Privacy after the GDPR

Abstract

Privacy is a fundamental right of individuals according to the General Data Protection Regulation. Yet, there are many examples of disregard of this right, one of the most famous ones being the Cambridge Analytica scandal. Privacy notices are ubiquitious, but how well do they perform in informing users about the services’ data practices? What actually happens before a user interacts with a consent banner and after making consent decision? This thesis introduces the key aspects of the regulation and examines its effects on online privacy by reviewing research articles on the subject between 2018 and 2022. The research articles selected for the review approach the topic from the following angles: 1) the gap between privacy notices and data collection, and processing and/or tracking without user’s approval, 2) measurement of the amount of cookies set and assessing whether the GDPR has affected the amount of third parties used, and 3) the design aspects of cookie banners and how users’ privacy decisions are affected by them. An empirical study is conducted to analyze the consent mechanisms and cookie usage of 20 Finnish news sites. To analyze the factors that may contribute to privacy related challenges the discussion chapter examines research on privacy engineering and developers’ attitudes and skills on privacy and security. The main findings of the thesis are that the GDPR has increased the presence of privacy notices but there are mixed results on the amount of tracking performed. The role of the biggest companies performing tracking has grown. Users encounter consent notices that apply dark patterns and fail to encompass users’ data rights or fall short of enabling informed consent.