringent privacy protection requirements (Lucente and Clark 2020). For example, the mentioned privacy laws all require websites to obtain a user’s explicit consent for data processing like the GDPR, i.e., they all follow an optin approach for consent. Given the similar nature of GDPR compared with other privacy laws, the findings of this study likely mirror the effects of other privacy laws on user quantity and usage intensity on websites. At the same time, for privacy laws that are less strict than GDPR, such as the California Consumer Privacy Act (Lucente and Clark 2020), the findings of this study might serve as an upper bound of the effects.

28 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.3.2

Description of Set-Up of Empirical Study

Before the GDPR becoming effective, users could not anticipate how websites would react to the diverse set of requirements imposed by GDPR. In our empirical study, we examine the effect of the enforcement of GDPR, i.e., the GDPR coming into effect, on the user behavior on websites. Most likely, websites complied with GDPR to different degrees. So, we do not measure the effect of all websites behaving entirely according to GDPR. Instead, we observe the effect of the websites’ interpretation of the privacy law. Thus, we measure what happened after GDPR came into effect – the intention-to-treat effect of GDPR. Therefore, our treatment “enforcement of GDPR” refers to “GDPR coming into effect” (on May 25, 2018) and not to a situation in which GDPR was enforced such that all websites behaved entirely with GDPR. The GDPR provides a useful setting for quantifying the effect that the enforcement of privacy laws has on user behavior because it implicitly divides website-user interactions (here referred to as “website-instances”) into a treatment group (i.e., GDPR is applicable) and a control group (i.e., GDPR does not apply), as depicted in Figure 1.1. Figure 1.1: Scope of GDPR and Resulting Assignment to Treatment and Control Group

As noted above, the GDPR’s scope includes all websites based in the EU and further encompasses the processing of personal data from all users located in the EU. Thus, the treatment group comprises website-instances corresponding to EU-users visiting any website or to NonEU-users visiting EU-websites. The control group consists of website-instances corresponding to Non-EU-users visiting Non-EU-websites. In line with Article 3 of the GDPR, we use the website’s server location (retrieved from https://check-host.net) to determine the respective website’s data processing location and the GDPR’s applicability. We use the enforcement date of GDPR (May 25th, 2018) to construct a before-and-after analysis, comparing the treatment

29 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior group to the control group to quantify the intention-to-treat effect of GDPR. This approach allows us to construct a panel differences estimator that is similar in spirit to a DiD estimator and rests upon two critical assumptions: the stable unit treatment value assumption (SUTVA) and the parallel pre-treatment trends of the control and the treatment group. Several factors might bias the treatment effect that we observe using the described methodology. For example, there might be concerns regarding the possible late or early compliance of websites with GDPR or the potential existence of confounding factors. The major concern, however, might be regarding the validity of our control group. This concern stems from the possible situation that websites in our control group might voluntarily comply with GDPR. Furthermore, the mere knowledge of Non-EU-users about the GDPR already represents a “treatment” that affects our control group as well. Both situations would represent a violation of the SUTVA that is integral to our analysis. We thoroughly examine the robustness of our results to all of those factors, i.e., late or early compliance, confounding factors, and the possibility that GDPR also treats our control group. All robustness checks indicate that the mentioned factors do not bias our results (see Sections 1.9.4, 1.9.5, and 1.9.7 in the Appendix). Thus, even if a potential bias existed within our results, its impact is likely relatively small. Furthermore, such an effect only yields to underestimating GDPR’s actual effect because the treatment might also impact the control group. 1.3.3

Overview of Data

1.3.3.1 Description of Data Sample. This study utilizes data from SimilarWeb for the Top 1,000 websites – as listed in Alexa Top Sites in April 2018 – of two Non-EU countries (Switzerland and USA) and 11 EU countries (Austria, Denmark, France, Germany, Hungary, Italy, Netherlands, Poland, Spain, Sweden, and the UK3). The authors choose the USA and Switzerland as Non-EU-countries as both countries are culturally similar to the EU. SimilarWeb draws on a diversified and rich global user panel to measure online user behavior. Companies (e.g., Google, Alibaba, eBay, P&G) primarily use data from SimilarWeb, but also researchers in top-tier academic journals (e.g., Calzada and Gill 2020, Lu et al. 2020). The websites in our sample span diverse industries (see

3

During the time of our study, the United Kingdom (UK) was still a member of the EU. Its membership ended on January 31th, 2020.

30 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure A1 - 1 in Section 1.9.1 in the Appendix), audiences, and popularity levels (here measured by SimilarWeb ranks). For each website in our sample, the dataset includes information about the website industry as well as the global, country, and industry rank, based on the website’s popularity worldwide, in the analyzed country, and within the website’s industry. For each website in the sample, the dataset further includes information on the user quantity metrics of users accessing that website from one EU country: the one in which the website is most popular. Additionally, for each website, user quantity data are available for users accessing the website from the US. Thus, if a website does not appear in the Top 1,000 of any EU country, data are available only for US users. These data span the period between July 1st, 2017 and December 31st, 2019 – i.e., almost a year before GDPR’s enforcement (May 25th, 2018) and 1.5 years after the enforcement – and can therefore be used for a before-and-after analysis as outlined above. We start with 13 countries with 1,000 websites each. Our initial sample includes 7,332 unique websites after we removed duplicate websites. For example, “google.com” is a duplicate website as it is among the Top 1,000 websites in all 13 countries. Instead of occurring 13 times, google.com just occurs once in our sample. For each of these 7,332 websites, we have user behavior data corresponding to Non-EU-users. For 6,460 websites of those 7,332 websites, the dataset additionally includes user behavior data of EU-users. Thus, for 6,460 websites, we have two sets of observations, corresponding, respectively, to the Non-EU-user base and to the EU-user base of that website. For the remaining 872 websites, we only observe the Non-EU-user base. In what follows, we consider each website’s Non-EU and EU-user bases separately and refer to each combination of a website with one of the two user bases, for convenience, as a “website-instance.” For example, for a website such as “zeit.de” that is based in an EU country (here, Germany), we observe two website-instances: One website-instance corresponds to the set of observations for the EU-user base of “zeit.de.” The second website-instance corresponds to the set of observations for the Non-EU-user base of “zeit.de.” As “zeit.de” is EU-based, GDPR applies to both its website-instances, and both website-instances belong to the treatment group (Figure 1.1). Accordingly, for a website such as “nzz.ch” that is based in a Non-EU country (here: Switzerland), we observe two website-instances: one website-instance corresponding to the set of observations for the Non-EU-user base of “nzz.ch” and the second website-instance corresponding to the set of observations for the EU-user base. As the website of this second example

31 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior is not EU-based, GDPR applies only to the website-instance that corresponds to the EU-user base of “nzz.ch,” which belongs to the treatment group, but not to the Non-EU-user base, which belongs to the control group (see Figure 1.1). Overall, the initial sample includes 7,332 website-instances corresponding to a set of observations of the Non-EU-user base and 6,460 website-instances corresponding to a set of observations of the EU-user base, totaling 13,792 website-instances. We then drop website-instances for which the user base generated, on average, fewer than 1,000 visits per week or not a single visit for more than an entire month in the observation period. We also drop websiteinstances that exhibited strong traffic drops or peaks at some point in time that our available data cannot explain. Especially the website-instances that include visits to EU-websites from Non-EU-users exhibit a low average number of visits due to many EU-websites not being popular in Non-EU countries. This procedure results in a final sample of 9,683 website-instances, corresponding to 6,286 unique websites (Table 1.1). For 3,397 websites, we have two website-instances (EU and Non-EU-user bases), and for 2,889 websites, we have one website-instance (EU or Non-EU-user base). Overall, as we also show in Table 1.2, 5,683 websites, corresponding to 7,982 website-instances, belong to our treatment group, encompassing over 1.15 trillion total website visits from the EU. Table 1.1: Derivation of Final Sample of Website-Instances Website-Instances with EU-user data

Website-Instances with Non-EU-user data

Sample of (non-unique) websites (top 1,000 websites of 11 EU countries, CH and US)

11,000

13,000

Sample after removal of duplicated and non-existent websites (e.g., fraudulent pop-ups)

6,460

7,332

Sample after additional removal of website-instances with average weekly visits 1 month or strong outliers

5,494 (3,643 EU websites, 1,851 Non-EU websites)

4,189 (2,488 EU websites, 1,701 Non-EU websites)

Final sample (only for unique visitor analysis) after additional removal of website-instances with monthly unique visitors 5,000 unique visitors throughout the entire observation period.

32 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior SimilarWeb does not report unique visitor information for websites with less than 5,000 unique visitors in a month. Therefore, the unique visitor analysis contains a smaller set of 5,198 treated websites. Our control group consists of 1,701 websites, corresponding to the same number of website-instances (see Table 1.2), encompassing almost 1.8 trillion total website visits from Switzerland and the US. Table 1.2: Distribution of Website-Instances in Treatment and Control Groups

1.3.3.2 Description of User Quantity and Usage Intensity Metrics In what follows, we define our variables of interest, namely, our user quantity and usage intensity metrics. The examined variables are connected to some extent. Specifically, all metrics correspond with the weekly total number of visits, which is our main metric of interest. Still, despite the connectivity between the user quantity metrics, each provides a slightly different insight into the effects of the GDPR on user behavior. Furthermore, examining the user quantity metrics in relation to our main metric enables an examination of the different usage intensity metrics on websites. We, therefore, compare the respective effects of GDPR on the user quantity metrics for each website to examine GDPR’s effect on the usage intensity metrics. More specifically, we calculate the effect of GDPR on the usage intensity metrics based on the changes of the respective user quantity metrics corresponding to a specific usage intensity metric. For an overview of the relationship between the metrics, see Table 1.3.

33 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table 1.3: Relationship between the User Quantity and Usage Intensity Metrics User Quantity Metric

Corresponding Formula

Weekly Total Number of Visits

Main Metric Corresponds to all usage intensity metrics

Number of visits to a website in a week Measure of website’s traffic volume

Monthly Number of Unique Visitors Number of unique users visiting a website in a month Measure of website’s reach

Visits per Unique Visitor Total Number of Visits = Number of Unique Visitors

Weekly Number of Page Impressions Number of pages visited per week on a website by the entire user base Measure of website’s ability to spark engagement

Page Impressions per Visit =

Number of Page Impressions Total Number of Visits

Weekly Time on Website

Time per Visit

Time in minutes spent in a week on a website by the entire user base Measure of website’s ability to spark interest

=

Weekly Number of Bouncing Visitors Number of visits to a website in a week in which the user views only one page Measure of website’s ability to retain traffic

Usage Intensity Metric

Time on Website Total Number of Visits Bounce Rate

=

Number of Bouncing Visitors Total Number of Visits

Visits per Unique Visitor Average number of visits per unique visitor

Page Impressions per Visit Average number of pages viewed per visit

Time per Visit Average time spent on a website per visit

Bounce Rate Share of visitors leaving a website after just one page

We analyze all user quantity metrics on a weekly level, except for the number of unique visitors, for which data are only available on a monthly level. Due to large differences in the values of each metric across websites and countries, we convert all user quantity metrics (+1 to avoid zero values) to their natural logarithm so that we capture relative (i.e., percentage) effects. Figure 1.2 depicts the mean comparison (before and after GDPR) of the log-transformed user quantity variables for the 7,892 treated website-instances and the 1,701 control website-instances. We calculate the effects for the user quantity metrics per website-instance. We then determine the effect of GDPR on a website as follows: If only one website-instance corresponds to a specific website, i.e., only data for one user base is available for that website, the effect of GDPR on that website comprises only the effect of that one website-instance. All Non-EUwebsites (for these websites, only one website-instance belongs to the treatment group, see Figure 1.1) and about 30% of the EU-websites correspond with only one website-instance.

34 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure 1.2: Comparison of Logarithm of User Quantity Metrics between Treatment and Control Group and Pre- and Post-GDPR Period

For 70% of the EU-websites, two treated website-instances correspond to the same website, i.e., data for the EU and Non-EU-user base are available. For these websites, the overall effect of GDPR comprises the effects of both website-instances. Hereby, we consider the relative sizes of the two website-instances before GDPR when merging the two effects into one. For example, the website “zeit.de,” a reputable German online news website, received 98.94% of its visits from German (EU) users. Thus, GDPR’s effect on the number of visits on the website “zeit.de” comprises 98.94% of its effect on the website-instance corresponding to the EU-user base of “zeit.de,” and 1.06% of GDPR’s effect on the website-instance corresponding to the Non-EU-user base of “zeit.de.” This weighting procedure results in the same effects as we would have determined if we had combined the two website-instances from the beginning of the calculation. We then compare the respective effects of GDPR on the user quantity metrics for each website to examine GDPR’s effect on the usage intensity metrics that are calculated based on the changes of the user quantity metrics.

35 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.3.4

Description of Methodology to Analyze Data

We do not observe a control group for some website-instances, primarily due to the GDPR affecting both website-instances for a large share of our websites. Thus, we examine the effect of the GDPR on the various user behavior metrics using a combination of a panel differences estimation and the SCG approach and exploit the enforcement of the GDPR as the “treatment” event. The panel differences estimation is similar in spirit to a DiD approach (e.g., Janakiraman et al. 2018, Kumar et al. 2016, Goldstein et al. 2014) and aims to isolate the effect of treatment by comparing the differences before and after treatment (here GDPR) across two panels (here the treatment and control group). Combining the two approaches enables us to examine the differential impact that the enforcement of GDPR had on user behavior compared to our SCG. 1.3.4.1 Description of Methodology to Analyze User Quantity Metrics Using the regression formula below and the control and treatment group assignment described in Figure 1.1, we calculate the treatment effect (ߚଷ,௤,௪௜ ) for every website-instance wi for each user quantity metric q. To determine the development of the treatment effect over time t (here measured in weeks for all user quantity metrics except unique visitors where we measure t in months), we rerun our analysis several times, extending the duration of the postGDPR observation period in each analysis. We first consider a post-treatment period of 3 months after GDPR (up to August 25th, 2018, thus including observations from week 1 to week 60), then periods of 6 (week 1 to 73), 9 (week 1 to 86), 12 (week 1 to 99) and 18 (week 1 to 125) months. These analyses enable us to determine the GDPR’s short- up to the long-term effects. (1) ݈݊൫ܻ௤,௧,௪௜ + 1൯ = ߚ଴,௤,௪௜ + ߚଵ,௤,௪௜ ‫ܷܧ כ‬௪௜ + ߚଶ,௤,௪௜ ‫݀݋݅ݎ݁݌ݐݏ݋ܲ כ‬௧ + ߚଷ,௤,௪௜ ‫݀݁ݐܽ݁ݎܶ כ‬௧,௪௜ + ߳௤,௧,௪௜ Yq,t,wi:

Value of user quantity metric q in week t on website-instance wi

EUwi:

EU-Dummy, i.e., binary variable for which a value of 1 indicates that the users or website of website-instance wi are EU-based, else 0

Postperiodt:

Postperiod-Dummy, i.e., binary variable for which a value of 1 indicates that the observation in week t lies in the post-treatment period, else 0

Treatedt,wi:

= EUwi * Postperiodt; Treatment-Dummy, i.e., binary variable for which a value of 1 indicates that in week t, website-instance wi needs to consider GDPR, otherwise 0

߳ q,t,wi:

Error term for user quantity metric q in week t for website-instance wi

We rely on the SCG method (Abadie et al. 2015), which entails a synthetic construction of a control group whose pre-treatment patterns are comparable to those of the treatment group.

36 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior We construct this matched control group by selecting, for each treated website-instance, a weighted combination of several control website-instances. Thus, this approach requires (i) choosing a set of control website-instances to use and (ii) weighing each website-instance. We weigh such that the weighted combination of control website-instances, referred to collectively as the “synthetic control website-instance,” minimizes the pre-treatment mean squared error between the resulting synthetic control website-instance and the treated website-instance (following the approach outlined in Xu (2017)). Thus, this approach fulfills the parallel pre-treatment condition by construction. Then, we calculate the post-treatment metric of interest for the synthetic control website-instance that serves as the treated website-instance’s counterfactual. For each metric, we follow Abadie (2021) and Abadie et al. (2015) and carefully choose the control website-instances to obtain a reasonable control for the treated website-instance. The set of controls should (i) avoid the risk of overfitting, i.e., not be too large, and (ii) avoid the risk of bias, i.e., not exhibit large differences in (un-)observed factors compared to the treated website-instance. Thus, we select (i) five website-instances that (ii) belong to the same industry as the treated website-instance and (iii) have the highest pre-treatment correlations with the respective metric of the treated website-instance. Using these five control website-instances, we follow the approach outlined above to calculate the weights of these website-instances to create a synthetic control website-instance that exhibits a similar pre-treatment pattern as the treated website-instance. We then use the weights and observed values of the five website-instances to calculate a synthetic time series for the synthetic control website-instance, spanning the post-treatment period. The outcomes of these calculations serve as the control group to determine the effect of the treatment on the metric of interest for all website-instances. We repeat the process for each user quantity metric q and website-instance wi. We then determine the effect of GDPR on a website, referred to as ', as described above: If only one website-instance corresponds to a website, the GDPR’s effect on that website-instance and user quantity metric (ߚଷ calculated in Equation (1)) determines the GDPR’s effect on that website ('). If two website-instances correspond to a website, the effects of GDPR on both website-instances for the user quantity metric (two treatment effects ߚଷ,௪௜ ) determine the GDPR’s effect on that website ('), taking the relative sizes of the two website-instances for that one website into account. We determine these relative sizes for that one website based on the average sizes of the two website-instances over the entire pre-treatment period.

37 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.3.4.2 Description of Methodology to Analyze Usage Intensity After these steps, we have determined the effect of interest, the treatment effect ߚଷ , for all treated websites-instances, user quantity metrics, and post-treatment periods, and merged the treatment effects of the website-instances to obtain the treatment effects ' for all corresponding websites and user quantity metrics. We then use these treatment effects for all websites and post-treatment periods to examine the change in our usage intensity metrics for each website over time. For this examination, we take advantage of two aspects: First, each usage intensity metric is a function of two user quantity metrics, as shown in Table 1.3. For example, the number of visits per unique visitor is a function of the number of unique visitors and the total number of visits on a website w (see Table 1.3): ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ (2) ܰ‫ݎ݋ݐ݅ݏܸ݅ ݁ݑݍܷ݅݊ ݎ݁݌ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬௪ = ே௨௠௕௘௥ ௢௙ ௎௡௜௤௨௘ ௏௜௦௜௧௢௥௦

ೢ

Second, the treatment effects calculated with Equation (1) are relative (i.e., approximately percentage) changes of our user quantity metrics for each post-treatment period p. Thus, to visualize the relative change of the number of visits per unique visitor due to GDPR for a particular website w for a particular post-treatment period p, we include the GDPR’s effect in Equation (2): (3) ܰ‫ݎ݋ݐ݅ݏܸ݅ ݁ݑݍܷ݅݊ ݎ݁݌ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬௪ ‫ כ‬൫1 + οܰ‫ݎ݋ݐ݅ݏܸ݅ ݁ݑݍܷ݅݊ ݎ݁݌ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬௣,௪ ൯ = ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ ‫(כ‬ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ ) ே௨௠௕௘௥ ௢௙ ௎௡௜௤௨௘ ௏௜௦௜௧௢௥௦ೢ ‫כ‬൫ଵାοே௨௠௕௘௥ ௢௙ ௎௡௜௤௨௘ ௏௜௦௜௧௢௥௦೛,ೢ ൯

We use Equation (1) to calculate the GDPR’s effect, reflected in ', for the two user quantity metrics (number of unique visitors and total number of visits). To determine the effect on the usage intensity metric (number of visits per unique visitor), we rearrange Equation (3): ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦

೛,ೢ (4) οܰ‫ݎ݋ݐ݅ݏܸ݅ ݁ݑݍܷ݅݊ ݎ݁݌ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬௣,௪ = ଵାοே௨௠௕௘௥ ௢௙ ௎௡௜௤௨௘ ௏௜௦௜௧௢௥௦ െ1 ೛,ೢ

¨Number of Visits per Unique Visitorp,w: ¨Total Number of Visitsp,w: ¨Number of Unique Visitorsp,w:

GDPR’s effect in period p on the number of visits per unique visitor for website w GDPR’s effect in period p on the total number of visits for website w GDPR’s effect in period p on the number of unique visitors for website w

This process (see Section 1.9.2 in the Appendix for a detailed derivation of Equations (3) and (4)) enables us to reveal the GDPR’s effects on the number of visits per unique visitor for each website (within the final sample for the unique visitor analysis) and each post-treatment period p (i.e., after 3, 6, 9, 12, and 18 months of GDPR). We calculate the GDPR’s effects on

38 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior the other usage intensity metrics i (i.e., page impressions per visit, time per visit, and bounce rate) with the same procedure. However, these usage intensity metrics are a function of the total number of visits and different user quantity metrics q (see Table 1.3). Therefore, we need to adjust Equation (4) slightly: ଵାο௎௦௘௥ ொ௨௔௡௧௜௧௬ ெ௘௧௥௜௖

(5) οܷ‫ܿ݅ݎݐ݁ܯ ݕݐ݅ݏ݊݁ݐ݊ܫ ݁݃ܽݏ‬௜,௣,௪ = ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,೜,ೢ െ 1 ೛,ೢ

¨Usage Intensity Metrici,p,w: ¨User Quantity Metricp,q,w:

¨Total Number of Visitsp,w:

GDPR’s effect on the usage intensity metric i (Page Impressions per Visit, Time per Visit, Bounce Rate) in period p for website w GDPR’s effect in period p on the corresponding user quantity metric q (Number of Page Impressions, Time on Website, Number of Bouncing Visitors) for website w GDPR’s effect in period p on the total number of visits for website w

1.3.4.3 Description of Methodology to Analyze Variations of Effects across Websites After calculating the GDPR’s effects on user quantity and usage intensity for each website, we subsequently classify the websites according to a particular feature of interest – namely, website industry, popularity (measured by the ranks within SimilarWeb’s global, country, and industry rankings of websites), and the country of origin of the predominant user base – and examine whether specific website or user characteristics are associated with positive or negative as well as stronger or weaker effects due to GDPR.

1.4 Results of Empirical Study The following subsections outline the distribution of the GDPR’s effect across websites for user quantity and usage intensity. GDPR does not affect all websites the same way. While some websites experience negative effects, others are not affected by GDPR or even experience positive effects. The size of GDPR’s effects further differs across websites. As we later show, the GDPR’s effects on the analyzed metrics result in significant economic effects for websites. 1.4.1 GDPR’s Effect on User Quantity Metrics We visualize in Figure 1.3 the distribution of the GDPR’s effect on our main metric, the weekly total number of visits, over time. Figure 1.3 includes all websites, irrespectively of whether GDPR affects them significantly.

39 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure 1.3: Distribution of the Effect of GDPR on Weekly Total Number of Visits over Time

On average, in the 3 months after the GDPR, treated websites experience an average decline in visits of about 4.88%. Over time, this decrease becomes even stronger: After 1.5 years of GDPR, the number of visits to the treated websites is 10.02% lower due to GDPR. We further find that 3 months after the GDPR, the privacy law affects 59.31% of all websites negatively (the solid line plot in Figure 1.3 indicates the share of negatively affected websites). The share of websites that experience a decrease in visits increases to 66.70% after 18 months. For the rising share of websites that GDPR affects negatively, the corresponding negative effect becomes even more negative over time. At the same time, while there are websites that benefit from GDPR, particularly shortly after GDPR, the effect sizes corresponding to these positive effects decrease over time. For some of the initially positively affected websites, the effects even become negative after 12 or 18 months. Still, not all websites experience significant (i.e., statistically different from zero) effects by GDPR. Three months after GDPR, only about half of the websites (49.93%) experience significant effects (the dashed line plot in Figure 1.3 indicates the share of significantly (on the 5%-level) affected websites). Still, the share of significantly affected websites rises to 78.83% after 18 months of the GDPR. Overall, after 18 months for total visits, GDPR has had a significant positive effect for 23.96%, a significant negative effect for 54.87%, and no significant effect for 21.17% of all websites. 40 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table 1.4 summarizes the GDPR’s effect directions, the share of negatively affected websites, the share of significantly affected websites, and the development of the effects over time for our main user quantity metric, the total number of visits, and the four other user quantity metrics (see Section 1.9.1 in the Appendix for more details on the other metrics). Table 1.4: Summary of Results for User Quantity Metrics Metric

3 months

6 months

9 months

12 months

18 months

Total

Median:

-3.49%

-5.54%

-7.54%

-8.24%

-8.91%

Visits

Mean:

-4.88%

-7.22%

-9.07%

-9.57%

-10.02%

Share of significant effects:

49.93%

62.78%

70.64%

74.05%

78.83%

Share of negative effects:

59.31%

63.79%

66.94%

67.41%

66.70%

Unique

Median:

-1.24%

-3.50%

-5.60%

-6.04%

-6.65%

Visitors

Mean:

-0.77%

-3.27%

-5.50%

-6.18%

-6.61%

Share of significant effects:

54.15%

66.14%

73.43%

75.82%

80.52%

Share of negative effects:

53.40%

58.63%

61.64%

62.41%

61.73%

Page

Median:

-2.75%

-3.92%

-5.44%

-6.04%

-9.29%

Impres-

Mean:

-3.12%

-4.83%

-6.33%

-6.48%

-9.28%

sions

Share of significant effects:

46.53%

58.56%

66.21%

70.51%

76.06%

Share of negative effects:

56.25%

58.69%

60.06%

60.61%

64.19%

Time on

Median:

-4.51%

-6.07%

-8.42%

-9.19%

-9.50%

Website

Mean:

-4.72%

-6.84%

-8.89%

-9.87%

-9.68%

Share of significant effects:

43.88%

55.71%

64.30%

67.72%

74.18%

Share of negative effects:

59.46%

61.84%

64.89%

65.95%

63.55%

Bouncing

Median:

-4.14%

-6.77%

-8.94%

-9.48%

-10.16%

Visitors

Mean:

-4.35%

-7.28%

-9.48%

-9.94 %

-10.16%

Share of significant effects:

47.22%

59.92%

68.73%

73.10%

79.00%

Share of negative effects:

59.27%

64.57%

67.80%

67.43%

66.27%

The table shows a summary of GDPR’s effect on the user quantity metrics. The table shows the mean and median values of the change in the metrics due to GDPR over all websites in each of the analyzed periods. The shares of negative effects and of significantly different effects (on the 5%-level) from zero are reported for each period. For example, the 3-month effect of GDPR for total visits over all websites (second row / third column) was on average -4.88%, the median effect was -3.49%, 59.31% of the websites were negatively affected, and 49.93% of the websites were significantly affected.

The results for our other four user quantity metrics are all substantively similar to our main user quantity metric, the total number of visits. For example, the GDPR affects the average treated website negatively for all user quantity metrics in all examined time points. Furthermore, the share of negatively affected websites increases over time (between 53.40% and 59.46% after 3 months; between 61.73% and 66.70% after 18 months), and the share of significantly affected websites increases over time (between 43.88% and 54.15% after 3 months; between 74.18% and 80.52% after 18 months).

41 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior The most prominent – albeit small – differentiating factor across the user quantity metrics is the size of the effects. Most notably, GDPR affects treated websites’ page impressions, time on the website, and bouncing visitors similarly as total visits (on average -3.12% to -4.88% after 3 months; -9.28% to -10.16% after 18 months). Contrastingly, GDPR’s effect on unique visitors is smaller than our main metric: Three months after GDPR, the number of unique visitors decreases by 0.77% and 6.61% after 18 months of GDPR. 1.4.2

GDPR’s Effect on Usage Intensity Metrics

The differences in the effect sizes across the user quantity metrics reveal that while there are dependencies among the user quantity metrics, additional metrics influence the observed effect sizes – the usage intensity metrics (see Table 1.3 for the relationship between the user quantity and usage intensity metrics). If the usage intensity for an average user on a website had stayed the same post-GDPR, there would be no difference in the effect sizes for the different user quantity metrics. Thus, the differences in the user quantity metrics uncover that the underlying usage intensity changes due to GDPR, which we examine in what follows. Table 1.5 shows a summary of GDPR’s effects on the four usage intensity metrics. Unlike the user quantity metrics, which all exhibited the same average direction of effects, we observe different effect directions across the usage intensity metrics. For example, after 3 months of GDPR, there is a decrease in the average number of visits that a unique visitor conducts to a website (-1.62%), the average time per visit (-0.83%), and the bounce rate (+0.81%; note that an increase in the bounce rate is an undesired development). At the same time, the page impressions per visit increase post-GDPR (+2.44% after 3 months). We further observe that over time, the GDPR’s effect becomes more positive: The initial average reduction in the time per visit becomes positive after 18 months of GDPR (+0.09%), the page impressions per visit increase even more after 18 months of GDPR (+2.15%), and the reduction of visits per unique visitor becomes weaker (-0.59%). However, the bounce rate increases over time (+2.51% after 18 months of GDPR). Given the substantial differences in effect sizes and directions across websites for our user quantity metrics, we further examine the usage intensity by dividing the websites into groups that experienced an increase or decrease in the user quantity due to GDPR. Particularly, 46.60% and 38.27% of websites increased unique visitors after respectively 3 and 18 months; total visits increased for respectively 40.69% and 33.30% (Table 1.5).

42 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table 1.5: Summary of GDPR’s Effect on Usage Intensity Metrics 3 months Metric Visits per Unique Visitor

Page Impressions per Visit

Time per Visit

Bounce Rate

Share of Websites

Median Effect

18 months Mean Effect

Share of Websites

Median Effect

Mean Effect

All Treated Websites

100.00%

-2.62%

-1.62%

100.00%

-2.81%

-0.59%

Treated Websites that Gain Unique Visitors

46.60%

-6.19%

-6.46%

38.27%

-9.37%

-9.09%

Treated Websites that Lose Unique Visitors

53.40%

+1.23%

+2.56%

61.73%

+1.39%

+4.77%

All Treated Websites

100.00%

+0.56%

+1.97%

100.00%

+0.28%

+2.15%

Treated Websites that Gain Total Visits

40.69%

-2.92%

-2.44%

33.30%

-4.87%

-4.58%

Treated Websites that Lose Total Visits

59.31%

+3.07%

+5.05%

66.70%

+3.11%

+5.53%

All Treated Websites

100.00%

-1.96%

-0.83%

100.00%

-0.93%

+0.09%

Treated Websites that Gain Total Visits

40.69%

-3.92%

-3.18%

33.30%

-4.40%

-4.02%

Treated Websites that Lose Total Visits

59.31%

-0.09%

+0.82%

66.70%

+1.25%

+2.14%

All Treated Websites

100.00%

-0.57%

+0.81%

100.00%

-0.58%

+2.51%

Treated Websites that Gain Total Visits

40.69%

-3.36%

-2.86%

33.30%

-4.81%

-3.76%

59.31% +1.36% +3.38% 66.70% +1.36% +5.67% Treated Websites that Lose Total Visits The table shows a summary of GDPR’s effect on the usage intensity metrics. The table shows the mean and median values of the change in the metrics due to GDPR 1) over all websites, 2) over the websites that experience positive user quantity effects, and 3) over the websites that experience negative user quantity effects in each of the analyzed periods. For example, the average 3-month effect of GDPR for visits per unique visitor over all websites (third row / fifth column) was -1.62%, and the median effect (third row / fourth column) was -2.62%.

Using this division, we observe that the effect direction of all usage intensity metrics aligns for the two groups: Websites that experience an increase in user quantity exhibit a decrease in usage intensity of the average user, and websites that experience a decrease in user quantity exhibit an increase in usage intensity. Thus, among websites that lose unique visitors, the remaining visitors visit those websites more often. However, websites that gain unique visitors gain visitors who re-visit less frequently and have a lower usage intensity for these visits in terms of page impressions and time. The corresponding effects become even stronger over time for all usage intensity metrics, i.e., the positive effects become more positive, and the negative effects become more negative. For example, 3 months after GDPR, the websites that gain unique visitors experience a 6.46% decrease in the number of visits per unique visitor compared with pre-GDPR levels; 18 months after GDPR, unique visitors decreased by 9.09%. Yet, the websites that lose unique visitors experience a 2.56% increase in the number of visits per unique visitor after 3 months, and 4.77% after 18 months. We observe the same effect directions and similar – albeit smaller – 43 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior effect sizes for the other usage intensity metrics: For websites that increase total visits, after 3 (18) months of GDPR, the average number of page impressions decreases by 2.44% (4.58%), the time per visit by 3.18% (4.02%), and the bounce rate by 2.86% (3.76%). For the websites that lose total visits, after 3 (18) months of GDPR, the average number of page impressions increases by 5.05% (5.53%), the time per visit by 0.82% (2.14%), and the bounce rate by 3.38% (5.67%). 1.4.3

Variation in GDPR’s Effects as a Function of Website and User Characteristics

The previous section examined the distribution of GDPR’s effect across websites on the user quantity and usage intensity, showing that GDPR has affected websites differently. In what follows, we analyze how the effects of the GDPR on user quantity metrics vary as a function of website characteristics – website industry and website popularity – and user characteristics, namely, users’ country of origin. For each of these analyses, we classify the websites according to the focal feature of interest (e.g., website industry) and calculate the average effect of GDPR on our main user quantity metric, i.e., the total number of visits, across all websites within each category (e.g., same industry). 1.4.3.1 Variation in the GDPR’s Effects as a Function of the Industry of the Website Figure 1.4 shows that the GDPR affects websites from different industries in very different ways. Websites within the “Heavy Industry and Engineering” and “Gambling” industries show the most negative effects, losing an average of almost 50% and 20% of their total visits 3 months after GDPR, followed by “Lifestyle,” “Games,” “Arts and Entertainment,” “Reference Materials” and “Hobbies and Leisure.” Websites in the “Business and Consumer Services” and “Vehicles” industries experience positive effects throughout the entire observation period. Some industries exhibit positive effects shortly after the GDPR and subsequently experience negative effects, such as “Travel and Tourism” and “E-Commerce and Shopping.”

44 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

Reading example: The value of 4.31% in the upper left panel (i.e., the figure with the GDPR’s 3-month effect across website industries) means that, on average, GDPR increases the total number of visits of the websites in the industry “Business and Consumer Services” by 4.31%.

Figure 1.4: Distribution of the Effect of GDPR across Website Industries

45 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.4.3.2 Variation in the GDPR’s Effects as a Function of Website Popularity To examine the role of website popularity in GDPR’s effect distribution, we split the websites into deciles according to their global, country, and industry ranks. While the country and industry ranks are initially reported separately for each country and industry that a website belongs to, we group the corresponding ranks for all countries and industries together, respectively, for the assignment into deciles. That way, the 10% most popular websites (i.e., the ones with the lowest rank numbers) worldwide, across all countries and industries, are part of the 1st decile, while the 10% least popular websites are part of the 10th decile. Figure 1.5 shows the distribution of the average effect of GDPR on the websites based on the industry rank deciles. Analyses based on the global and country ranks result in similar distributions. Website popularity plays an important role in the effect distribution: Less-popular websites suffer from more negative effects than popular ones. Specifically, websites within the four bottom deciles exhibit far more negative effects than websites within other deciles. While the least popular websites (i.e., those in the bottom decile) suffer the most from GDPR (up to a 21% drop in total visits 18 months after the GDPR), websites within the 6th-9th industry-rank deciles exhibit a drop in the number of visits by, on average, 4.30%-6.23% after 3 months, and by 10.31%-11.51% after 18 months. Interestingly, the websites in the top decile (i.e., the most popular websites) show more negative effects, and even more so over time (3.74% after 3 months; 9.04% after 18 months), than websites in the 2nd-5th deciles (1.82%-2.96% after 3 months; 5.82%-7.25% after 18 months). Still, the overall trend shows that users react less negatively to the changes induced by GDPR on more popular websites than the less popular ones, suggesting that the market is more concentrated after GDPR. This increase in market concentration is strongest in the first 3-9 months after GDPR but still exists 1.5 years after the GDPR. At the same time, research suggests that companies can employ several methods to mitigate the negative effect of privacy laws on the competition by, e.g., reducing privacy concerns (Bleier et al. 2020; Turjeman and Feinberg 2020). Such mitigations might even result in companies experiencing a positive effect from privacy laws. While we observe that there are websites that experience such positive effects, we also observe that, on average, GDPR affects websites negatively. Thus, the increased market concentration we observe post-GDPR suggests that websites should consider employing the methods discussed in the literature cited above to mitigate such negative effects.

46 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Reading example: The value of -3.74% in the upper left panel (i.e., the figure with the GDPR’s 3-month effect across industry rank deciles) means that, on average, GDPR reduces the total number of visits across the most popular (i.e., those in the top-decile) websites in each industry by -3.74%. The results of the top-decile reflect the change of the 10% highest-ranked websites over the 24 industries.

The Impact of Privacy Laws on Online User Behavior

Figure 1.5: Distribution of the Effect of GDPR across Deciles of Industry Ranks

47

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.4.3.3 Variation in the GDPR’s Effects as a Function of Users’ Country of Origin To examine the relationship between users’ country of origin and the effect of GDPR, we categorized each website according to its most popular user base’s country of origin (recall that our dataset provides user behavior data corresponding to the country in which the website is most popular, as well as data corresponding to users in the US). Figure 1.6 suggests that the effects of the GDPR vary as a function of users’ country of origin. Websites whose primary user base is from Denmark, Poland, or Germany suffered the least from GDPR over the analyzed period: 3 months after GDPR, the number of visits from users based in these countries decreased, on average, by 1%, 2.3%, and 2.9%, respectively. The strongest drops in website visits were associated with users from Austria, the Netherlands, UK, Hungary, Sweden, and Switzerland.

48 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

Reading example: The value of -1.06% in the upper left panel (i.e., the figure with the GDPR’s 3-month effect across user countries) means that, on average, GDPR reduces the total number of visits of users coming from Denmark by 1.06%

Figure 1.6: Distribution of the Effect of GDPR across User Countries

49 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.4.4

Robustness of Results

Our analysis required us to make several decisions, which may have impacted our findings. We categorize these decisions into five groups: website selection, control group, data, confounding factors, and SCG method. In Sections 1.9.3 to 1.9.8 in the Appendix, we examine how strongly our decisions impact our results. Here, we summarize the analyses’ main results. 1.4.4.1 Robustness Checks with Respect to Website Selection We selected a threshold of an average of 1,000 visits per week and removed all websites with fewer visits from our sample. To examine the sensitivity of the results for the chosen threshold, we conduct two robustness checks: 1) reduce the threshold to 700, and 2) increase the threshold to 2,000. As we show in Section 1.9.3 in the Appendix, our findings are robust to decreasing the threshold to 700 visits per week and increasing it to up to 1,700 visits per week – but not further. So, it does not look like our chosen threshold impacted our results. 1.4.4.2 Robustness Checks with Respect to Control Group For our control group, we use website-instances corresponding to Non-EU-websites and Non-EU-users. Still, Non-EU-websites could voluntarily comply with GDPR for Non-EUusers, resulting in a potential spillover effect of GDPR to our control group (i.e., the so-called Brussels effect). Such a spillover effect would reduce the suitability of our control group as some control websites would be treated as well. This spillover effect of voluntary compliance could take two potential forms: First, websites could adapt their data storage systems to accommodate GDPR requirements for all users. Second, websites could adapt their user interface (e.g., privacy policy, consent banners) for all users. While rumors exist for the first form (e.g., Microsoft), they do not exist for the second form. Instead, websites show different user interfaces depending on a user’s location (e.g., The Washington Post). As we measure the effect of websites implementing GDPR on their website, we only capture the second form of spillover effects in our analysis. Still, we further examine our control group. The incentive for voluntary compliance is likely higher for Non-EU-websites if the share of EU-users is higher (i.e., websites must comply with the GDPR for a large share of users). Thus, we divide Non-EU-websites into deciles based on their EU-user-share and examine the results for our main metric. Section 1.9.5 in the Appendix shows that our main metric increases post-GDPR across all deciles for the control group. We further find no relation between the

50 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior EU-user-share of control websites and the log-difference between the Non-EU-user base before and after the GDPR.

.

Furthermore, a spillover effect of GDPR to our control group would become apparent if the behavior of Non-EU-users on EU-websites (part of our treatment group) does not differ from their behavior on Non-EU-websites (control group). Similarly, a spillover effect would be likely if the behavior of EU-users on the Non-EU-websites (part of our treatment group) does not differ from the behavior of Non-EU-users on the same websites (control group). Section 1.9.5 in the Appendix shows that these differences in user behavior occur. A manual inspection of the user interface on a subsample of control websites further indicates no voluntary compliance. Overall, a spillover effect is not present or not large enough to change our results in size or directions. Furthermore, websites based in the EU before GDPR could have decided to relocate to a Non-EU location to avoid having to comply with GDPR for Non-EU-users. These strategic shifts would reduce the suitability of our control group as some websites would have selfselected themselves to belong to the control group. Thus, we examine these possible strategic shifts performed by websites: We re-calculate the GDPR’s effect on our main metric for a subsample with a stricter control group that includes only websites with domain suffixes indicating a Non-EU location. Section 1.9.5 in the Appendix shows no significant difference in the GDPR’s effect for the two approaches. 1.4.4.3 Robustness Checks with Respect to Data We utilize a dataset provided by SimilarWeb. Although companies (e.g., Google, Alibaba) and researchers (e.g., Calzada and Gill 2020, Lu et al. 2020) use SimilarWeb’s data, SimilarWeb is not very transparent about its data collection procedures and whether GDPR affects SimilarWeb in its data collection methods. Therefore, we compare the quality of the SimilarWeb data for a subset of websites with another data source (German AGOF, https://www.agof.de/en). AGOF is a highly reliable and certified data source trusted by the German media market, making it the official traffic source in Germany. Additionally, it is very transparent in its data collection procedure. The analysis within Section 1.9.6 in the Appendix shows no significant difference in terms of the number of unique visitors and number of page impressions between those two data sources after GDPR. AGOF states that GDPR does not

51 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior directly impact its metrics but that users might change their interaction with websites due to GDPR– which is what we want to measure in this article. 1.4.4.4 Robustness Checks with Respect to Confounding Factors The enforcement of GDPR might have coincided with other changes in potentially confounding factors, such as an increase in internet speed that differs between our control and treatment groups and changes in user behavior on websites, affecting the estimated treatment effect. Therefore, in Section 1.9.7 in the Appendix, we investigate whether there have been substantial changes in confounding factors for Non-EU-users and EU-users (i.e., internet speed, the share of the population with internet access/laptop/smartphone). We find no evidence for a difference between the user groups in the pre- and post-GDPR comparison across the factors mentioned above that could substantially increase the control group’s user behavior. 1.4.4.5 Robustness Checks with Respect to the Synthetic Control Method When calculating GDPR’s effects in our analysis, we had to make several decisions regarding the method used, the requirement of the control and treated websites belonging to the same industry, and the number of control websites. As these decisions might impact our results, we examine the sensitivity of our estimates to the selected specifications. Firstly, regarding the method used, we re-calculate the GDPR’s effect for our main metric for a subsample using the original SCG method (Abadie et al. 2015; Bell et al. 2017), applied in the R package “synth” – instead of the R package “gsynth.” Secondly, our SCG consisted of five websites within the same industry as our treated website with the highest pre-treatment correlations. To reveal the impact of these decisions, we repeated the analysis with the SCG consisting of 1) five websites with the highest pre-treatment correlations irrespectively of the industry (instead of belonging to the same industry), 2) five websites that are matched based on the EU-traffic share (instead of belonging to the same industry), and 3) ten websites (instead of 5). Section 1.9.8 in the Appendix shows no significant difference in the observed effects, indicating that our results are robust to these specifications.

52 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1.5 Discussion 1.5.1

Summary of Results: User Quantity and Usage Intensity

The results of our user quantity and usage intensity analyses show that, on average, and at each time point investigated, the GDPR negatively affected most user quantity and usage intensity metrics (except for the page impressions per visit). We further observe that the negative effects of GDPR become stronger over time: 3 months after the GDPR, the user quantity metrics of treated website-instances drop on average by 0.8%-4.9%; 18 months after the GDPR, the average values of these metrics are 6.6%-10.2% below their pre-GDPR levels. These findings highlight the importance of investigating the effects of the GDPR over a longer period. Overall, though GDPR affected some websites positively, it affected most (62%-67%, depending on the user quantity metric) of the websites negatively after 18 months. As outlined in Table 1.3, our user quantity metrics depend on one another: All user quantity metrics are a function of the total number of visits and one corresponding usage intensity metric. Thus, it is not too surprising that the directions of the effects of the user quantity metrics are aligned. The predominant difference between the GDPR’s effect on the user quantity metrics is the effect sizes – differences driven by the usage intensity metrics. Concerning usage intensity, we observe that the average effect of GDPR on usage intensity is generally negative in the first 3 months of GDPR (i.e., the bounce rate rises by 0.8%, the number of visits per unique visitor and the time spent per website visit decrease by 1.6% and 0.8%, respectively; only the page impressions per visit show a positive effect with a 2.0% increase), but the negative effects become less strong over time. After 18 months of GDPR, the number of visits per unique visitor is only 0.6% below the pre-GDPR baseline, and the number of page impressions and the time spent per visit even increase by 2.2% and 0.1%, respectively. Only the bounce rate shows a negative trend – it increases by 2.5%. The effect distribution across websites reveals that the GDPR’s effects on usage intensity metrics partly balance out the effects on user quantity, i.e., an increase in user quantity usually goes along with a decrease in usage intensity and vice versa. For example, among websites that lose unique visitors after GDPR, the remaining visitors use the website more intensively than they did pre-GDPR: The average user generates more visits to those websites (e.g., 4.8% more visits per unique visitor 18 months post-GDPR), and engages more with the websites in each visit, as reflected in increases in the number of page impressions (+4.6%) and the time spent

53 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior per visit (+2.1%). However, the user base exhibits an increased bounce rate, although the absolute number of bouncing visitors decreases. Websites that gain unique visitors experience the opposite effect: The number of visits per unique visitor is lower post-GDPR than pre-GDPR (e.g., 9.1% lower at 18 months postGDPR), and these unique visitors spend less time on each visit (-4.0%) and view fewer pages per visit (-4.6%), as compared with pre-GDPR unique visitors. Together with the increasing number of visits, the number of bouncing visitors rises, although the bounce rate decreases slightly. Together, these results suggest that the GDPR negatively affects the average website in one of two major ways: Either the website experiences difficulties in attracting users, or, having attracted users, it struggles to keep them engaged and get them to return. Existing literature shows similar effects of privacy laws. For example, Goldberg et al. (2021) show that GDPR reduces the page impressions by about 12%, on average, for affected websites in the first 6 months of GDPR. We observe a weaker but still strong negative effect of GDPR. Furthermore, we discussed the potential reasons for the positive and negative effects in our literature review and show that GDPR affects websites differently: For some websites, the user base shows positive effects due to the website’s adjustment to GDPR, potentially due to lower privacy concerns (e.g., Martin 2015) or higher trust in the website (e.g., Martin et al. 2017). The user base reacts negatively for other websites, potentially due to the new awareness of data disclosure activities or increased privacy concerns (e.g., Dinev and Hart 2006). Again, the user base does not change the behavior for other websites, potentially due to the actual behavior not reflecting the stated privacy preferences (e.g., Acquisti 2004) or a continued feeling of powerlessness (Few 2018) even after the enforcement of GDPR. The diverse reactions from users shown in the literature and observed in this study show the complex relationship between the user’s attitudes towards privacy and the resulting user behavior. Following the GDPR, users might not only change their website visiting behavior, but also their reaction to online advertising or targeting, or their general attitudes towards websites – especially those that react negatively to the GDPR adjustments by websites (as discussed by Kim et al. (2018) in the case of websites’ transparency regarding data disclosure).

54 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.5.2

Differential Effects of the GDPR as a Function of Website and User Characteristics

Our results show that that the effects of the GDPR varied across different websites. In particular, less popular websites were hurt the most: 18 months post-GDPR, the 10% least popular websites experienced an average drop of 21% in the total number of visits. The 10% most popular websites, in contrast, experienced an average drop of only 9% in total visits. These results suggest that the GDPR increased market concentration. These effects may reflect users’ stronger motivation to continue using more popular and valued websites despite any potential disadvantages created by the GDPR – including, for example, users’ heightened awareness of data disclosure or diminished convenience of use due to website compliance. For less popular websites, users may be less likely to feel that the benefits of continued use outweigh the disadvantages. We further observed that the effects of the GDPR varied across websites from different industries. For example, the most negatively affected websites included those in the Entertainment and Lifestyle segment (7.4%-13.8% decrease in visits after 18 months of GDPR). Other types of websites experienced positive effects (e.g., Vehicles with an increase of 3.9% in total visits after 18 months). These effect differences may indicate differences in users’ expectations regarding privacy across industries. For example, users visiting entertainment websites may previously have been less aware of data collection than users on, e.g., e-commerce websites, where it is necessary to provide information to purchase products. Consequently, highlighting data collection practices may have been more “surprising” to users of entertainment websites and had a stronger effect on their behavior. Likewise, as in the case of more popular websites, users seeking services in domains that they deem more necessary may feel that the advantages of continuing to use the website outweigh the disadvantages – and in some cases, they may even value the added safeguards on their privacy. Finally, we observed that the GDPR’s effects differed across users from different countries of origin, reflecting cultural differences across countries. For example, users from Denmark, Poland, Germany, Italy, and Spain reacted less negatively to the GDPR than users from the Netherlands, Sweden, and the UK.

55 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1.6 Analysis of GDPR’s Economic Effect on Websites Our study focused on quantifying the effect of the GDPR on user quantity and usage intensity. However, what is also of interest in policymakers’ tradeoffs is the extent to which the GDPR damages companies’ revenue, as this damage is likely to cause negative societal effects. In what follows, we outline a back-of-the-envelope estimation of the magnitude of possible economic effects on the websites resulting from changes in user behavior due to GDPR. In these estimations, we rely on the average effects of GDPR after 18 months as the basis for our calculations. We present two different estimations corresponding to two kinds of websites: 1) websites that earn money by selling products, i.e., e-commerce websites, and 2) websites that earn money by displaying ads. 1.6.1

Analysis of GDPR’s Economic Effect on E-Commerce Websites

For the e-commerce websites within this study’s sample, the average drop in total visits at 18 months post-GDPR amounted to 3.37% (see Figure 1.4). The determining revenue factors of an e-commerce website w are the number of visits (i.e., non-unique visitors), the conversion rate (i.e., the share of visits resulting in a purchase), and the revenue per purchase: (6) ܴ݁‫݁ݏ݄ܽܿݎݑܲ ݎ݁݌ ݁ݑ݊݁ݒܴ݁ כ ݁ݐܴܽ ݊݋݅ݏݎ݁ݒ݊݋ܥ כ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑܰ = ݁ݑ݊݁ݒ‬ Based on the Q1 2020 e-commerce benchmarks by Monetate (2020), the revenue per purchase globally is $105.99, and the average conversion rate per visit is 1.91%. Looking at the ecommerce websites within the website sample of this study, the average yearly total number of visits across all countries amounted to 70,461,862. Thus, the average yearly revenue for an ecommerce website within this study’s sample before GDPR amounts to: (7) ܴ݁‫݁ݑ݊݁ݒ‬௔௩௚. = 70,461,862 ‫ כ‬1.91% ‫ כ‬$105.99 = $142,643,623.54. The average drop in total visits 18 months (=1.5 years) after the GDPR to the e-commerce websites within the study’s sample represents the respective drop in website visits: (8) ܴ݁‫݄݁݃݊ܽܥ ݁ݑ݊݁ݒ‬ଵ଼ ௠௢௡௧௛௦ = െ3.37% ‫ כ‬$142.643.623,54 ‫ כ‬1.5 = െ$7,209,722.73. A decrease of 3.37% in total visits due to GDPR can thus decrease the revenue of an average e-commerce website by over $7 million in the first 18 months after enforcement of the GDPR.

56 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.6.2

Analysis of GDPR’s Economic Effect on Ad-Based Websites

For an ad-based website, the determining factors for the revenue are the number of page impressions, the number of ads displayed per page impression, and the price per ad impression. (9) ܴ݁‫݋ܰ = ݁ݑ݊݁ݒ‬. ‫݁ܿ݅ݎܲ ݀ܣ כ ݊݋݅ݏݏ݁ݎ݌݉ܫ ݃ܽܲ ݎ݁݌ ݏ݀ܣ כ ݏ݊݋݅ݏݏ݁ݎ݌݉ܫ ݁݃ܽܲ ݂݋‬ As an example of an ad-based industry, we examine the economic effect of the GDPR on websites within the News and Media industry. In our sample, the average number of yearly page impressions on a news and media website across all regions was 358,859,344. A random sample of the homepages and article pages of 7 important news websites (nytimes.com, huffpost.com, washingtonpost.com, news.yahoo.com, bbc.com, wsj.com, and cnn.com) shows an average of 7.6 ads per page. Based on both ComScore (2010) and TheBrandOwner (2017), the average CPM (cost for a thousand ad impressions) for news websites lies between $7 and $8 (here $0.0075 per impression). Using these values, the total yearly revenue for an average news website before the GDPR for the analyzed website sample amounts to: (10)

ܴ݁‫݁ݑ݊݁ݒ‬௔௩௚. = 358,859,344 ‫ כ‬7.6 ‫ כ‬$0.0075 = $20,454,982.61.

The average effect of GDPR on page impressions after 18 months on our sample of news and media websites is a drop of 8.05%. This reduction in the number of page impressions decreases the revenue of news websites significantly: (11)

ܴ݁‫݄݁݃݊ܽܥ ݁ݑ݊݁ݒ‬ଵ଼ ௠௢௡௧௛௦ = െ8.05% ‫ כ‬$20,454,982.61 ‫ כ‬1.5 = െ$2,469,953.43.

A decrease in page impressions of 8% due to the GDPR can thus decrease the revenue of an average news and media website by almost $2.5 million in the first 1.5 years after the GDPR.

1.7 Concluding Remarks Our analysis reveals that, during the 1.5 years following the GDPR’s enforcement, the privacy law affected user quantity and usage intensity (among the websites to which the privacy law applied) negatively, on average. Furthermore, the effects increase over time, highlighting the importance of examining the effects of the privacy law’s enforcement over time as it might take some time for their full effect to become apparent. Our results further suggest that the effects were not evenly distributed across websites, with less-popular websites and websites within certain industries being more strongly affected than others – and in fact, some websites

57 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior were positively affected. We have shown how to use our findings to assess the economic loss that websites might suffer due to the enforcement of new privacy laws. Our results rest upon the assumption that our control group is unaffected by GDPR. We provide support for this assumption but cannot entirely exclude that the treatment also impacted the control group. If that were the case, the actual treatment effect would be even larger than our estimated treatment effect so that our results would represent a lower bound of GDPR’s effect. Our results provide policymakers with an assessment of how the GDPR becoming effective has changed users’ interactions with websites, the financial outcomes of websites, and the competitive landscape. This information is of interest in itself and can assist policymakers and companies in making inferences and predictions about similar upcoming privacy laws. In particular, policymakers might use our results to adjust privacy laws in the drafting stage or issue guidelines and frameworks complementing already enforced or approved privacy laws. In this regard, we note that, given the novelty of the GDPR (as the first major European privacy law since the e-Privacy Directive in 2002), coupled with its strict nature, users’ reactions to the GDPR might be stronger than their reactions to other, less strict privacy laws. Thus, the effect sizes found in this article may represent an upper bound for the effects of other privacy laws. It is important to acknowledge that underlying our results is a complex pattern of user behavior, reflecting users’ responses to changes in websites’ privacy policies and consent banners (e.g., requests for consent to data collection), influenced by a calculus of the benefits and disadvantages of continuing to use particular websites, given these new policies. Yet, it seems reasonable to assume that overall use of the internet is unlikely to change due to a privacy law such as GDPR. Consequently, users might reallocate their usage to spend more time on the websites they value or trust. Indeed, our results are compatible with this type of reallocation. The sunk-cost effect could explain this change in usage allocation across websites (Arkes and Blumer 1985), which states that 1) users tend to use a product or service more if they know what it cost them, and 2) users want to use paid-for services more to not feel like they wasted their money. In this scenario, a privacy law may make users aware of the “cost” of a website’s services – i.e., users pay with their data – leading users to prefer websites to which they have already provided data. These underlying patterns of user behavior are outside the scope of the current research. Still, the empirical exploration of the mechanisms underlying our observed behavioral trends opens up further research opportunities.

58 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1.8 References Abadie, A. (2021): “Using Synthetic Controls: Feasibility, Data Requirements, and Methodological Aspects”, Journal of Economic Literature, 59 (2), 391-425. Abadie, A.; Diamond, A.; Hainmueller, J. (2015): “Comparative Politics and the Synthetic Control Method”, American Journal of Political Science, 59 (2), 495-510. Acquisti, A. (2004): “Privacy in Electronic Commerce and the Economics of Immediate Gratification”, Proceedings of the 5th ACM Conference on Electronic Commerce, USA. Acquisti, A.; John, L. K.; Loewenstein, G. (2013): “What is Privacy Worth?”, Journal of Legal Studies, 42 (2), 249-274. Acquisti, A.; John, L. K.; Loewenstein, G. (2012): “The Impact of Relative Standards on the Propensity to Disclose”, Journal of Marketing Research, 49 (2), 160-174. Arkes, H. R.; Blumer, C. (1985): “The Psychology of Sunk Cost”, Organizational Behavior and Human Decision Processes, 35 (1), 124-140. Belanger, F.; Crossler, R. E. (2011): “Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems”, MIS Quarterly, 35 (4), 1017-1041. Bell, D. R.; Gallino, S.; Moreno, A. (2017): “Offline Showrooms in Omnichannel Retail: Demand and Operational Benefits”, Management Science, 64 (4), 1629-1651. Bleier, A.; Goldfarb, A.; Tucker, C. (2020): “Consumer Privacy and the Future of DataBased Innovation and Marketing”, International Journal of Research in Marketing, 37 (3), 466-480. Brandimarte, L.; Acquisti, A.; Loewenstein, G. (2013): “Misplaced Confidences: Privacy and the Control Paradox”, Social Psychological and Personality Science, 4 (3), 340-347. Calzada, J.; Gil, R. (2020): “What Do News Aggregators Do? Evidence from Google News in Spain and Germany”, Marketing Science, 39 (1), 134-167. Campbell, J.; Goldfarb, A.; Tucker, C. (2015): “Privacy Regulation and Market Structure”, Journal of Economics and Management Strategy, 24 (1), 47-73.

59 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior ComScore (2010): “ComScore Media Metrix Data”, https://www.comscore.com/Insights/Press-Releases/2010/6/The-New-York-Times-Ranks-as-Top-Online-Newspaper-According-to-May-2010-U.S.-comScore-Media-Metrix-Data?cs_edgescape_cc=DE, last accessed on October 05, 2021. Culnan, M. J.; Armstrong, P. K. (1999): “Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation”, Organization Science, 10 (1), 104-115. Degeling, M.; Utz, C.; Lentzsch, C.; Hosseini, H.; Schaub, F.; Holz, T. (2019): “We Value Your Privacy … Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy”, Proceedings of the Network and Distributed System Security Symposium 2019. Dinev, T.; Bellotto, M.; Hart, P.; Russo, V.; Serra, I.; Colautti, C. (2006): “Privacy Calculus Model in E-Commerce: A Study of Italy and the United States”, European Journal of Information Systems, 15 (4), 389-402. Dinev, T.; Hart, P. (2006): “An Extended Privacy Calculus Model for E-Commerce Transactions”, Information Systems Research, 17 (1), 61-80. Few, S. (2018): “Big Data, Big Dupe. A Little Book About a Big Bunch of Nonsense, El Dorado Hills, CA: Analytics Press. GDPR 2016/679: Regulation (EU) 2016/679, Official Journal of the European Union. Goldberg, S.; Johnson, G.; Shriver, S. (2021): “Regulating Privacy Online: An Economic Evaluation of the GDPR”, Working Paper, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3421731, last accessed on October 05, 2021. Goldfarb, A.; Tucker, C. E. (2011a): “Privacy Regulation and Online Advertising”, Management Science, 57 (1), 57-71. Goldfarb, A.; Tucker, C. E. (2011b): “Online Display Advertising: Targeting and Obtrusiveness”, Marketing Science, 30 (3), 389-404. Goldstein, D. G.; Suri, S.; McAfee, R. P.; Ekstrand-Abueg, M.; Diaz, F. (2014): “The Economic and Cognitive Costs of Annoying Display Advertisements”, Journal of Marketing Research, 51 (6), 742-752. Holvast, J. (1993): “Vulnerability and Privacy: Are We on the Way to a Risk-Free Society?”, Proceedings of the IFIP-WG 9.2 Conference.

60 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Hu, X.; Sastry, N. (2019): “Characterising Third Party Cookie Usage in the EU After GDPR”, Proceedings of the 11th ACM Conference on Web Science, 137-141. Janakiraman, R.; Lim, J. H.; Rishika, R. (2018): “The Effect of a Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer”, Journal of Marketing, 82 (2), 85-105. Kim, T.; Barasz, K.; John, L. K. (2018): “Why Am I Seeing This Ad? The Effect of Ad Transparency on Ad Effectiveness”, Journal of Consumer Research, 45 (5), 906-932. Kumar, A.; Bezawada, R.; Rishika, R.; Janakiraman, R.; Kannan, P. K. (2016): “From Social to Sale: The Effects of Firm-Generated Content in Social Media on Customer Behavior”, Journal of Marketing, 80 (1), 7-25. LGPD 13.709/2018: General Personal Data Protection Law, National Congress of Brazil. Lecher, C. (2018): “Major US News Websites are Going Down in Europe as GDPR Goes into Effect”, The Verge, https://www.theverge.com/2018/5/25/17393894/gdpr-news-websites-down-europe, last accessed on October 05, 2021. Libert, T., Graves, L., Nielsen, R. K. (2018): “Changes in Third-Party Content on European News Websites After GDPR”, Reuters Institute for the Study of Journalism. Linden, T.; Khandelwal, R.; Harkous, H.; Fawaz, K. (2020): “The Privacy Policy Landscape After the GDPR”, Proceedings on Privacy Enhancing Technologies, 2020 (1), 47-64. Lu, S.; Wang, X. S.; Bendle, N. (2020): “Does Piracy Create Online Word of Mouth? An Empirical Analysis in the Movie Industry”, Management Science, 66 (5), 2140-2162. Lucente, A.; Clark, J. (2020): “Data Protection Laws of the World”, DLA Piper, https://www.dlapiperdataprotection.com, last accessed on October 05, 2021. Malhotra, N. K.; Kim, S. S.; Agarwal, J. (2004): “Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model”, Information Systems Research, 15 (4), 336-355. Martin, K. D. (2015): “Privacy Notices as Tabula Rasa: An Empirical Investigation into How Complying with a Privacy Notice is Related to Meeting Privacy Expectations Online”, Journal of Public Policy & Marketing, 34 (2), 210-227.

61 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Martin, K. D.; Borah, A.; Palmatier, R. W. (2017): “Data Privacy: Effects on Customer and Firm Performance”, Journal of Marketing, 81 (1), 36-58. Melumad, S.; Meyer, R. (2020): “Full Disclosure: How Smartphones Enhance Consumer Self-Disclosure”, Journal of Marketing, 84 (3), 28-45. Miltgen, C. L.; Peyrat-Guillard, D. (2014): “Cultural and Generational Influences on Privacy Concerns: A Qualitive Study in Seven European Countries”, European Journal of Information Systems, 23 (2), 103-125. Mirreh, M. (2018): “Brands Could Lose Nearly Half of Website Traffic Under GDPR”, PerformanceIn, https://performancein.com/news/2018/04/19/brands-could-lose-nearly-halfwebsite-traffic-under-gdpr/, last accessed on October 05, 2021. Monetate (2020): “Q1 2020 Ecommerce Quarterly Benchmarks”, Monetate. PDPA B.E: 2562 (2019): Personal Data Protection Act, Government Gazette. PDPB (2018): The Personal Data Protection Bill. Pew Research Center (2019): “Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information”, https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-controlover-their-personal-information/, last accessed on October 05, 2021. Steenkamp, J.-B. E. M.; Geyskens, I. (2006): “How Country Characteristics Affect the Perceived Value of Web Site”, Journal of Marketing, 70 (3), 136-150. TheBrandOwner (2017): “Average CPM of News Websites”, https://www.thebrandowner.com/average-cpm-of-news-websites/, last accessed on October 05, 2021. Tucker, C. E. (2013): “Social Networks, Personalized Advertising, and Privacy Controls”, Journal of Marketing Research, 51 (5), 546-562. Turjeman, D.; Feinberg, F. (2020): “Our Data-Driven Future: Promise, Perils, and Prognoses”, Review of Marketing Research, 17 (2020), 105-121. Xu, Y. (2017): “Generalized Synthetic Control Method: Causal Inference with Interactive Fixed Effects Models”, Political Analysis, 25 (1), 57-76.

62 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior

1.9 Appendix 1.9.1

Appendix A: Additional Figures

Figure A1 - 1 shows the number of websites for the different industries within our final sample. The sample includes websites that span diverse industries, with the industries “Computers, Electronics and Technology,” “News and Media,” and “Arts and Entertainment” being the most represented. Figure A1 - 1: Distribution of Websites across Industries

63 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure A1 - 2 shows the distribution of GDPR’s effect for the websites’ number of unique visitors over the different post-treatment periods. The solid line plot indicates the share of websites that GDPR affects negatively, and the dashed line plot the share of websites that GDPR affects significantly (on the 5%-level). Figure A1 - 2: Distribution of the Effect of GDPR on Monthly Number of Unique Visitors over Time

64 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure A1 - 3 shows the distribution of GDPR’s effect for the websites’ number of page impressions over the different post-treatment periods. The solid line plot indicates the share of websites that GDPR affects negatively, and the dashed line plot the share of websites that GDPR affects significantly (on the 5%-level). Figure A1 - 3: Distribution of the Effect of GDPR on Weekly Number of Page Impressions over Time

65 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure A1 - 4 shows the distribution of GDPR’s effect for the weekly time on the websites over the different post-treatment periods. The solid line plot indicates the share of websites that GDPR affects negatively, and the dashed line plot the share of websites that GDPR affects significantly (on the 5%-level). Figure A1 - 4: Distribution of the Effect of GDPR on Weekly Time on Website over Time

66 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Figure A1 - 5 shows the distribution of GDPR’s effect on the websites’ number of bouncing visitors over the different post-treatment periods. The solid line plot indicates the share of websites that GDPR affects negatively, and the dashed line plot the share of websites that GDPR affects significantly (on the 5%-level). Figure A1 - 5: Distribution of the Effect of GDPR on Weekly Number of Bouncing Visitors over Time

67 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.2

Appendix B: Derivation of Analysis of Usage Intensity Metrics

Every usage intensity metric is a function of two user quantity metrics, as shown in Table 1.3. For example, we calculate the number of visits per unique visitor on a website w by dividing the number of unique visitors on the website w by the total number of visits on website w; the other usage intensity metrics follow the same logic (see Table 1.3): (A1)

ܰ‫ݎ݋ݐ݅ݏܸ݅ ݁ݑݍܷ݅݊ ݎ݁݌ ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬௪ =

(A2)

ܲܽ݃݁ ‫ݐ݅ݏܸ݅ ݎ݁݌ ݏ݊݋݅ݏݏ݁ݎ݌݉ܫ‬௪ =

(A3)

ܶ݅݉݁ ‫ݐ݅ݏܸ݅ ݎ݁݌‬௪ =

(A4)

‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௪ =

்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ ே௨௠௕௘௥ ௢௙ ௎௡௜௤௨௘ ௏௜௦௜௧௢௥௦ೢ

ே௨௠௕௘௥ ௢௙ ௉௔௚௘ ூ௠௣௥௘௦௦௜௢௡௦ೢ ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ

்௜௠௘ ௢௡ ௐ௘௕௦௜௧௘ೢ ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ

ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦ೢ ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ

We use Equations (A1)-(A4) to examine the GDPR’s effect on the usage intensity metrics in the following manner: 1) We use Equation (1) to calculate the GDPR’s effect (') for all user quantity metrics. Our methodology to derive this effect ' capturing the relative changes of each user quantity metrics for each website w and each post-treatment period p. 2) We then incorporate the GDPR’s effect ' for all the metrics for each post-treatment period p in Equations (A1)-(A4). As we capture the relative changes for the metrics, we can incorporate the GDPR’s effect ' for each post-treatment period p for each website w by multiplying the metrics’ pre-treatment values with (1+'p,w). 3) Finally, we rearrange the equations to isolate the GDPR’s effect ' on the usage intensity metric of interest. We now use the described process to derive the formula for the GDPR’s effect on the usage intensity metric “bounce rate”. The other usage intensity metrics follow the same logic and can be derived accordingly. GDPR’s effect ' for post-treatment period p for website w for all metrics within Equation (A4): (A5)

ܰ‫ݏݎ݋ݐ݅ݏܸ݅ ݃݊݅ܿ݊ݑ݋ܤ ݂݋ ݎܾ݁݉ݑ‬௣,௪ = ܰ‫ݏݎ݋ݐ݅ݏܸ݅ ݃݊݅ܿ݊ݑ݋ܤ ݂݋ ݎܾ݁݉ݑ‬௪ ‫ כ‬൫1 +

οܰ‫ݏݎ݋ݐ݅ݏܸ݅ ݃݊݅ܿ݊ݑ݋ܤ ݂݋ ݎܾ݁݉ݑ‬௣,௪ ൯

(A6)

ܶ‫ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑܰ ݈ܽݐ݋‬௣,௪ = ܶ‫ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑܰ ݈ܽݐ݋‬௪ ‫ כ‬൫1 +

οܶ‫ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑܰ ݈ܽݐ݋‬௣,௪ ൯

(A7)

‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ = ‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௪ ‫ כ‬൫1 + ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ ൯

68 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Incorporation of GDPR’s effect ' (Equations (A5)-(A7) into Equation (A4): ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ

(A8)

‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ =

(A9)

‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௪ ‫( כ‬1 + ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ ) =

்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ

ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦ೢ ‫(כ‬ଵାοே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ ) ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ ‫(כ‬ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ )

Rearranging Equation (A9): ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦ೢ ‫(כ‬ଵାοே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ )

(A10) 1 + ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ = ்௢௧௔௟ ே௨௠௕௘௥ ௢ ௏௜௦௜௧௦

ೢ ‫כ‬൫ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ ൯‫כ‬஻௢௨௡௖௘ ோ௔௧௘ೢ

ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦ೢ ‫(כ‬ଵାοே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ )

(A11) ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ = ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦

ೢ ‫כ‬൫ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ ൯‫כ‬஻௢௨௡௖௘ ோ௔௧௘ೢ

(A12)

ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ =

ே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦ೢ ்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦ೢ

‫כ‬

ଵ ஻௢௨௡௖௘ ோ௔௧௘ೢ

‫כ‬

െ1

ଵାοே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ

െ1

Inserting Equation (A4) into Equation (A12): (A13) ο‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௣,௪ = ‫݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬௪ ‫ כ‬஻௢௨௡௖௘ଵ ோ௔௧௘ ‫כ‬

ଵାοே௨௠௕௘௥ ௢௙ ஻௢௨௡௖௜௡௚ ௏௜௦௜௧௢௥௦೛,ೢ

ೢ

ଵାο்௢௧௔௟ ே௨௠௕௘௥ ௢௙ ௏௜௦௜௧௦೛,ೢ

െ1

Final rearranging of Equation (A13): (A14)

ο‫݌݁ݐܴܽ ݁ܿ݊ݑ݋ܤ‬,‫= ݓ‬

1+οܰ‫݌ݏݎ݋ݐ݅ݏܸ݅ ݃݊݅ܿ݊ݑ݋ܤ ݂݋ ݎܾ݁݉ݑ‬,‫ݓ‬ 1+ο்௢௧௔௟ ܰ‫݌ݏݐ݅ݏܸ݅ ݂݋ ݎܾ݁݉ݑ‬,‫ݓ‬

െ1

In Equation (A14), we have isolated the GDPR’s effect on the bounce rate and can examine this effect using the observed effects on the corresponding user quantity metrics, i.e., the number of bouncing visitors and the total number of visits. We can use Equation (A14) for the calculation of GDPR’s effect on the bounce rate – and, in the same manner, for all usage intensity metrics – for each website and each post-treatment period p (i.e., a period that covers 3, 6, 9, 12, and 18 months after the enforcement of GDPR).

69 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.3

Appendix C: Robustness Checks with Respect to Website Selection

In our analysis, we selected a threshold of an average of 1,000 visits per week for our sample. So, we removed all websites that had an average number of visits per week below this threshold. The chosen threshold might impact our results. Thus, we examine the sensitivity of the results for the chosen threshold with two robustness checks. 1) We decrease the threshold of visits and examine whether the findings of this study change significantly. More specifically, we decrease the threshold in steps of 100 visits per week until we reduce our initial threshold to 700 visits per week. 2) We increase the threshold of visits and examine whether the findings of this study change significantly. More specifically, we increase the threshold in steps of 100 visits per week until we double our initial threshold, i.e., we reach 2,000 visits per week. 1.9.3.1 Decreasing the Threshold for Website Filtering Table A1 - 1 shows how many additional websites we include when decreasing the filtering threshold. We further examine whether the inclusion of the additional websites results in the distribution of the obtained data sample’s total visits being significantly different from the distribution of the original data sample’s total visits. We find that reducing the threshold to 700 leads to the inclusion of 27 additional website-instances with EU-user data and 405 additional website-instances with Non-EU-user data. The additional website-instances, however, do not significantly affect the composition of websites within our data sample. Consequently, our findings are robust to decreasing the threshold, and it does not look like our chosen threshold eliminates too many websites with low traffic. 1.9.3.2 Increasing the Threshold for Website Filtering Table A1 - 2 shows how many websites we remove when increasing the filtering threshold. We further examine whether removing the additional websites yields a distribution of the obtained data sample’s total visits that is significantly different from the distribution of the original data sample’s total visits. We find that increasing the threshold to 1,700 results in removing 40 website-instances with EU-user data and 550 additional website-instances with Non-EUuser data. Increasing the threshold up to 1,700 does not significantly affect the composition of websites within our data sample. However, increasing the threshold to 1,800 or higher would significantly affect the composition of websites within our data sample. Thus, our findings are

70 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior robust to increasing the threshold to 1,700. While a substantially higher threshold of 1,800 or higher results in removing too many websites with low traffic, it does not look like our chosen threshold eliminated too many websites with low traffic.

71 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

+10

+17

+27

900

800

700

15,804,678

Total Visits: Std. Deviation

15,791,435

0.95

-

P-Value of TTest

15,782,190

0.91

15,769,008

0.86

Original vs. new sample: No significant difference

1,698,450

Original vs. new sample: No significant difference

1,701,254

Original vs. new sample: No significant difference

1,703,242

Original sample

1,706,008

Total Visits: Mean

Websites with EU-User Data

+405

+245

+110

+/-0

54,603,917

Total Visits: Std. Deviation

2,509,291

54,052,980

Original sample

2,560,706

Total Visits: Mean

0.74

-

P-Value of TTest

53,399,093

0.46

52,654,007

0.23

Original vs. new sample: No significant difference

2,381,041

Original vs. new sample: No significant difference

2,448,846

Original vs. new sample: No significant difference

No. of Additional Websites

Websites with Non-EU-User Data

Notes: Significance level based on t-tests comparing the original sample with the newly obtained sample. Original sample refers to the sample of the main analysis with a threshold of 1,000 visits per week, as shown in Table 1.1.

+/-0

No. of Additional Websites

1,000

Threshold

The Impact of Privacy Laws on Online User Behavior

Table A1 - 1: Effect of Threshold Reduction on Number of Websites and Difference of Composition of Original and New Sample

72

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

-3

-11

-13

-21

-28

-35

-40

-46

-53

-57

1,100

1,200

1,300

1,400

1,500

1,600

1,700

1,800

1,900

2,000

15,804,678

15,808,661

0.98

-

15,819,288

0.94

15,821,946

0.93

15,832,591

0.89

15,841,931

0.85

15,851,283

0.82

15,857,986

0.79

15,866,027

0.76

15,875,422

0.73

15,880,798

0.71

Original vs. new sample: No significant difference

1,722,026

Original vs. new sample: No significant difference

1,720,868

Original vs. new sample: No significant difference

1,718,852

Original vs. new sample: No significant difference

1,717,139

Original vs. new sample: No significant difference

1,715,880

Original vs. new sample: No significant difference

1,713,875

Original vs. new sample: No significant difference

1,711,915

Original vs. new sample: No significant difference

1,709,594

Original vs. new sample: No significant difference

1,709,014

Original vs. new sample: No significant difference

1,706,811

Original sample

1,706,008

Total Visits: Total Visits: Std. P-Value of TMean Deviation Test

Websites with EU-User Data

-732

-677

-621

-550

-490

-428

-363

-282

-197

-98

+/-0

54,603,917

2,608,369

55,109,208

Original sample

2,560,706

0.76

-

Total Visits: Total Visits: Std. P-Value of TMean Deviation Test

55,634,171

0.53

56,097,071

0.37

56,549,116

0.24

56,919,877

0.17

57,280,410

0.11

57,635,926

0.07

58,065,293

0.04

58,410,794

0.03

58,756,199

0.02 Original vs. new sample: Significant difference

2,964,009

Original vs. new sample: Significant difference

2,929,203

Original vs. new sample: Significant difference

2,894,595

Original vs. new sample: No significant difference

2,852,213

Original vs. new sample: No significant difference

2,817,770

Original vs. new sample: No significant difference

2,782,440

Original vs. new sample: No significant difference

2,746,250

Original vs. new sample: No significant difference

2,702,767

Original vs. new sample: No significant difference

2,658,303

Original vs. new sample: No significant difference

No. of Additional Websites

Websites with Non-EU-User Data

Notes: Significance level based on t-tests comparing the original sample with the newly obtained sample. Original sample refers to the sample of the main analysis with a threshold of 1,000 visits per week, as shown in Table 1.1.

+/-0

No. of Additional Websites

1,000

Threshold

The Impact of Privacy Laws on Online User Behavior

Table A1 - 2: Effect of Threshold Increase on Number of Websites and Difference of Composition of Original and New Sample

73

Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.4

Appendix D: Robustness Checks with Respect to Early and Late Compliance

We use the enforcement date of GDPR (May 25th, 2018) to construct a before-and-after analysis, comparing the treatment group to the control group to quantify the intention-to-treat effect of GDPR. Although very few websites were compliant before the enforcement date (Hochstadt 2018), we examine whether websites were possible early or late with their compliance with GDPR. Such early or late compliance might affect the validity of our results as the timing of the treatment effect would differ from the GDPR’s enforcement date. In our robustness check, we perform the same calculations as we describe in our methodology section. The only difference is that we did not use the entire observation period for the analysis but removed the observations 30 days before the enforcement of GDPR and 30 days after. We then calculate the GDPR’s short- and long-term effect on our user quantity metrics for all websites. We observe no significant differences between the GDPR’s effect across the websites for the short- or long-term for all our user quantity metrics. We show the results of the robustness check for our main metric, the total number of visits, in Table A1 - 3. Thus, there is no cause for concern that early or late compliance of websites might influence our findings. Table A1 - 3: Summary of Results for Total Visits with and without Inclusion of 30-DayPeriod before and after GDPR Total Visits

Original Results (entire observation period)

3 months

Median -3.49%

6 months

-5.54%

9 months

-7.54%

12 months

-8.24%

18 months

-8.91%

Robustness Results (omitting 30 days before and after enforcement date) Mean Median Mean -4.88% -4.55% -5.49% p-value of t-test: 0.26 No significant difference between original and robustness results -7.22% -6.38% -7.91% p-value of t-test: 0.17 No significant difference between original and robustness results -9.07% -8.24% -9.74% p-value of t-test: 0.20 No significant difference between original and robustness results -9.57% -8.78% -10.09% p-value of t-test: 0.35 No significant difference between original and robustness results -10.02% -9.56% -10.30% p-value of t-test: 0.65 No significant difference between original and robustness results

74 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.5

Appendix E: Robustness Checks with Respect to Control Group

For the control group specification, we use website-instances of Non-EU-websites and Non-EU-users. However, there might be a concern about a potential spillover effect of GDPR to website-instances that are not within the applicable scope of the privacy law. For instance, Non-EU-websites with visitors from EU locations have to comply with GDPR for those visitors. It could be that differentiating between EU- and Non-EU-users is more costly than simply complying with GDPR for all users, i.e., even for Non-EU-users. As a result, a website might voluntarily treat Non-EU-users with GDPR compliance (i.e., the so-called Brussels effect). This spillover effect of voluntary compliance could take two potential forms: First, websites could adapt their data storage systems to accommodate GDPR requirements for all users. Second, websites could adapt their user interface (e.g., privacy policy, consent banners) for all users. While rumors exist for the first form (e.g., Microsoft), they do not exist for the second form. While we would only capture the second form in our analysis, such a spillover effect might influence the adequacy of our control group as some websites within the control group would be treated. The incentive for voluntary compliance is likely higher for Non-EU-websites if the share of EU-users is higher (i.e., websites must comply with the GDPR for a large share of users). A potential spillover effect of GDPR to our control group will also become apparent if the behavior of Non-EU-users on EU-websites (part of our treatment group) does not differ from their behavior on Non-EU-websites (control group) and if the behavior of EU-users on the Non-EUwebsites (part of our treatment group) does not differ to the behavior of Non-EU-users on the same websites (control group). Thus, to examine whether potential spillover effects influence our findings, we perform four robustness checks: 1) We conduct a closer examination of our control websites based upon their share of EUtraffic (using a decile analysis as well as a linear regression). 2) We conduct a closer comparison of EU-websites and Non-EU-websites for Non-EUusers. 3) We conduct a closer comparison of EU-users and Non-EU-users for Non-EU-websites. 4) We examine the Non-EU-user interface on a subsample of control websites. 75 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Another potential cause of concern might be that websites based in the EU could have shifted their geographic location. For example, shifting the location from an EU location to a Non-EU location would result in a website strategically evading the need for GDPR compliance for Non-EU-users. Such strategic shifts would again harm the validity of our control group as some websites would self-select themselves into the control group. To examine whether potential strategic shifts performed by websites influence our findings, we conduct the following robustness check: We re-calculate the results of the GDPR’s effect on websites for our main metric for a subsample of websites using a stricter control group that includes only websites with Non-EU-based domain suffixes. 1.9.5.1 Closer Examination of the Non-EU-Websites based on Share of EU-Traffic Although GDPR does not apply to Non-EU-websites when catering to Non-EU-users, websites might find it too costly to treat EU- and Non-EU-users differently and decide to comply with GDPR for Non-EU-users voluntarily. This voluntary compliance would represent a spillover effect of GDPR. From a logical perspective, such voluntary compliance is more likely for Non-EU-websites with a high share of EU-users. In contrast, if very few EU-users visit a NonEU-website, that website likely has a much lower incentive to comply with GDPR for all users voluntarily. Thus, a spillover effect is more likely to exist for Non-EU-websites with a higher EU-user share. In the first robustness check, we divide our control websites into deciles based on their pretreatment EU-user traffic share for our main metric, the total number of visits. We can then examine whether a spillover effect exists for our control group by comparing the average number of visits before and after GDPR for each decile. As Table A1 - 4 outlines, the number of visits from Non-EU-users to Non-EU-websites (the control group) increases after GDPR for all deciles, i.e., irrespectively of the EU traffic share. Thus, we find no cause for concern for a potential spillover effect within our control group.

76 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table A1 - 4: Examination of Control Group based on EU Traffic Share No. of Websites

EUShare

Decile 0

594

0%

Decile 1

111

Decile 2

111

Decile 3

111

Decile 4

111

Decile 5

111

Decile 6

111

Decile 7

111

Decile 8

111

Decile 9

111

Decile 10

108

Decile No EUtraffic observed

EU-traffic observed

0.08% 7.06% 7.11% 15.82% 16.11% 26.49% 26.60% 52.58% 53.91% 89.71% 90.16% 98.49% 98.50% 99.25% 99.26% 99.55% 99.56% 99.74% 99.74% 99.95%

Average Non-EU-Traffic Pre-GDPR Post-GDPR Difference 137,992,462

250,139,478

+112,147,017

350,064,747

713,672,061

+363,607,314

297,563,325

587,272,620

+289,709,295

157,924,186

310,701,515

+152,777,330

41,281,851

83,942,652

+42,660,801

21,881,908

41,162,307

+19,280,399

2,552,483

5,300,178

+2,747,695

746,537.4

1,306,281.9

+559,744.5

404,036.1

803,807.5

+399,771.4

253,280.1

554,742.7

+301,462.6

163,518.2

389,103.4

+225,585.3

We further perform the following linear regression: (A15) log(1 + ܶ‫ݏݐ݅ݏܸ݅ ݈ܽݐ݋‬௉௢௦௧ିீ஽௉ோ ) = Ⱦ଴ + Ⱦଵ ‫ כ‬log(1 + ܶ‫ݏݐ݅ݏܸ݅ ݈ܽݐ݋‬௉௥௘ିீ஽௉ோ ) + ߚଶ ‫݁ݎ݄ܽܵ ܷܧ כ‬௉௥௘ ீ஽௉ோ + ߳ Table A1 - 5 displays the result: While Ⱦଵ is significant at the 0.01%-level, Ⱦଶ is not significant at the 5%-level. Thus, overall, the robustness check indicates that GDPR does not affect the results in a large enough way to pose a concern for a substantial change in effect sizes, and most certainly not in a potential change in the effect direction of our findings.

77 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table A1 - 5: Coefficients of Regression Analysis based on Control Websites’ EU-Share Intercept Log(1+Total VisitsPre-GDPR) EU-Share

Estimate 0.928 *** (0.101) 0.980 *** (0.006) 0.044 (0.037)

p-value 0.000 0.000 0.229 0.9767 0.9766

R² Adj. R² Notes: Standard errors are reported in parentheses. Significance level: *** 0.1%-level ** 1%-level * 5%-level

1.9.5.2 Closer Comparison of EU-Websites and Non-EU-Websites for Non-EU-Users In the second robustness check, we examine the average traffic development of Non-EUusers on EU-websites (part of the treatment group) compared to Non-EU-websites (our control group). This examination can provide insights into whether there are spillover effects present for our control group. For the traffic examination, we focus on our main metric, the total number of visits. The mean comparison shown in Table A1 - 6 shows that Non-EU-users visit EU websites (GDPR applies) less after GDPR. At the same time, the Non-EU-users visit Non-EU websites more after GDPR (GDPR does not apply). For those users, GDPR could only have an effect via a spillover effect. Table A1 - 6: Closer Comparison of EU- and Non-EU-Websites’ Total Visits for Non-EUUsers Website Location

User Location

EU Non-EU Non-EU

Pre-/PostGDPR Pre-GDPR Post-GDPR Pre-GDPR Post-GDPR

Average weekly visits 3,159,196 2,837,259 2,190,523 2,424,430

Difference

Difference-inDifference

-321,937.4 -555,845 +233,907.6

1.9.5.3 Closer Comparison of EU-Users and Non-EU-Users for EU-Websites The third robustness check follows a similar approach and compares the traffic that NonEU-websites get from EU-users (part of the treatment group) compared to Non-EU-users (control group). As shown in Table A1 - 7, Non-EU-users visit Non-EU websites (GDPR does not

78 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior apply) more after GDPR, while the EU-user base visit Non-EU websites less after GDPR (GDPR applies). Table A1 - 7: Closer Comparison of EU- and Non-EU-Users’ Total Visits for Non-EUWebsites Website Location

User Location EU

Non-EU Non-EU

Pre-/PostGDPR Pre-GDPR Post-GDPR Pre-GDPR Post-GDPR

Average weekly visits 1,578,877 1,567,548 2,190,523 2,424,430

Difference

Difference-inDifference

-11,328.5 -245,236.1 +233,907.6

The two robustness checks together show that both EU-users and Non-EU-users visit EUwebsites less after GDPR. For EU-websites, GDPR applies to both user groups. Thus, both robustness checks show the same observation: For the website-instances for which GDPR applies, the traffic decreases after GDPR. For the website-instance for which GDPR does not apply, i.e., would only apply if websites voluntarily decided to comply (= spillover effect), the traffic increases after GDPR. Due to the contrarian development of our treatment group and our control group, the two robustness checks together show that it is unlikely that GDPR’s effect spilled over to Non-EU-users on Non-EU-websites, at least on average. Overall, the three robustness checks indicate that there is no cause for concern for the adequacy of our control group and a potential influence of a spillover effect on our findings. 1.9.5.4 Examination of Non-EU-User Interface on Subsample of Control Websites As a last robustness check to examine the potential spillover effect of GDPR to websiteinstances in the control group, we manually examine the user interface that a random sample of control websites displays to Non-EU-users. More specifically, we use the publicly available Internet Archive's Wayback Machine (https://web.archive.org/) for 5% of the control websites, i.e., 85 control websites. Using the Wayback Machine, we accessed the past versions of websites via a crawler located in the US. Thus, these past versions represent the displayed content to Non-EU-users. We accessed the past version of 69 control websites on the last day of our observation period, i.e., November 30th, 2019. For the remaining 16 control websites, that date’s version is

79 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior not available. Thus, we accessed those websites on the first available date before November 30th, 2019. We further accessed all websites on GDPR’s enforcement date, i.e., May 25th, 2018. We observe that 94.12% of the control websites did not adjust their user interface in terms of the level of privacy after GDPR. Only 5.88% of the control websites slightly adjusted their user interface regarding the level of privacy between the GDPR’s enforcement date and the end of our observation period. However, the observed changes do not result in the websites being compliant with GDPR. Thus, we observe no voluntary compliance to GDPR on the subsample of control websites within our observation period. Furthermore, spillover-effects known to the public only correspond with a voluntary consideration of the GDPR requirements regarding data storage and data security – and do not directly affect the user interface, e.g., displaying a consent banner or adjusting the privacy policy. 1.9.5.5 Usage of Stricter Control Group with Websites with Definitive Non-EULocation The last robustness check aims to account for a potential effect of possible strategic shifts performed by websites in their location. For instance, websites based in the EU before GDPR might have relocated their data processing location to a Non-EU location. Such a relocation would result in websites not having to comply with GDPR for Non-EU-users. While such relocations are not publicly known or observable, we examine the potential effect of such relocations. More specifically, we construct a stricter control group and examine whether the observed effects of GDPR change significantly for our main metric. We construct the stricter control group by investigating the domain suffixes of websites (e.g., “.de,” “.com”). We divide these domain suffixes for our original control websites according to whether the domain suffix 1) indicates an EU location, 2) indicates a Non-EU location, or 3) does not indicate a certain location. For the stricter control group, we only include the control websites of our original sample with domain suffixes that indicate a Non-EU location. The intuition behind this stricter control group is as follows: Websites with a domain suffix indicating a Non-EU location have a high probability of being a website not based in the EU, whereas websites with an EU-domain suffix have a higher probability of actually being a EU-based website. The latter had an incen-

80 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior tive to shift their location to a Non-EU one. Thus, including only Non-EU-based suffixes ensures that the stricter control group includes only websites with a very low probability of having an EU-location before GDPR. In our robustness check, we perform the same calculations as for our original control group except that we only use the control websites within the stricter control group. We then calculate the GDPR’s short- and long-term effect on our main metric for a subsample of 225 websites. We observe that there is no significant difference between the GDPR’s effect across the websites for our main metric for the short-term (average effect for the stricter control group for the subsample: -4.56%; average effect for the original control group for the subsample: -7.64%; no significant difference on 5%-level) or long-term (average effect for the stricter control group for the subsample: -19.90%; average effect for the original control group for the subsample: 18.64%; no significant difference on 5%-level) effects, irrespectively of whether we use our original or stricter control group. Thus, there is no cause for concern that strategic shifts might influence the validity of our control group.

81 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.6

Appendix F: Robustness Checks with Respect to Data

We use a dataset provided by SimilarWeb. Although companies (e.g., Google, Alibaba) and researchers in top-tier academic journals (e.g., Calzada and Gill 2020, Lu et al. 2020) use SimilarWeb’s data, it is not entirely clear how SimilarWeb collects its data and whether GDPR affects SimilarWeb in its data collection methods. For instance, if GDPR had affected SimilarWeb in its data collection methods post-GDPR, the validity of the data source, and thus our results, would be reduced. Accordingly, we examine the quality and validity of SimilarWeb’s data post-GDPR in two robustness checks. More specifically, we compare the quality of our data source SimilarWeb for a subset of websites with another highly reliable data source (German AGOF) for the: 1) number of unique visitors and 2) number of page impressions. AGOF (https://www.agof.de/en/) collects high-quality and certified data on German websites, is widely used for media planning purposes, and is very transparent in its data collection procedure. AGOF can thus be considered the official gold-standard web traffic measurement in Germany. AGOF states that although GDPR does not directly impact its metrics, GDPR might affect its metrics due to users changing their interaction with the website due to changes that the website performed due to GDPR – which we aim to capture in our study. 1.9.6.1 Comparison of SimilarWeb Data with AGOF Data for Unique Visitors We compare AGOF’s reported data with our available data from SimilarWeb for the metric for the websites, period, and user base that overlap across the two datasets: The number of unique visitors for 23 websites for 2018. We perform a linear regression between the two data sources of the following form: (A16) log(1 + ݈ܵ݅݉݅ܽ‫ = )ܾܹ݁ݎ‬Ⱦ଴ + Ⱦଵ ‫ כ‬log(1 + ‫ )ܨܱܩܣ‬+ ߚଶ ‫ ݀݋݅ݎ݁݌ݐݏ݋ܲ כ‬+ ߳ We find the following results shown in Table A1 - 8: While Ⱦଵ is significant at the 0.01%level, Ⱦଶ is not significant at the 5%-level. Thus, overall, the robustness check indicates that GDPR does not affect the results in a large enough way to pose a concern for a substantial change in effect sizes, and most certainly not in a potential change in the effect direction of our findings.

82 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table A1 - 8: Results of Regression Analysis comparing the Number of Unique Visitors for SimilarWeb and AGOF Intercept Log(1+AGOF) Postperiod

Estimate 4.444 *** (0.124) 0.755 *** (0.009) 0.039 (0.022)

Number of observations R² Adj. R²

p-value 0.000 0.000 0.082 23 0.8697 0.8695

Notes: Standard errors are reported in parentheses. Significance level: *** 0.1%-level ** 1%-level * 5%-level

1.9.6.2 Comparison of SimilarWeb Data with AGOF Data for Page Impressions We compare AGOF’s reported data with our available data for the metric for the websites, period, and user base that overlap across the two datasets: The number of page impressions for 23 websites for 2018. We perform a linear regression between the two data sources of the following form: (A17) log(1 + ݈ܵ݅݉݅ܽ‫ = )ܾܹ݁ݎ‬Ⱦ଴ + Ⱦଵ ‫ כ‬log(1 + ‫ )ܨܱܩܣ‬+ ߚଶ ‫ ݀݋݅ݎ݁݌ݐݏ݋ܲ כ‬+ ߳ We find the following results shown in Table A1 - 9: While Ⱦଵ is significant at the 0.01%level, Ⱦଶ is not significant at the 5%-level. Thus, overall, the robustness check indicates that GDPR does not affect the results in a large enough way to pose a concern for a substantial change in effect sizes, and most certainly not in a potential change in the effect direction of our findings.

83 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table A1 - 9: Results of Regression Analysis comparing the Number of Page Impressions for SimilarWeb and AGOF Intercept Log(1+AGOF) Postperiod

Estimate 4.133 *** (0.098) 0.729 *** (0.006) -0.013 (0.022)

Number of observations R² Adj. R²

p-value 0.000 0.000 0.555 23 0.9304 0.9303

Notes: Standard errors are reported in parentheses. Significance level: *** 0.1%-level ** 1%-level * 5%-level

84 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.7

Appendix G: Robustness Checks with Respect to Confounding Factors

For our calculation of GDPR’s effect on websites, no other changes in potentially confounding factors should coincide with the enforcement of GDPR. Substantial changes in confounding factors other than GDPR might have affected only the traffic of Non-EU-users on Non-EU-websites and have not affected EU-users or Non-EU-users that visit EU-websites. Such changes could influence the validity of our findings. Therefore, we investigate whether there have been substantial changes in factors other than the regulatory framework (e.g., internet speed) for Non-EU-users and EU-users. More specifically, we examine any observable changes between the control website-instances and our treated website-instances other than the GDPR. We examine the internet speed, the share of people with access to the internet, the share of people using laptops, and the share of people using smartphones across our user base. These four potentially confounding factors might affect users’ browsing behavior because a higher speed might result in browsing more websites in a shorter period. A higher share of the population with access to the internet, laptops, or smartphones can affect the number of online users. While it is challenging to examine changes on the website-instance level, we examine changes on the user location level: As a proxy for the EU-user base, we examine German users and as a proxy for the Non-EU-user base, we examine US users. Although this separation does not account that GDPR affects Non-EU-users if they visit an EU-website, it can proxy whether there were changes between the two user groups. As shown in Table A1 - 10, we do not observe substantial differences between Non-EUusers and EU-users in the pre- and post-GDPR comparison for the selected confounding factors. If anything, the selected confounding factors indicate that EU-users should have exhibited an increased browsing behavior compared to the US group. Thus, this robustness check indicates that the above-mentioned other parameters did not negatively affect the user behavior and did not undermine the validity of our findings.

85 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior Table A1 - 10: User Group Comparison of Confounding Factors Confounding Factor Average Mobile Internet Connection Speed

User Group

Before GDPR: January 2018 26.43 Mbps

After GDPR: January 2019 EU 31.69 Mbps (Germany) (+20% YoY-Growth) Non-EU 27.22 Mbps 32.01 Mbps (USA) (+18% YoY-Growth) 91% 96% Penetration of In- EU (+5.49% YoY-Growth) ternet among Popu- (Germany) lation Non-EU 88% 95% (USA) (+7.95% YoY-Growth) 76% 76% Share of Population EU Using Laptops or (Germany) (+0.00% YoY-Growth) Desktop Non-EU 77% 77% (USA) (+0.00% YoY-Growth) 75% 75% Share of Population EU (+0.00% YoY-Growth) Using Smartphones (Germany) Non-EU 78% 78% (USA) (+0.00% YoY-Growth) Source: Datareportal Reports – Digital 2018 and Digital 2019

86 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.8

Appendix H: Robustness Checks with Respect to the Synthetic Control Method

When calculating GDPR’s effects in our analysis, we had to make several decisions: the method used, the requirement of the control and treated websites being in the same industry, and the number of control websites. As these decisions might impact our results, we examine the sensitivity of our estimates to the selected specifications. To calculate GDPR’s effect on websites, we used the SCG method and applied it using the R package “gsynth.” However, apart from the specific method used in the “gsynth” package, other packages and corresponding methods might result in different findings. Furthermore, within our chosen SCG method, we had to make several decisions and assumptions to select the control websites. More specifically, we limited the number of control websites to five to avoid overfitting and required the control websites to belong to the same industry as our treated website. If the results are sensitive to our chosen method and the different decisions, these two decisions might affect our findings and thus the validity of our results. We thus examine whether the usage of our chosen methodology and our decisions influence our findings. We perform four robustness checks: 1) We re-calculate the results of the GDPR’s effect on websites for our main metric using a different package for the SCG method: the “synth” package corresponding to the traditional SCG method (e.g., Abadie et al. 2015). 2) We calculate the GDPR’s effect on websites for our main metric for a subsample of the websites without requiring the control websites to be in the same industry as the treated website, i.e., only selecting the control websites based on their correlation with the respective treated website. 3) We re-calculate the results of the GDPR’s effect on websites for our main metric for a subsample of the websites requiring the control websites to have the same or a similar share of EU-traffic as the treated website. Thus, the treated and control websites would have similar incentives to be GDPR-compliant, as discussed in Section 1.9.4. 4) We re-calculate the results of the GDPR’s effect on websites for our main metric for a subsample of the websites with ten instead of five control websites for the SCG.

87 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.8.1 Usage of another Synthetic Control Method Our analysis applies the generalized SCG method corresponding to the “gsynth” package in R, a popular R package and method for SCG. In this first robustness check, we examine whether using another original SCG Method results in similar values of the observed effects. More specifically, we compare the results obtained when using the “gsynth” package to another popular SCG package: the “synth” package. We calculate the GDPR’s short- and long-term effects on our main metric for a subsample of 3,621 website-instances. We find no significant difference between the results of the “gsynth” and “synth” packages for the short-term effects (average effect for “synth”: -4.96%; average effect for “gsynth”: -6.88%; no significant difference on 5%-level) or long-term effects (average effect for “synth”: -18.39%; average effect for “gsynth”: -19.29%; no significant difference on 5%-level). 1.9.8.2 Calculation of Synthetic Control Group without Industry Specification We examine whether requiring the control websites of the SCG to be in the same industry as the treated website impacts our findings. Thus, we remove the industry specification and calculate the correlation of all possible control website-instances with the treated-website instance. The SCG thus includes the five control website-instances with the highest correlation with the treated website-instance irrespectively of the websites’ industry. We then calculate the GDPR’s short- and long-term effects for a subset of 100 treated website-instances. The robustness check shows that not requiring the control website-instances to be in the same industry as the treated website-instance results in no significant difference in the findings for the shortterm effects (average effect for new specification: -2.84%; average effect for original specification: -6.69%; no significant difference on 5%-level) or long-term effects (average effect for new specification: -5.65%; average effect for original specification: -8.50; no significant difference on 5%-level). 1.9.8.3 Calculation of Synthetic Control Group with EU-Traffic Share as Matching Variable As we discussed in the prior section in which we examined the validity of our control group, websites with a similar share of EU-traffic might have a similar compliance incentive. Thus, to account for this potential incentive-alignment with the EU-traffic share, we conduct the following robustness check: In our selection of the five control website-instances for the SCG calculation, instead of limiting the potential pool of control website-instances to the ones within

88 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior the same industry as the treated website-instance, we require the potential control websiteinstances to have the same or a similar EU-share as the treated website-instance. We then recalculate the GDPR’s short- and long-term effects for our main metric for a subsample of 393 websites. The robustness check shows that not requiring the control website-instances to be in the same industry but to have the same EU-share as the treated website-instance results in no significant difference in the findings for the short-term effects (average effect for new specification: -7.07%; average effect for original specification: -3.79%; no significant difference on 5%level) or long-term effects (average effect for new specification: -4.21%; average effect for original specification: -5.77%; no significant difference at 5%-level). 1.9.8.4 Calculation of Synthetic Control Group with a Higher Number of Control Websites We limit the number of control website-instances for the SCG calculation to the five website-instances that have the highest pre-treatment correlation with our treated website-instance to avoid overfitting. This robustness check examines whether our estimates are robust to an increase in the number of control website-instances selected for the SCG calculation. Thus, in selecting the control website-instances for the SCG calculation, we select the ten instead of five control website-instances with the highest pre-treatment correlation for a subsample of 60 treated website-instances. We then re-calculate the GDPR’s short- and long-term effects for our main metric for the subsample. The robustness check shows that our presented findings in this study are robust to an increase in the number of control website-instances to ten instead of five, i.e., there is no significant difference in the findings for the short-term (average effect for 10 control websites: -13.91%; average effect for 5 control websites: -12.62%; no significant difference on 5%-level) or long-term effects (average effect for 10 control websites: -17.36%; average effect for 5 control websites: -14.87%; no significant difference on 5%-level).

89 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

The Impact of Privacy Laws on Online User Behavior 1.9.9

Appendix References

Abadie, A.; Diamond, A.; Hainmueller, J. (2015): “Comparative Politics and the Synthetic Control Method”, American Journal of Political Science, 59 (2), 495-510. Calzada, J.; Gil, R. (2020): “What Do News Aggregators Do? Evidence from Google News in Spain and Germany”, Marketing Science, 39 (1), 134-167. Datareportal (2019): “Digital 2019: Global Digital Overview“, https://datareportal.com/reports/digital-2019-global-digital-overview, last accessed on October 05, 2021. Datareportal (2018): “Digital 2018: Global Digital Overview“, https://datareportal.com/reports/digital-2018-global-digital-overview, last accessed on October 05, 2021. Hochstadt, A. (2018): “Report: Only 34% of Websites in the EU Are Ready for GDPR”, vpnMentor, https://www.vpnmentor.com/blog/report-only-34-percent-of-websites-in-the-euare-ready-for-gdpr/, last accessed on October 05, 2021. Lu, S.; Wang, X. S.; Bendle, N. (2020): “Does Piracy Create Online Word of Mouth? An Empirical Analysis in the Movie Industry”, Management Science, 66 (5), 2140-2162.

90 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates

2 Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Julia Schmitt

ABSTRACT With the introduction of privacy laws such as GDPR, policymakers require websites to obtain users’ consent for tracking technologies. Websites obtain this consent via so-called consent banners. However, policymakers give websites freedom in the specific implementation of consent banners, resulting in a variety of consent banner designs online. Such design differences likely affect the consent rate that websites can achieve. Yet, websites and policymakers lack an empirical foundation to examine the existence and magnitude of such potential effects. This paper is the first to shed light on the effect of differences in compliant consent banner designs on the consent rate. Two field experiments testing three design characteristics, i.e., the position, presence of a close option, and button labels, show that each characteristic significantly affects the consent rate. Specifically, varying each characteristic changes the consent rate by between 1.60 and 14.90 percentage points. Accordingly, this article provides an empirical foundation for 1) websites to better select a consent banner with a high consent rate and 2) policymakers to evaluate their decision to give websites implementation freedom. Keywords: Online Privacy, GDPR, Consent Banner, Cookie Banner, Consent Rate

91 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates

2.1 Introduction Collecting data about users via tracking technologies such as cookies has become important for websites throughout the past years. Among others, websites utilize user data to uncover each user’s interests, to provide more personalized user experiences, and monetize the user data in other ways (e.g., Reinsel et al. 2018). For example, websites that display advertisements online earn revenue from advertisers that behaviorally target ads. However, the growing data collection online increased users’ privacy concerns (e.g., Pew Research Center 2019) and strengthened the need for policymakers to regulate the collection of user data. Consequently, policymakers worldwide have enforced new privacy laws to increase user privacy (e.g., EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Protecao de Dados (LGPD), Thailand’s Personal Data Protection Act (PDPA), and India’s Personal Data Protection Bill (PDPB)). A major way for privacy laws to regulate data collection is the consent requirement, i.e., privacy laws require websites to obtain users’ consent. When drafting privacy laws, policymakers have to trade-off 1) increasing user privacy and 2) limiting the economic harm for websites that results from restricting their ability to earn revenue with user data. In the case of the consent requirement, this trade-off resulted in policymakers 1) requiring strict conditions for consent and 2) giving websites freedom in the design of the consent request. The strict consent conditions (regulated in GDPR Art. 7; LGPD Art. 5 XII; PDPA Section 19; PDPB Section 11 (2)) require websites, amongst others, to obtain users’ explicit consent. Thus, users deny data collection per default and actively have to agree to it (Johnson et al. 2002). Obtaining users’ consent is crucial for websites to collect data via tracking technologies, as the Court of Justice of the European Union (CJEU) reinforces (e.g., Curia 2019). To accommodate the consent requirement, websites display so-called consent banners to users. Consent banners serve to inform the user about the data collection and enable users to deny or agree to this collection (see Figure 2.1’s buttons “Reject All” and “Accept All”) as well as to provide granular consent for different types of data collection (see Figure 2.1’s button “Manage Settings”).

92 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Figure 2.1: Example of a Consent Banner

At the same time, policymakers give websites the freedom to choose how to design the consent banner in a way that best fits websites’ specific needs (e.g., GDPR Recital 32) while acknowledging the boundaries of GDPR and recommendations of EU member states (e.g., CNIL 2019, AEPD 2019). This implementation freedom allows websites to decide which consent banner design to display to users. This opportunity is especially important as users’ consent decisions can depend on website characteristics (e.g., Malhotra et al. 2004) and the design of consent requests (Johnson et al. 2002). Thus, differences in consent banners likely affect the user decision to accept, reject or manage websites’ cookie usage, and therefore, the consent rate of websites. Websites’ consent rate directly corresponds with websites’ ability to monetize user data as websites can only collect and monetize the data of users that give consent. Thus, differences in the consent rate can affect websites economically (Goldfarb and Tucker 2011). Consequently, websites may need to finance their content differently, endangering the future of the free internet. Accordingly, websites need to consider the potential effect that different consent banner designs have on the user decision, and thus, the consent rate. Many websites might have the opportunity to conduct A/B-testing and strategically test different consent banner designs to select the design that increases the consent rate the most. However, there are two major problems for websites in this endeavor: 1) Smaller websites with less financial capabilities might not have the opportunity to conduct such A/B-tests. 2) If a website can afford such tests, it is still challenging to decide upon the set of designs to test due to the ample design space. Thus, websites need an empirical foundation that aids them in assessing the effects that different design characteristics of consent banners have on the consent rate. Websites need such knowledge to better 1) select the design that likely increases the consent rate the most if they

93 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates cannot afford A/B-testing, or 2) select a set of consent banner designs that likely lead to a high consent rate from which websites can select the best design via A/B-testing. Not only websites but also policymakers have to consider whether different consent banner designs affect the consent rate. More specifically, such different designs can influence the user decision (as, e.g., Johnson et al. 2002 suggest). As a result, differences in consent banner designs may affect users’ control over their data, and thus, user privacy. To best draft future privacy laws and to assess whether current privacy laws need to reduce the implementation freedom with additional guidelines, policymakers need to 1) assess the effects of the different consent banner designs on the user decision and 2) evaluate whether design differences can affect user privacy. Especially with studies showing considerable differences in consent banner designs online (e.g., Degeling et al. 2019; van Eijk et al. 2019), such an evaluation is necessary. Furthermore, if policymakers were to limit the freedom of consent banner designs via additional specifications, they would need to anticipate the effect that such specifications would have on websites’ ability to monetize user data. However, there is no empirical foundation for websites or policymakers to evaluate the effects that different consent banner designs have on the consent rate. That is, it is unclear whether such effects exist for the design differences that current privacy laws allow and how large the potential effects are. Accordingly, in this article, I provide websites and policymakers with an empirical foundation of whether and how GDPR-compliant design differences in consent banners affect the consent rate. More specifically, I examine the effect directions and sizes of three design characteristics of consent banners using two field experiments: 1) the position of the consent banner, 2) the existence of a close option, and 3) the button labels (accept, reject, and settings button). I conduct the two field experiments with a large consent management provider (CMP) that technically implements the consent banners. An analysis of variance (ANOVA) and post-hoc pairwise comparisons show the effect of each of the three design characteristics on the consent rate. The results uncover that differences of the three tested design characteristics have significant effects on the consent rate. Overall, differences in these three characteristics induce changes in the consent rate between 1.60 and 14.90 percentage points (pp). The strongest effects result from varying the position and presence of a close option on consent banners. 94 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Hence, in this article, I provide policymakers with an empirical foundation to assess the effects of different consent banner designs and evaluate their decision to give websites freedom to design consent banners. Furthermore, I provide guidance to websites on how to select consent banner designs in a legally compliant manner that likely result in a high consent rate. More specifically, the consent banner design that increases the consent rate the most has the following characteristics: 1) center position, 2) no close option, 3) button labels that all mention “cookies,” neutrally express agreement (accept button), and strongly express disagreement (reject button).

2.2 User Decision Behavior on Consent Banners 2.2.1

User Decision Behavior in Privacy Settings

Culnan and Armstrong (1999) introduced the privacy calculus theory to explain users’ decision processes in the case of privacy-related decisions. The privacy calculus theory combines the theory of planned behavior (Ajzen 1991) and research describing users’ cognitive decision processes in privacy decisions (e.g., Laufer and Wolfe 1977; Milne and Gordon 1993). The privacy calculus theory proposes that users conduct a cost-benefit analysis to weigh all potential decisions’ perceived gains and losses against each other. Users then make the decision that maximizes the perceived gains over the perceived losses (Dinev and Hart 2006). The theory further proposes that several factors influence the cost-benefit analysis. Amongst those factors are users’ privacy attitudes and the context of a decision (Dinev and Hart 2006). Several studies examined the effect of users’ privacy attitudes on the cost-benefit analysis, including the role of users’ privacy concerns, personality, characteristics, culture, and nationality (Chen and Chen 2015; Pentina et al. 2016; Kumar et al. 2014; Dinev et al. 2006). Additionally, for online settings, research shows the influence of context-specific factors on the cost-benefit analysis and thus user decision. Firstly, the user decision can depend on website-specific characteristics. For instance, users have fewer privacy concerns and are more willing to consent to data collection if they have more trust in a website (Malhotra et al. 2004) and if a website is more reputable (Xie et al. 2006; Bleier et al. 2020). Secondly, the user decision can depend on the characteristics of the consent request itself. For example, in the setting of a newsletter signup, Johnson et al. (2002) show that emphasizing the loss of not consenting leads to an increase in the consent rate. The authors further show that the default 95 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates setting in consent requests affects the user decision: Requesting implicit consent (default: user consents) leads to higher consent rates than requesting explicit consent (default: user does not consent). Studies from non-privacy-related fields confirm the observation that users tend to stick to the default option (e.g., Madrian and Shea 2001) and outline several reasons for this behavior. 1) The status quo bias of users (Samuelson and Zeckhauser 1988), 2) users see the default option as a recommendation by the policymaker (Bouckaert and Degrys 2013), and 3) the additional effort to change the default setting increases switching costs as users are convenience-driven (e.g., Berry et al. 2002; Anderson 1972). As research shows, the specific characteristics of consent requests affect the user decision. However, recent privacy laws such as the GDPR or LGPD prohibit websites from adjusting consent requests’ default settings, a characteristic that research finds to impact consent rates substantially. Additionally, consent banners’ nature and characteristics vary from a newsletter signup or an online consent form. Consequently, existing research on settings outside the realm of consent banners cannot provide insights into the presence or magnitude of the effect that different consent banner designs might have on the consent rate. 2.2.2

User Decision Behavior and Consent Banners

To date, almost no research exists about how users react to differences in consent banner designs, albeit being a highly relevant topic for websites, especially in the online advertising industry. Only two studies examine the effect of differences of consent banner designs on a specific outcome: Kulyk et al. (2018) examine the impact of the amount of information displayed on consent banners on the user perception, and Utz et al. (2019) of the number of choices and the existence of user nudging on the consent rate. Kulyk et al. (2018) use an online survey to investigate how users perceive consent banners with different contents. The authors show that users generally perceive consent banners as annoying and disruptive, predominantly if the consent banner blocks a large share of the websites’ content. However, as the study examines consent banners in the setting of an implicit consent, users did not have any options on the consent banners apart from closing them. Utz et al. (2019) examine the impact of two design characteristics of consent banners on the consent rate: the number of choices and the existence of user nudging. The authors find that the consent rate increases if consent banners offer an accept and reject button and nudges users by pre-selecting checkboxes or highlighting the accept option. Thus, the authors show that 96 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates consent banner designs can impact the consent rate. However, as, e.g., Johnson et al. (2002), the authors vary design characteristics that websites cannot legally vary any longer under GDPR and the accompanying official guidelines. Consequently, existing research does not aid policymakers in evaluating the impact of differences in consent banners possible under current privacy laws or websites in determining how to select a consent banner design that increases consent rates. However, existing research in other settings and the privacy calculus theory suggest that consent banner designs likely affect the user decision on consent banners and thus the consent rate. Currently, consent banner designs vary greatly (see, e.g., Degeling et al. 2019; van Eijk et al. 2019; Sanchez-Rola et al. 2019), and even the implementation of legally questionable designs has become prevalent, e.g., nudging users to accept cookies (e.g., Matte et al. 2020; Nouwens et al. 2020). Amongst others, consent banners vary concerning the effort that users have to put into making a decision. For example, the amount of content varies across consent banners (van Eijk et al. 2019) and, with it, the information processing costs resulting from users reading the information to understand the data collection (Bettman 1979). Furthermore, the number of clicks necessary to accept or reject cookies varies (Degeling et al. 2019; SanchezRola et al. 2019). For instance, requiring even one more click for a decision can significantly influence the user decision (Heimbach and Hinz 2018): In such a case, the decision requires a higher effort from the user (one more click), increasing the perceived losses while the perceived gains stay the same. Consequently, the perceived losses more likely outweigh the perceived gains, resulting in users tending to favor the decision that requires less effort (Dinev and Hart 2006). Overall, studies on consent banners show how differently websites react to the same legal requirement for explicit consent. The large diversity in consent banners further supports the importance for policymakers to evaluate the implementation freedom and whether differences in consent banners affect user privacy. The high number of non-compliant consent banners further supports the importance of examining how websites can use the implementation freedom for consent banners to their advantage to increase the consent rate compliantly. Potentially, being able to increase the consent rate compliantly might reduce the incentive of websites to implement non-compliant designs. Therefore, policymakers and websites must investigate and evaluate the effect of differences in compliant consent banners on the consent rate. This

97 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates article is the first one that aims to provide policymakers and websites with an empirical foundation for such effects.

2.3 Description of Empirical Study 2.3.1 Description of Consent Banners Consent banners serve to inform users about websites’ data collection and usage and request users’ consent. Generally, consent banners consist of up to two layers. Figure 2.1 above shows an example of the first layer of a consent banner, and Figure 2.2 below an example of the second layer. Figure 2.2: Example of a Consent Banner’s Second Layer

98 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Users see the first layer of consent banners immediately when visiting a website. The first layer of the consent banner in Figure 2.1 offers users the option to accept all cookies (accept button), reject all cookies (reject button), and customize the cookie settings in the second layer (accessed via the settings button). Sometimes, the first layer additionally offers a granular selection of cookies on which users can set their cookie preferences. The second layer, also known as the preference center, is not available to users immediately. Instead, users have to access the second layer by clicking on a button or link on the first layer (settings button) that directs users to the second layer. The second layer commonly offers a more detailed explanation about websites’ data collection and usage and a more granular selection for different cookie categories. The experiments in this article take place on a website that offers a consent banner with two layers. The website in this article utilizes four categories of cookies: strictly necessary, analytics, functional, and targeting cookies. In contrast to all other cookie categories, strictly necessary cookies provide basic functionalities of the website (e.g., store users’ consent decisions or enable users to fill in forms). The GDPR does not require consent for this cookie category, as reinforced by the CJEU (Curia 2019). Therefore, the cookie categories to which users can give or deny consent are analytics, functional, or targeting cookies. Given that the website of this article’s experiments utilizes a consent banner with three cookie categories for which users can make a consent decision, there are five possible user decisions on the consent banner. Table 2.1 depicts these possible decisions and the respective consequences for the website. Table 2.1: Possible User Decisions on Consent Banners and Consequences for Websites Scenario

User Decision

Consequence for Website

1

Ignore Consent Banner

2

Close Consent Banner

3

Reject All Cookies

4

Customize Cookies

Obtains consent for one or two cookie categories

5

Accept All Cookies

Obtains consent for all cookies

Does not obtain consent

99 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Overall, websites do not obtain users’ consent if users avoid a consent decision by ignoring or closing the consent banner and if users reject all cookies. The website obtains users’ consent for all cookie categories if users decide to accept all cookies. If users choose to go to the second layer and customize the cookie settings, the website obtains users’ consent to the one or two cookie categories that the user consents to. 2.3.2

Description of Experimental Design

This article contains two field experiments to quantify the effect of design characteristics of consent banners on the website’s consent rate. I conduct these experiments in cooperation with a CMP. A CMP technically implements consent banners and records the users’ consent decision for a website. The cooperating CMP is a major CMP delivered on thousands of websites. The experiments take place between 2019 and 2020 on an informational website about privacy-related topics owned by the CMP. Thus, due to its nature, it is likely that the users of that website are more privacy-sensitive and -knowledgeable than the average internet user. As a result, such users likely make more conscious privacy choices and potentially react less to visual differences on consent banners than the average internet user. Thus, a more privacy-sensitive user sample likely results in a lower bound estimation of effects. On average, 500k privacy-minded users visit the website per month, primarily visiting from an EU location (Source: Similarweb.com). As the website caters to EU users, all tested consent banner designs are compliant with GDPR and official guidelines. As other privacy laws enforce similar consent requirements as GDPR, identical or similar designs would be compliant with the privacy laws LGPD, PDPA, or PDPB. The experiments test three characteristics of consent banners: two in the first experiment and one in the second. The levels of these characteristics are the independent variables within the effect analysis. The dependent variable is the consent rate, i.e., the share of users consenting to cookies. ANOVA (e.g., Bhattacharjee and Mogilner 2014; Berman et al. 2015) serves to calculate the effect of design characteristics of consent banners on the consent rate. 2.3.3

Description of Dependent Variable

The dependent variable of interest for the experiments in this study is the consent rate, i.e., the share of users who consent to the usage of cookies.

100 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates The CMP records the user’s consent decision based on the three cookie categories that require consent on the website: analytics cookies, functional cookies, and targeting cookies. For each user, the CMP records the consent decision for each cookie category separately as a binary variable (“0” if a user does not consent to the respective cookie category, “1” if a user consents). Due to the low number of users customizing the cookie settings, I define “consent” as a user agreeing to all cookie categories (see decision 5 in Table 2.1). Thus, in this study, users give consent if they agree to all cookie categories. Accordingly, users do not consent if they reject all cookies, customize cookies, or close or ignore the consent banner. Consequently, based on the privacy calculus theory, a website can only increase the consent rate if the website implements a consent banner that 1) increases (decreases) the perceived losses (gains) of decisions 1-4 in Table 2.1 or 2) increases (decreases) the perceived gains (losses) of the decision to accept all cookies (decision 5 in Table 2.1). 2.3.4 Description of Independent Variables The experiments test the effect of different characteristics of consent banners on the consent rate. The cooperating CMP technically implements the tested consent banners. Therefore, the possible design space for consent banners depends on the characteristics for which the specific CMP enables variation. Given the cooperating CMP, the consent banner designs can differ in the major ways depicted in Table 2.2 (Position, Content, Text Style, Buttons, and Color). With these characteristics and corresponding levels, websites can choose from 512 possible consent banner designs for the cooperating CMP without accounting for content- and color-specific differences. The CMP further allows websites to configure various other characteristics, e.g., whether the website displays the CMP’s or the website’s logo on the consent banner, further expanding the spectrum of possible consent banner designs. As Table 2.2 shows, the GDPR does not restrict the position of the consent banner. All of the other mentioned characteristics, however, are subject to limitations by the GDPR: 1) Content: The consent banner’s content has to fulfill the information requirement imposed by GDPR. I.e., the user has to have information about, e.g., what data the website

101 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates collects and for what it uses the data. Official guidelines further advise websites to provide a privacy policy link to offer more information to the user (e.g., UK ICO 2020; French CNIL 2019). 2) Text Style: Websites need to choose the consent banner’s text so that it does not nudge the user – especially children – to accept the cookie usage (e.g., UK ICO 2020). For instance, websites must not present the option to reject the cookie usage to insinuate that, if selected, the user cannot visit the website. 3) Buttons: For the buttons on the consent banner, only the close button is optional. a. The GDPR requires that an opt-in be as easy as an opt-out (GDPR Article 7(3)), i.e., an accept and reject button must be present on the consent banner. Official guidelines further strengthen this requirement (e.g., French CNIL 2019; Irish DPC 2020; UK ICO 2019). b. Consent banners can offer a granular consent decision on the first or second layer. Official guidelines outline the need for such an option to be present on the second layer (e.g., Spanish AEPD 2019; Irish DPC 2020). 4) Color: Generally, websites can alter a consent banner’s general and text color. However, the button colors must not present the accept button as a better alternative. Otherwise, the color choice would be considered to nudge the user to accept cookies (e.g., UK ICO 2020). Thus, given the limitations imposed by the GDPR and official guidelines, the characteristics of consent banners that websites can vary are the x

position of a consent banner,

x

presence of the close button,

x

text positivity (while avoiding nudging), and

x

color (while avoiding nudging).

102 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Table 2.2: Possible Consent Banner Design Characteristics and Levels Consent Banner Characteristic

Level

Position

Top / Center / Bottom None Left / Bottom Right

Content

Title

Any Content

Text

Any Content

Link to Privacy Policy

Yes / No

Color

Information Requirement

Positive / Negative

No nudging

Close

Yes / No

None

Accept

Yes / No

Required

Reject

Yes / No

Required

Settings

Yes / No

Advised

Banner

Any

None

Text

Any

None

Button

Any

No nudging

Text Positivity Buttons

Imposed Limitation

In the two experiments, I test three of these four major design characteristics: The position of the consent banner, the presence of the close button, and text positivity. Each characteristic can increase the consent rate if it 1) decreases the perceived losses or increases the perceived gains of consenting to all cookies or 2) increases the perceived losses or decreases the perceived gains of the other four possible decisions in Table 2.1. Consequently, the consent banner’s position likely affects the user decision and the consent rate in the following manner: Prominent positions, e.g., in the center of a website, block more content of the website and pose more of a browsing disruption to the user than less prominent consent banners. Compared to a consent banner that blocks a small share of websites’ content, the perceived losses of ignoring a consent banner increase if the consent banner blocks a large share of a website’s content. Correspondingly, the perceived gains of removing the consent banner by either closing the consent banner, rejecting, customizing, or accepting cookies increase if consent banners block a large share of the content. Thus, prominent consent banners

103 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates might decrease users’ likelihood to ignore the consent banner, potentially increasing the consent rate. A similar effect might exist when varying the existence of the close option. The close option offers users the option to deny consent while requiring less effort in terms of information processing costs. At the same time, the consequence for users is the same as when making an active decision to accept, reject or customize cookies: The consent banner is removed and does not block any content anymore. Thus, when removing the close option from the realm of possible choices, the user can only accept, reject or customize cookies if the user does not want to ignore the consent banner. In that case, there is no difference in terms of information processing costs and clicks required for accepting and rejecting cookies. Thus, removing the close option potentially increases the consent rate. The effect might become even stronger in combination with the consent banner’s position as both aspects might reinforce each other. Thus, Experiment 1 tests the position and close option simultaneously. For the text positivity on consent banners which relates to the way that the consent banner presents the possible decisions, this study considers the findings of Kulyk et al. (2018), who show that users ignore the text on consent banners. Thus, variations in the general content of consent banners are unlikely to affect the user decision. Yet, the button labels might affect users’ evaluation of perceived losses and gains. Based on the privacy calculus theory, the consent rate increases if the accept button label decreases the perceived losses or increases the perceived gains of accepting all cookies. Similarly, the consent rate increases if the label for the reject or settings button increases the perceived losses or decreases the perceived gains of rejecting all or customizing cookies. Compared to neutral button labels, button labels that emphasize the consequence of accepting or rejecting cookies might make users more hesitant to select the respective options, as Johnson et al. (2002) show for newsletter signups. This potential effect would be desirable on the reject button, while the same effect on the accept button would be detrimental. Thus, neutral labels on the accept button and reject button labels that emphasize the consequences of rejecting likely increase the consent rate. Experiment 2 tests the effect of button labels on the consent rate.

104 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates 2.3.4.1 Description of Experiment 1: Consent Banner Position and Close Option In Experiment 1, the design characteristics that vary are the consent banners’ position on the website and the existence of a button to close the consent banner (see Table 2.3). Table 2.3: Consent Banner Design Characteristics Tested in Experiment 1 Characteristic

Level

Position

Top Center Bottom Left Bottom Right

Close Option

Close Option Exists No Close Option Exists

Together with varying the existence of a close option, the possible user decisions vary. In Experiment 1, and with a close option present on the consent banner, users can make the following decisions: They can ignore or close the consent banner or accept or customize cookies (see Table 2.1 for all possible user decisions on consent banners). Without a close option, users cannot make the choice to close the consent banner – an action that would lead to the user rejecting cookies without having to process the consent banner’s content. I further note that in Experiment 1, the consent banners do not have a reject option available. This missing reject option is due to official guidelines not specifying this matter at the point of Experiment 1. However, as the reject option is missing on all consent banners in Experiment 1, inferences about the effect of the variables of interest are still possible. The different characteristics – i.e., four possible positions and two close option variations – result in eight possible consent banner designs. Experiment 1 tests all of them. For an overview of the different consent banner designs, see Figure 2.3 that shows the displayed consent banner designs with a close button each. The version without the close button looks the same as presented in Figure 2.3, except the consent banners do not have an “X” on the upper right.

105 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Figure 2.3: Consent Banner Designs with a Close Button in Experiment 1

Experiment 1 includes 7,589 consent requests and the resulting user decisions from August 20th, 2019, to September 4th, 2019. The website shows the variations randomly to the users, and none of the users are aware of the ongoing experiment. The users included in the experiment are non-unique, i.e., if a recurring user has deleted cookies after an initial visit, the user interacts with a consent banner again. This new consent decision involves a new evaluation of perceived gains and losses; thus, the experiment considers each consent decision a separate decision, independent of whether the user is unique or recurring. 2.3.4.2 Description of Experiment 2: Consent Banner Button Labels In Experiment 2, the labels of the buttons on the consent banner vary. There are three buttons on each consent banner design: The accept button, reject button, and settings button. The difference between the labels is the level of expressing (dis-)agreement to cookies, i.e., the extent to which the buttons emphasize the respective decision’s consequences. The “action word” of the button label captures this level of the consequence emphasis by varying the level of (dis-)agreement on the accept and reject button. For the settings button, the action word varies in terms of whether one is present or not. The button labels further differ in the consequence emphasis by whether they specify the decision with the word “Cookies.” 106 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates I test only commonly used labels based on the industry knowledge of the cooperating CMP. Table 2.4 gives an overview of the labels tested in Experiment 2. The labels “Accept All," “Reject All,” and “Manage Settings” are the default labels and serve as the reference categories in the analysis. Only one of the labels varies at a time, while the other two buttons display the default labels. Thus, the website displays a set of nine consent banner designs (the design with the default labels and the eight designs with label variations) in Experiment 2. Figure 2.4 shows the different button labels randomly tested within Experiment 2. All consent banner designs in Experiment 2 are positioned at the website’s bottom right, and they have no close button. Overall, 40,158 users participated in Experiment 2 from June 22nd, 2020, to November 19th, 2020. Again, the participants are not aware of the experiment. Table 2.4: Consent Banner Design Characteristics Tested in Experiment 2 Characteristic

Tested Level

Action Word

Cookies

Accept Button Label

“Accept All”

“Accept”

No

“Accept Cookies”

“Accept”

Yes

“Yes, I Agree”

“Agree”

No

“Approve Cookies”

“Approve”

Yes

“Reject All”

“Reject”

No

“Reject Cookies”

“Reject”

Yes

“Deny All”

“Deny”

No

Settings Button La- “Manage Settings” bel “Cookie Settings”

“Manage”

No

-

Yes

“Manage Cookies”

“Manage”

Yes

“More Information”

-

No

Reject Button Label

107 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Figure 2.4: Button Labels in Experiment 2

2.4 Results of Consent Banner Design Variations 2.4.1

Results of Experiment 1: Impact of Consent Banner Position and Close Button Existence

In Experiment 1, users can make an active consent decision to accept or customize cookies and avoid an active consent decision by ignoring the consent banner or closing it if a close option is available. Table 2.5 shows the number of observations for the possible user decisions in Experiment 1. Table 2.5 shows an average consent rate across all consent banner designs tested in Experiment 1 of 37.98%. Users denying consent predominantly ignore (42.97%) or close (18.73%) the consent banner. Only 0.33% of the users customize cookies, an observation that is in line with the expected effect: Accepting one or two cookie categories requires 3-4 clicks, whereas the other possible decisions only require 0-1 click(s).

108 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates Table 2.5: Number of Observations per User Decision in Experiment 1 Consequence for Website User denies Consent

User gives Consent

User Decision

No. of Observations in Experiment 1

Ignore Consent Banner

3,262 (42.97%)

Close Consent Banner

1,422 (18.73%)

Customize Cookies

25 (0.33%)

Accept All Cookies

2,882 (37.98%)

To examine whether the position and existence of a close option affect the consent rate, i.e., the share of users consenting to all cookies, I apply a two-way (position x close option) ANOVA. Figure 2.5 visualizes the average consent rate achieved by each of the four positions of the consent banners combined with the presence of a close option. Figure 2.5: Average Consent Rates for Consent Banner Designs in Experiment 1

109 Dieses Werk ist copyrightgeschützt und darf in keiner Form vervielfältigt werden noch an Dritte weitergegeben werden. Es gilt nur für den persönlichen Gebrauch.

Choose Wisely: The Impact of Consent Banner Designs on Consent Rates The graph indicates that differences in both the position and the close option affect the consent rate individually. Additionally, the interaction between the two variables likely affects the consent rate as well. The ANOVA confirms the visually observed effects and shows a significant impact of the consent banner’s position (F(3, 7581)=44.29, p < 0.001), the presence of a close option (F(1, 7581)=151.97, p < 0.001), as well as an interaction effect between the two variables (F(3, 7581)=35.44, p < 0.001). Thus, both variables and their interaction significantly affect the consent rate. A post-hoc-test for the variables using the Tukey honestly significant difference (HSD) test for multiple comparisons (as, e.g., Klein and Melnyk (2016) or Goldstein et al. (2014) used) further shows that the sizes of these effects are substantial. Table 2.6 shows the pairwise comparisons resulting from the Tukey HSD test (see Table A2 - 1 in Appendix for the pairwise comparisons of the interactions between the two variables). Table 2.6: Pairwise Comparisons of Position and Close Option Characteristic Pairwise Comparison Position

Close

Difference

Significance Level

Bottom Right vs. Bottom Left

-0.043