GDPR works, but only where someone enforces it
A new measurement study of web tracking across ten jurisdictions offers a reality check for anyone working on privacy compliance.
Researchers crawled the same set of globally popular websites from virtual machines located in Australia, Brazil, Canada, Germany, India, Singapore, South Africa, South Korea, Spain, and California. The results show that European privacy law does reduce tracking, and that most of the reduction happens in the two jurisdictions where regulators bring cases.

The headline numbers
Visitors from Germany and Spain see less tracking than visitors from elsewhere on the identical set of global sites. On a shared list of 525 globally popular sites, users in EU countries encountered 50.5% fewer tracker connections on average than users in non-EU countries. German users saw the lowest exposure at 4.2 average tracker connections per site. Spanish users saw 5.3. California users saw 11.7, and Australian users saw 11.2.
A smaller experiment on 36 of those global sites produced an even sharper result. In Germany, a user who simply ignored the cookie banner saw 48.5% fewer tracker connections than a user who clicked accept. In California, the same behavior produced only a 21.1% reduction, which aligns with the opt-out design of the California Consumer Privacy Act.
On locally popular sites, the range widens considerably. Only 44.6% of the most popular German country-coded sites made any tracker connection at all. In Australia, 96% did.
Enforcement is the variable
Seven of the ten studied jurisdictions require opt-in consent for tracking cookies. Three permit tracking until the user opts out. On paper, Brazil, India, Singapore, South Korea, and South Africa all have opt-in regimes comparable to the GDPR. In the data, their tracking levels sit much closer to the opt-out jurisdictions than to Germany and Spain.
The authors categorize only Germany and Spain as high-enforcement jurisdictions. German data protection authorities have been active since the 1970s, and the Spanish authority recently fined SEAT for placing non-essential cookies without consent. Across the EU, regulators have issued 833 fines totaling €3.01 billion for insufficient legal basis for data processing.
Medium-enforcement jurisdictions include Australia, Canada, South Korea, and California. These regulators pursue individual high-profile cases. The California Attorney General recently settled with Disney for $2.75 million over failures to honor opt-out signals. The new California Privacy Protection Agency has brought actions against PlayOn Sports and Ford.
Low-enforcement jurisdictions include Brazil, India, Singapore, and South Africa. Brazil’s LGPD closely mirrors the GDPR, and its first enforcement actions have focused on data breaches in the public sector. India’s DPDP Act is too new for meaningful enforcement. Singapore and South Africa have had laws on the books for more than a decade without strong action on consent.
South Korea illustrates the gap. Its Personal Information Protection Act requires opt-in consent comparable to the GDPR. Yet among the most popular Korean sites, 75.9% connect to at least one tracker, and only 1.8% deploy a cookie banner of any kind.
The Brussels shield
The study’s more original contribution is its framing of a “Brussels shield” effect. The widely discussed Brussels effect predicts that EU rules export themselves globally because multinational companies find it cheaper to apply the strictest standard everywhere. The data shows something more limited.
When operators of the globally popular sites decide where to deploy cookie banners, their behavior falls into three groups. About 28% deploy banners in every country studied. A roughly equal share deploy banners nowhere. The remaining sites deploy banners selectively, and when they do, the selection is almost always Germany and Spain, sometimes paired with Brazil or California. The EU-only pattern is the dominant selective strategy by a wide margin.
The 28% that deploy everywhere do reflect a genuine Brussels effect. For the larger population of sites that geofence their compliance to EU visitors, the law functions as a shield for Europeans without improving matters for users elsewhere.
What the tracking layer looks like
Advertising is the dominant category of tracking on the web, accounting for about two-thirds of recorded connections. Analytics and social trackers make up the rest. The advertising category has a long tail of vendors, and the social category is concentrated in four companies: Facebook, LinkedIn, X, and Reddit. Across every country in the study, the same handful of parent companies sit at the top of the rankings: Google, Facebook, LinkedIn, Microsoft, Adobe, and X.
The consent management layer is consolidating around a small number of platforms, with OneTrust appearing on a large share of sites the crawler visited. For security and compliance teams, this means the behavior of a few vendors largely determines whether a given site’s banner is compliant and whether trackers fire before consent is captured.
One finding deserves attention from anyone auditing their own properties. On the globally popular list, sites without a visible cookie banner carried more trackers on average than sites with one. The quieter user experience was the more tracker-heavy one. For an auditor, a missing banner is a better predictor of heavy tracking than a present banner is of restraint, so banner-less properties are the place to start, while banner-bearing ones still need a check for trackers that fire before consent.
Caveats worth keeping in mind
The study measures tracker connections, which is a proxy for potential data sharing. A connection is a necessary condition for third-party data collection. It is not a sufficient one. Some recipients may discard data server-side. The study also cannot capture tracking that happens through server-to-server channels, fingerprinting techniques outside the Disconnect block lists, or other mechanisms that leave no network trace on the client. The tracker categorization depends on the accuracy of the Disconnect Tracker Protection lists.
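The measurement method described above can be applied to a site's own crawl output. The following is an added example, not code from the study or its authors. It assumes a tracker list in the nested shape of Disconnect's services.json (category, company, homepage, domains), but every list entry and every captured request below is constructed for the example. It counts distinct third-party tracker domains a page contacted, separates those that fired before the banner was clicked, and computes the same "ignore versus accept" reduction the study reports. The first-party check uses the last two DNS labels as the registrable domain; a real crawler should use the Public Suffix List instead.

```python
"""Classify a page's third-party connections against a Disconnect-style tracker list."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for Disconnect's services.json. The nesting matches the
# real file (category -> company -> homepage -> domains); the entries are invented.
DISCONNECT_LIST = {
    "categories": {
        "Advertising": [
            {"AdCo": {"https://adco.example/": ["adco.example", "cdn-ads.example"]}},
        ],
        "Analytics": [
            {"StatsCo": {"https://statsco.example/": ["statsco.example"]}},
        ],
        "Social": [
            {"SocialCo": {"https://socialco.example/": ["socialco.example"]}},
        ],
    }
}


@dataclass(frozen=True)
class Request:
    url: str
    before_consent: bool  # True if the request was seen before any banner click


def build_domain_index(disconnect_list):
    """Flatten the nested list into {domain: (category, company)}."""
    index = {}
    for category, entries in disconnect_list["categories"].items():
        for entry in entries:
            for company, sites in entry.items():
                for _homepage, domains in sites.items():
                    for domain in domains:
                        index[domain.lower()] = (category, company)
    return index


def registrable_domain(host):
    """Approximation: last two labels. Use the Public Suffix List in production
    so that hosts under co.uk, com.br and similar suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tracker_connections(site_host, requests, index, before_consent_only=False):
    """Distinct third-party tracker domains the page contacted.

    A connection is necessary but not sufficient for data sharing, so this is
    the study's proxy, not proof of collection. Returns {domain: (category, company)}.
    """
    site_reg = registrable_domain(site_host)
    found = {}
    for req in requests:
        if before_consent_only and not req.before_consent:
            continue
        host = urlsplit(req.url).hostname
        if not host or registrable_domain(host) == site_reg:
            continue  # first-party request; not a tracker connection under this method
        labels = host.lower().rstrip(".").split(".")
        # Walk up the hierarchy so px.adco.example matches the listed adco.example.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in index:
                found[candidate] = index[candidate]
                break
    return found


def reduction_pct(accept_count, ignore_count):
    """Percent fewer tracker connections when ignoring the banner than when accepting."""
    if accept_count == 0:
        return 0.0
    return round(100.0 * (accept_count - ignore_count) / accept_count, 1)


def audit_site(site_host, accept_requests, ignore_requests, index):
    """Summarise one site under the two user behaviours the study compares."""
    accepted = tracker_connections(site_host, accept_requests, index)
    ignored = tracker_connections(site_host, ignore_requests, index)
    pre_consent = tracker_connections(site_host, accept_requests, index, before_consent_only=True)
    by_category = {}
    for category, _company in accepted.values():
        by_category[category] = by_category.get(category, 0) + 1
    return {
        "accept": len(accepted),
        "ignore": len(ignored),
        "reduction_pct": reduction_pct(len(accepted), len(ignored)),
        "fired_before_consent": sorted(pre_consent),  # compliance finding, if non-empty
        "by_category": by_category,
    }


# Constructed crawl output for one hypothetical site under the two behaviours.
SITE = "news.example"
ACCEPTED = [
    Request("https://news.example/index.html", True),
    Request("https://static.news.example/app.js", True),    # first-party CDN, ignored
    Request("https://statsco.example/collect?sid=1", True),  # fires before any click
    Request("https://cdn-ads.example/tag.js", False),
    Request("https://px.adco.example/pixel.gif", False),     # subdomain of a listed domain
    Request("https://socialco.example/like.js", False),
]
IGNORED = [r for r in ACCEPTED if r.before_consent]  # no click, so only pre-consent traffic

if __name__ == "__main__":
    print(audit_site(SITE, ACCEPTED, IGNORED, build_domain_index(DISCONNECT_LIST)))
```

Run against real crawl output, the `fired_before_consent` list is the field to act on: any entry there is a tracker that ran before consent existed, which is the behaviour the consent layer is supposed to prevent.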
The “US” jurisdiction in this study is specifically California under the CCPA. Results would differ in states with weaker or no comprehensive privacy law. The country-specific site lists rely on country-code top-level domains, which under-represent sites that operate locally on .com addresses. The interaction sub-study covered only 36 sites, so its percentages rest on a small sample.
What to take from this
For compliance leaders, the study supports a few working conclusions. A privacy law without active regulators produces tracking behavior close to having no law at all. The gap between Brazil’s LGPD text and Brazilian tracker exposure is the clearest example in the dataset. Opt-in legal regimes do produce lower tracker exposure when enforced, and the GDPR paired with the ePrivacy Directive is the only regime in the study that produces a large gap between consenting to a banner and ignoring it.
For architects, the concentration of the ad and analytics markets around roughly six parent companies means that privacy improvements at the platform layer propagate widely. The consolidation around a small number of consent management platforms has a similar effect. Decisions made at OneTrust or its competitors now determine baseline compliance for a large share of the web.
For anyone operating across jurisdictions, the trimodal deployment pattern reflects the dominant strategy in practice. Apply GDPR-grade controls in the EU, lighter controls elsewhere, and accept the resulting complexity. The study suggests this approach will grow harder as more countries adopt opt-in laws with local variations, and as California and its sister states push opt-out preference signals like Global Privacy Control into broader use.
Web tracking exists because the ad-financed content model requires it. Privacy law can shape the terms of that exchange, and the evidence from this study indicates that it does so where regulators follow through.
