Faculty & Research -Regulatory Spillovers and Data Governance: Evidence from the GDPR

Regulatory Spillovers and Data Governance: Evidence from the GDPR

We document short-run changes in websites and the web technology industry with the introduction of the European General Data Protection Regulation (GDPR). We follow more than 110,000 websites and their third-party HTTP requests for 12 months before and 6 months after the GDPR became effective and show that websites substantially reduced their interactions with web technology providers. Importantly, this also holds for websites not legally bound by the GDPR. These changes are especially pronounced among less popular websites and regarding the collection of personal data. We document an increase in market concentration in web technology services after the introduction of the GDPR: Although all firms suffer losses, the largest vendor—Google—loses relatively less and significantly increases market share in important markets such as advertising and analytics.

Privacy protection in Europe has traditionally been strong for historical, cultural, political, and legal reasons. The GDPR is the cornerstone of European privacy law and is considered the most comprehensive, globally leading privacy regime. It establishes common rules on data processing throughout the EU and is directly binding for companies and residents in the EU and beyond. With the GDPR, the European legislator intended to harmonize privacy law and enforcement throughout the EU and increase the protection of individuals’ privacy while maintaining the benefits of data processing.

In a recent paper, we ask two questions in the context of the EU’s recently introduced privacy regulation, the General Data Protection Regulation (GDPR):

– Did the GDPR lead to extraterritorial websites (websites with no EU-based top-level domain) making changes that are in line with stricter privacy requirements?

– Did the GDPR, which tackled issues of privacy and personal data, affect other domains of public and regulatory interest, such as competition or trade policy?

Our analyses show that the answer to both questions is that EU privacy regulation did indeed spill over both outside of its territorial limits and of the policy domain it was designed to address.

With data covering 12 months before and 6 months after the GDPR came into force, we can document the short- run changes in how websites interact with web technology providers, as well as changes in the web technology market in the same time frame.  We investigate empirically whether and how the way websites, web technology providers, and consumers interact has changed with the GDPR both within and outside the EU and explore changes in the structure of markets for web technologies. Websites may use web technologies to raise advertising revenues, observe user behavior, share information through social media, or host audiovisual content.

We observe whether a website uses such technologies through the HTTP requests the website makes to external servers and map these requests to third-party firms. We also collect the stated privacy policies of these vendors.

As a result, we provide robust large-scale evidence on the changes occurring around the time when the GDPR came into force in the context of websites and web technology providers.

We show how websites—within a time frame of six months—reduce their compliance risks after the GDPR: they reduce the number of third-party web technology providers they use, in particular relating to third-party cookies.

We offer empirical evidence of the Brussels effect in European privacy law: Websites and web technology providers that are located outside the EU, cater to non-EU audiences, and are therefore not subject to the GDPR still comply with it.

Finally, we demonstrate that, although markets for web technologies shrunk in size after the enactment of the GDPR, the dominant firm—Google—increased its market share vis-a`-vis competing web technology providers.


We follow more than 110,000 websites of which about 20% cater to audiences in the EU, from May 2017 to November 2018. We measure interactions between websites and third parties by the HTTP requests that websites send. We collect information about the identity and location of third parties that a website interacts with, the total number of third-party requests, and the number of third- and first-party cookies and combine these data with demographic information about website audiences.

Applications and beneficiaries

Our findings suggest that some of the key implications of the GDPR may not relate to privacy, but to antitrust policy and regulatory competition. Although such regulatory spillovers have general implications for debates on how to govern data and AI, we leave the implications for the theoretical relationship between privacy and antitrust laws to future research.

Reference to the research

Christian Peukert, Stefan Bechtold, Michail Batikas, Tobias Kretschmer (2022) Regulatory Spillovers and Data Governance: Evidence from the GDPR. Marketing Science 41(4) pp. 318-340

Consult the research paper

Link to media

Christian Peukert, Stefan Bechtold, Michail Batikas, Tobias Kretschmer. Regulatory export and spillovers: How GDPR affects global markets for data. VoxEU & CEPR 30 September 2020

Regulatory export and spillovers: How GDPR affects global markets for data | CEPR


Michail Batikas, Stefan Bechtold, Tobias Kretschmer, Christian Peukert. Regulatorischer Export – Wie die europäische Datenschutzgrundverordnung globale Datenmärkte beeinflusst. Ökonomenstimme, 19 October 2020 Ökonomenstimme: Home (oekonomenstimme.org)

Forbes article