Regulatory Spillovers and Data Governance: Evidence from the GDPR

We document short-run changes in websites and the web technology industry with the introduction of the European General Data Protection Regulation (GDPR). We follow more than 110,000 websites and their third-party HTTP requests for 12 months before and 6 months after the GDPR became effective and show that websites substantially reduced their interactions with web technology providers. Importantly, this also holds for websites not legally bound by the GDPR. These changes are especially pronounced among less popular websites and regarding the collection of personal data. We document an increase in market concentration in web technology services after the introduction of the GDPR: Although all firms suffer losses, the largest vendor — Google — loses relatively less and significantly increases market share in important markets such as advertising and analytics. Our findings contribute to the discussion on how regulating privacy, artificial intelligence and other areas of data governance relate to data minimization, regulatory competition, and market structure.


Introduction
The Internet has revolutionized global trade and data flows. In many aspects of our daily life, it has torn down national borders and facilitated communication and trade across the globe. Regulating such a world is challenging. As international coordination mechanisms have often proven ineffective, individual countries and regions have enacted legal regimes to govern the data-driven world. In the area of privacy, examples of such regimes include the European Union (EU)'s General Data Protection Regulation of 2018 (GDPR) and the California Consumer Privacy Act of 2020 (CCPA).
Privacy protection in Europe has traditionally been strong for historical, cultural, political, and legal reasons (Bradford 2020, p. 136-141; Schwartz and Peifer 2017, p. 123-127). The GDPR is the cornerstone of European privacy law and is considered the most comprehensive, globally leading privacy regime. It establishes common rules on data processing throughout the EU and is directly binding for companies and residents in the EU and beyond. With the GDPR, the European legislator intended to harmonize privacy law and enforcement throughout the EU and increase the protection of individuals' privacy while maintaining the benefits of data processing.
We investigate empirically whether and how the way websites, web technology providers, and consumers interact has changed with the GDPR both within and outside the EU and explore changes in the structure of markets for web technologies. Websites may use web technologies to raise advertising revenues, observe user behavior, share information through social media, or host audiovisual content. We observe whether a website uses such technologies through the HTTP requests the website makes to external servers and map these requests to third-party firms. We also collect the stated privacy policies of these vendors. We follow more than 110,000 websites from May 2017 to November 2018. With data covering 12 months before and 6 months after the GDPR came into force, we can document the short-run changes in how websites interact with web technology providers, as well as changes in the web technology market in the same time frame.
We highlight three key findings. First, websites have reduced the number of third-party domains they request after the GDPR became effective. Importantly, these changes also apply to websites which are not legally subject to the GDPR. Although the GDPR may apply to firms in the EU catering to consumers outside the EU and to firms outside the EU catering to consumers in the EU, it does not, de jure, apply to firms outside the EU catering to consumers outside the EU. Nevertheless, we observe a de facto change by websites located outside the EU serving consumers outside the EU in our empirical setting. This hints at a "Brussels effect," which has long been described in the legal literature on regulatory competition and the EU (Bradford 2012, 2020): Our findings suggest that the EU has shaped the global privacy regime beyond the boundaries of the EU, thus exporting the EU's regulatory framework to other countries.
Second, the number of third-party domains requested by websites is reduced immediately after the GDPR becomes effective, but the decades-long general upward trend remains unchanged. However, focusing on a specific type of request, cookies, we find that websites' use of third-party technologies that interact with consumers' privacy has changed effectively with the GDPR: There is a sustained decrease in third-party cookies after the introduction of the GDPR. The change in the interactions between websites and third-party vendors is especially pronounced for vendors disclosing that they collect personal data. Together with the finding that the stated privacy policies of technology vendors become more informative about collection, processing and sharing of personal data, this seems in line with the GDPR's data minimization principle.
Third, the market for web technologies has changed substantially after the introduction of the GDPR. Although the market overall is shrinking as websites send fewer requests to third-party vendors, the dominant firm in many markets for web technologies, Google, increases its market share. This indicates that privacy regulation may have unintended consequences for market structure and competition.
We make several contributions. First, by carefully analyzing the institutional arrangement of the GDPR, we disentangle its implications for firms and consumers located within or outside the European Union. Second, using a unique data set with information on the location of both firms and consumers, we observe how various geographical markets evolve differently after the GDPR becomes effective. Third, we study changes to pre-existing trends following the GDPR. With the caveat of a relatively short observation period of six months after the GDPR, we can speculate about the longer-run impact of the GDPR when comparing immediate changes (intercept) versus changes in the growth rate (slope). Fourth, using data on the privacy policies of web technology vendors, we document changes in the disclosure of collection and sharing of personal data. Finally, we find that privacy law interacts with other policy dimensions. Even websites outside the legal scope of the GDPR at least temporarily change operations, and the market structure of web technology vendors changes. Hence, we add to the discussion on how regulating privacy and other areas of data governance, for example, artificial intelligence, relates to data minimization, regulatory competition, and market structure.

Institutional Background and Related Literature
With the GDPR, European legislators intended to harmonize privacy law and enforcement throughout the EU and increase the protection of individuals' privacy while maintaining the benefits of data processing. The GDPR became applicable on May 25, 2018 (European Union 2016) and is binding for firms and residents in the EU and beyond. Three aspects of the GDPR are especially relevant for our paper: territorial application, increased compliance risks, consent and data minimization.

Territorial Application
Any empirical study on the evolution of various geographical web markets after the GDPR became effective faces the challenge of the territorial applicability of the GDPR. Countries are typically entitled to enact laws and exercise authority within their geographical boundaries. The Internet has challenged the concept of geography-based rule setting. Users in one country can browse, communicate, and shop on any website located anywhere around the globe, calling into question where the service takes place. In the context of the GDPR, this leads to situations in which users located within or outside the EU access websites located within or outside the EU. In theory, the GDPR clearly regulates in which of these cases the regulation is applicable or not. As Table 1 illustrates, the GDPR applies, first, in the standard case in which both the user accessing a website and the website processing the user's personal data are located in the EU (Art. 3(1) GDPR, top left cell in Table 1). We will refer to this as Case 1. In this context, the user's citizenship, residence, or legal status is irrelevant (European Data Protection Board 2019a, p. 14-16); only the user's location matters. Second, the GDPR applies if users located outside the EU access a website in the EU that processes their personal data (Case 2, following the so-called "establishment principle," Art. 3(1) GDPR, bottom left cell in Table 1; European Data Protection Board 2019a, p. 8-13). Third, the GDPR applies if users in the EU access a website located outside the EU which processes their personal data (Case 3, so-called "effects doctrine," Art. 3(2) GDPR, top right cell in Table 1). It is sufficient that a firm intentionally offers goods or services to people located in the EU, or if it monitors or predicts behavior, personal preferences, or attitudes within the EU (Art. 3(2) and Recital 24 GDPR; European Data Protection Board 2019a, p. 15-20). Whether a firm targets persons located in the EU is decided on a case-by-case basis. This involves, inter alia, assessing the website's language, the currency used, and the firm's marketing efforts (Recital 23 GDPR).
As the discussion of these three situations illustrates, the EU has designed the GDPR to be widely applicable to a range of activities within and outside the territorial boundaries of the EU. The GDPR can effectively apply to websites and web technology providers regardless of their business location or legal incorporation as long as they are accessed by and used for users in the EU. Websites and web technology providers not located in the EU but subject to the GDPR must designate a representative in the EU (Art. 27 GDPR). They are bound by all rules of the GDPR, including its damages and fines regime. Compared with former European privacy law, this is a drastic expansion of the global reach of European privacy protection. Under Art. 4(1)(c) of the former Data Protection Directive (European Union 1995), EU privacy law only applied if the data controller used equipment located in the EU, applying a territoriality doctrine. The GDPR broadened its territorial scope by switching to an effects-based doctrine.
The only situation in which the GDPR does not legally apply is if users located outside the EU access a website located outside the EU that processes their personal data (Case 4, bottom right cell in Table 1). Although de jure, the GDPR does not apply in this situation, the proponents of the so-called Brussels effect argue that the GDPR de facto does apply in this situation as well. 1 Our analysis in Section 5.1.1 can be seen as an empirical test whether such a Brussels effect exists with regard to the GDPR: Do websites which are not required by law to obey the GDPR follow GDPR rules nevertheless?
Defining the boundaries between the four cases in Table 1 can be a challenging endeavor in its own right. As it may take years to resolve issues of territorial application questions, 2 the GDPR left firms outside the EU with considerable legal uncertainty during our period of empirical observation whether and to what extent the GDPR applied to them.

Increased Compliance Risks
The GDPR has drastically increased compliance risks for privacy violations for several reasons. First, under pre-GDPR European privacy law, maximum fines for privacy violations varied between €12,000 and €600,000 and were set at the EU member state level with considerable heterogeneity in enforcement. Fines are now up to €20 million or 4% of the total worldwide annual turnover, whichever is higher (Art. 83(5) and (6) GDPR). European privacy law now resembles European antitrust law, where the European Commission has issued several multibillion dollar fines over the last decade. The GDPR also initiated far-reaching changes for the competence and cooperation of national data protection authorities responsible for monitoring GDPR compliance.
Second, under the GDPR, a website cannot easily dispose of its liability for privacy violations by outsourcing the processing of personal data (for example, for behavioral monitoring or consumer profiling) to third-party web technology providers. This is not only because the website must inform its users about any transfer of personal data to third-party providers (Art. 13(1)(e) GDPR) and because the website must make sure that the third-party providers' data processing will adhere to the GDPR as well (Art. 28(1) GDPR). The website may also be jointly responsible with the web technology provider for violating provisions of the GDPR. 3 This legal framework of joint responsibilities can have important implications for websites. For example, it is the websites and not just Google or Facebook which have to gather user consent to process personal data. Also, users can sue a website for damages caused by GDPR violations committed by its web technology provider within the joint responsibility framework. 4 Although websites may be able to outsource tasks such as analytics to third-party providers, they are, to a considerable extent, still responsible and potentially liable for privacy violations that occur while cooperating with the technology provider.
Peukert et al.: Regulatory Spillovers and Data Governance: Evidence from the GDPR
Third, the GDPR has put compliance with privacy laws high up on firms' agendas not only because of its stricter enforcement regime and broader territorial scope, but also because the GDPR has led to novel problems in interpreting the GDPR and its relationship to other bodies of EU and member state privacy laws. For example, during the period of our study, it was difficult to observe a standard pattern on how European data protection authorities calculated fines, how the territorial scope of the GDPR was determined in individual cases (Tobin 2019), or whether a non-EU website "targeted" users located in the EU (see Section 2.1).
Such questions can only be resolved by data protection authorities providing guidelines on how to interpret the GDPR, which may take considerable time, 5 and ultimately by courts deciding disputes. As this process typically takes several years at least, firms were left with increased legal uncertainty and considerable compliance risks after the GDPR was introduced (Bessen et al. 2020). 6

Consent and Data Minimization
If a website uses web technologies such as cookies, 7 scripts, images, or fingerprinting technologies to identify users, the website complies with the GDPR if it gathers the consent of the users whose personal data it processes (Art. 6(1)(a) GDPR). 8 For cookies, the revised e-Privacy Directive (European Union 2002) had mandated websites to gather user consent for placing cookies on their devices since 2009 (Article 5(3) of the revised e-Privacy Directive). 9 The GDPR goes much further as it covers the processing of any kind of personal data, including but not exclusively through cookies. In addition, the drastic expansion of the sanctions regime under the GDPR and the broad expansion of the territorial reach of the GDPR acted as a game-changer. With its wide-ranging, technology-neutral rule on consumer consent, the GDPR gave European privacy authorities a powerful tool to enforce consumer consent across the EU and beyond.
Furthermore, the GDPR implements a data minimization principle (Art. 5(1)(c), 25(1) and Recitals 78, 156 GDPR), where personal data collection needs to be limited to what is necessary for legitimate processing purposes. Although it is difficult to measure data minimization in general, our empirical context lets us study some aspects consistent with data minimization in the sense of the GDPR. We observe whether websites engage in fewer interactions with third-party technology providers after the introduction of the GDPR. Such interactions can, from a technical perspective, be considered means to collect and share personal data. Whether a relative decline implies data minimization is impossible to establish, but it would at least be informative of data reduction.

Related Literature
We add to an emerging empirical literature on the technical and commercial implications of the GDPR. Related to our study, Johnson et al. (2020) also report a decrease of third-party requests by 15% and an increase in the concentration in the industry of web technologies by 17% after the introduction of the GDPR. In contrast to our work, they use a shorter pre-GDPR period and only follow the top websites per country. As we show, the change in interactions with third-party web technology vendors is more pronounced in the tail than the top of the popularity distribution, suggesting that the GDPR has disproportionately affected smaller organizations. Moreover, our rich data set yields additional insights on changes in the web technology industry after the introduction of the GDPR. We show that the increase in concentration can be traced back to an increase in the market share of the dominant vendor. We document that the market as a whole shrinks, that is, the dominant vendor also receives fewer third-party requests, but as its decline is relatively less pronounced, it takes a bigger piece of a shrinking pie. Our paper therefore provides detailed insights consistent with some of the results in other works, including Johnson et al. (2020), industry reports (WhotracksMe 2018), and recent academic work in computer science and communication (Libert et al. 2018, Dabrowski et al. 2019, Degeling et al. 2019, Hu and Sastry 2019, Solomos et al. 2019, Sørensen and Kosta 2019, Urban et al. 2020). It is worth mentioning that our work also confirms theoretical work from the pre-GDPR era (Gopal et al. 2018), in which the authors show that increased privacy concerns decrease the number of third parties to which websites are connected, resulting in higher concentration in the third party industry. Moreover, our work identifies websites with different regulatory exposure to the GDPR based on target audience and geographical location of the organizations behind websites. This lets us provide important evidence on the extraterritorial reach of the EU's regulation. Finally, we find suggestive evidence that the GDPR's goal of data minimization seems to have been reached: Web technology providers that use cookies are requested less following the GDPR, and web technology providers tend to adopt more transparent privacy policies following the GDPR.
We add to a stream of literature linking the enactment of the GDPR to different outcomes. It has been reported that the GDPR had a negative impact on publishers' performance (Lefrere et al. 2019, Aridor et al. 2020, Schmitt et al. 2020, Goldberg et al. 2021) and on European firms' ability to attract investment (Jia et al. 2021). In line with these results, Sharma et al. (2019) found that in stricter privacy regimes, small publishers and small advertisers see their profit decline. Moreover, the GDPR seems to have negatively impacted innovation, because AI startups are reallocating their limited resources to deal with the implications of the GDPR (Bessen et al. 2020). Furthermore, the GDPR has decreased the entry rate of new mobile apps in the market (Janssen et al. 2021). However, some studies find a neutral or even positive effect of the GDPR. Godinho de Matos and Adjerid (2021) show that consumers' opt-in decisions have increased after the GDPR, leading to an increase in sales because of more effective targeted advertising, whereas Zhuo et al. (2021) find that the GDPR had no impact on Internet interconnection. Finally, theoretical work shows that, although the GDPR can increase consumer surplus, it can negatively affect firm profits, especially in competitive markets (Ke and Sudhir 2020).
Our study also contributes and relates to theoretical work on the antitrust implications of the GDPR (Jia et al. 2021, Gal and Aviv 2020, Geradin et al. 2021, Economides and Lianos 2021) and on regulatory competition (Bradford 2012, 2020; Goldfarb and Trefler 2018; Frankenreiter 2022). We show that regulating privacy can affect market structure and competition. In this respect, our paper relates to work suggesting that larger firms can disproportionately benefit from data-enabled learning (Farboodi et al. 2019, Hagiu and Wright 2020) and that privacy regulation can increase market concentration by restricting data flows across firms (Campbell et al. 2015, Acemoglu et al. 2019, Jin and Wagman 2020, Jones and Tonetti 2020). This also speaks to the literature on heterogeneous effects of regulation (Elliehausen and Kurtz 1988, Elliehausen 1998, Dahl et al. 2016).

Web Technologies and Personal Data
Modern websites and web applications tend to be highly modular, and website operators can access a plethora of web technologies provided by third-party vendors. These technologies are usually offered in a software-as-a-service model, making them distinct from the traditional licensing of software libraries or packages that can be installed and run on premise. The fundamental concept is one of outsourcing. Applications running on external hardware are accessed over the Internet and integrated into one's own technology stack. Early discussions on the business implications of the underlying technological concepts ("XML Web Services" and "Application Programming Interfaces") name interoperability and scalability as key characteristics, which at the time added "another dimension to the Web; instead of just person-to-person or person-system, it also handles system-to-system" (Lim and Wen 2003, p. 50). Most importantly for the commercial Internet, these advances enabled the emergence of online advertising as a means to generate website revenues. In general, however, web technologies span a wide variety of functions, serving different technological and business purposes.
First-order choices in the development of websites and web applications include frameworks and libraries, where and how functionality and content are hosted, and the monetization model. 10 These choices are correlated with the categories of third-party web technologies a website would adopt. More generally, the reasons for outsourcing rather than relying on in-house technology have been discussed in the large information technology (IT) outsourcing literature (starting with Loh and Venkatraman 1992), including price and relative cost advantages (Ang and Straub 1998), service quality (Grover et al. 1996), and strategic considerations (Watjatrakul 2005) as drivers and success factors of IT outsourcing.
We focus on web technologies that require real-time interaction across entities. These include technologies that optimize content delivery to a particular user, provide personalized content, help publishers and advertisers understand their audience, and services connecting publishers to advertisers. These interactions can be observed via the HTTP requests that a website makes as content is loaded. Using HTTP requests, websites can display content controlled by other parties, and this content can differ for each request and user. Figure 1 illustrates a stylized example of third-party requests: the page hosted on techcrunch.com makes requests to third-party domains such as google-analytics.com and wordpress.com, embedding content hosted on third-party servers, such as scripts and images.
Over the last 20 years, the web technology service industry has grown by a factor of 50 in terms of the number of distinct services on the market and by a factor of 4 in terms of the median number of distinct services used per website (Lerner et al. 2016). About 88% of the top 1 million most popular websites operate with at least one third-party web technology service, and out of those, the average site requests about nine distinct third-party domains (Libert 2015). The long-run trend of an increasing number of third-party requests can be linked to the increasing modularity and complexity of modern web applications (Cheng et al. 2006, Yoo et al. 2012). At the same time, the web technology industry has become considerably concentrated with the top 20 services covering about a third of the market (Gill et al. 2013, Schelter and Kunegis 2018). Supply-side economies of scale, network effects, and the vertical integration of large vendors into more service categories can reinforce the cost and quality benefits from consolidation (Currie 2000). Furthermore, the broader literature on IT outsourcing suggests that regulation, mostly on IT security and risk management, drives firms to choose larger vendors and bundled service offers for compliance reasons (Willcocks et al. 2010).
The web technology industry is an ideal setting for studying firm responses to privacy regulation. First, historical data on third-party requests of a large number of websites is publicly available and can be matched with meta-information on service categories and privacy policies of vendors. Second, all third-party services called in real-time as a user navigates to the website can be used to collect and share personal data. For example, a service can trace back the IP address from which an HTTP request originated (i.e., the IP address of the user). It can also respond to a request by sending a cookie to be stored on the user's machine, which lets the service recognize the same machine in the future, even if the IP address has changed. The technological possibility, independent of whether specific services actually do collect, process or share personal data, implies compliance risks for website operators interacting with third-party services. We distinguish between third-party requests in general as technologies that could be used to collect, process, and share personal data and third-party requests that respond with cookies. The latter, by definition, collect information that allows identification of a device, and thus (with varying degrees of accuracy; Díaz-Morales 2015) the user of the device.
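The two quantities distinguished above (distinct third-party domains requested, and the subset that respond with a cookie) can be computed from a page-load request log as in the following added example, which is not the authors' code. The record layout, the reduction of hosts to registrable domains, and the tiny suffix set standing in for the Public Suffix List are assumptions; the sample requests are constructed.

```python
"""Count distinct third-party domains, and those that set cookies, for one page load."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (a.b.example.com -> example.com)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # IP literals have no registrable domain; keep them whole
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def third_party_summary(page_url, entries):
    """Return the distinct third-party domains requested and those answering with Set-Cookie."""
    first_party = registrable_domain(urlsplit(page_url).hostname)
    requested, cookie_setting = set(), set()
    for entry in entries:
        host = urlsplit(entry["url"]).hostname
        if host is None:  # data: URIs and similar carry no host
            continue
        domain = registrable_domain(host)
        if domain == first_party:  # subdomains of the page's own domain are first-party
            continue
        requested.add(domain)
        # Header names are case-insensitive (HTTP/2 sends them in lower case).
        if any(name.lower() == "set-cookie" for name, _ in entry["response_headers"]):
            cookie_setting.add(domain)
    return {
        "third_party_domains": sorted(requested),
        "cookie_domains": sorted(cookie_setting),
    }


# Constructed sample of one page load (hypothetical URLs and headers).
SAMPLE_PAGE = "https://techcrunch.com/"
SAMPLE_ENTRIES = [
    {"url": "https://techcrunch.com/", "response_headers": [("Set-Cookie", "sid=1")]},
    {"url": "https://cdn.techcrunch.com/app.js", "response_headers": []},
    {"url": "https://www.google-analytics.com/analytics.js", "response_headers": []},
    {"url": "https://ssl.google-analytics.com/collect?v=1", "response_headers": []},
    {"url": "https://stats.wordpress.com/pixel.gif", "response_headers": []},
    {"url": "https://ad.doubleclick.net/ad.js",
     "response_headers": [("set-cookie", "id=abc; Domain=.doubleclick.net")]},
    {"url": "data:image/gif;base64,R0lGODlhAQABAAAAACw=", "response_headers": []},
]

if __name__ == "__main__":
    print(third_party_summary(SAMPLE_PAGE, SAMPLE_ENTRIES))
```
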

Data
We combine various public and proprietary data sources to study the behavior of websites, web technology providers, and consumers before and after the GDPR became effective. Table 2 provides an overview. We describe the data sources' content and some key descriptive statistics here. 11

4.1.1. Main Data Set: HTTPArchive.
Our main data set contains historical information about websites' HTTP requests to third parties. The documentation project HTTPArchive periodically crawls the homepages of about half a million hosts. We mostly use data from May 2017 to November 2018, with a longer pre-GDPR period as a robustness check. With a few exceptions, these data are available on a biweekly basis, stemming from a crawl at the beginning and in the middle of the month. 12 The length of our panel lets us capture preexisting trends and study longer-run dynamics. The level of observation is a "website-host," for example, subdomain.domain.com, mostly of the form www.domain.com. 13 We construct a balanced sample of hosts present throughout our study period, resulting in 110,706 hosts over 33 points in time (21 data points before the introduction of the GDPR and 12 data points after), resulting in 3,653,298 observations in total. 14 We collect information about the total number of requests to third-party domains (mean, 15.6), 15 the identity of these domains, and the number of domains that respond to a request by sending a cookie (mean, 6.7). There is substantial variation in these numbers across websites with (non)EU audiences and (non)EU locations and over time, in particular before and after the GDPR came into force.

2022, vol. 41, no. 4, pp. 318-340, © 2022 The Author(s)

Website Location.
Although our level of analysis is at the website host, the location information can only be measured at the domain level. Hence, we make the assumption that the company/owner behind subdomain1.domain.com is identical to the company/owner behind subdomain2.domain.com.

4.1.2.1. Crunchbase.
We obtain data from Crunchbase to access information about the physical location of the headquarters of the company behind the website domain we observe in the HTTPArchive. We link HTTPArchive to Crunchbase based on the company website listed on a Crunchbase profile. We observe country information from Crunchbase for 34,950 (31.6%) websites.

WHOIS.
We further obtain information about the owner of the website through WHOIS requests in the domain registry database. Using the proprietary service whoisxmlapi.com, we can identify the country of the domain registrant for 94,919 (85.7%) websites in our sample. 16

4.1.3. Website Audience.
4.1.3.1. Country-Specific Top-Level Domains.
We primarily infer whether a website-host caters to an EU audience via the country-specific top-level domain (TLD). EU-specific TLDs include the country-specific domains of the EU member states, as well as .eu.

EU-Specific Languages.
An alternative way to infer website audience is to extract metainformation from the website, notably its language and thus its likely target audience. We use HTTPArchive to determine whether websites use one of the 23 official languages in the EU (excluding English).

4.1.3.3. Country-Specific Traffic.
We add information on country-specific demand from Alexa. Specifically, we obtain the rank by country (based on page views, as of October 2019), if available, for every country in the world. These data are incomplete, but we can add this information for 42,764 websites. We define a website as catering to an EU audience if it appears in Alexa's ranking in at least one EU country. The country-specific Alexa ranks cover a wide range of the popularity distribution. Websites in our baseline sample have an average minimum rank of one and an average maximum rank of 37,530 in the per-country popularity lists. Regarding the global ranking, all the websites included in the sample, except 99 websites, are part of Alexa's top one million list, with the median ranking being 158,774.

4.1.4. Definition of Territorial Scope of the GDPR.
We apply any of the previous criteria to define the four different cases of Table 1. Regarding website location, a website is an EU website (i) if its headquarters are in the EU (Crunchbase data) or (ii) if the country of the domain registrant is an EU country (WHOIS data). Regarding the audience location, a website serves an EU audience (i) if the TLD of the website is an EU-specific top-level domain or (ii) if the website uses 1 of the 23 official languages of the EU (excluding English) or (iii) if the website has traffic from at least one EU country (Alexa data). After applying this definition, we end up with 19.4% of our sample of websites belonging to Case 1 of Table 1, 11.7% to Case 2, 6.8% to Case 3, and finally 61.9% to Case 4. In Table 3, we provide summary statistics regarding the third-party requests and  Hosting, and Extensions). We use all of these categories for our analysis of the extent of services (Section 5.3.2) and focus only on the five categories Audio/Video Player, Advertising, Analytics, CDN, and Other that are most important in terms of market share for Google in our sample. We define Other to include the categories Misc and Hosting from the original whotracks.me classification. The results reported below are robust to variations of these definitions.

4.1.5.2. Mapping Third-Party Domains to Companies.
whotracks.me also gives information about the companies behind the third-party domains we observe in HTTPArchive. We only have this information for 1,890 domains and assume that all domains that we cannot link to a particular company are independent companies. The average number of websites served by third-party domains that we cannot link to a company is 8.4, whereas the average number of websites served by third-party domains that we can link to a company is 1,247.9.

4.1.5.3. Privacy Policies.
Finally, we have snapshots of Evidon's industry directory that provides information on privacy policies, in particular, whether a web technology provider discloses in its privacy policy whether it collects and shares data with third parties. In these data, we can distinguish between anonymous, pseudonymous, aggregate, personally identifiable, and sensitive (relating to personal financial or health information) data.

Econometric Model
The empirical setting of the GDPR makes it challenging to find a valid control group to establish a counterfactual. However, we believe it is possible to treat the introduction of GDPR as an exogenous shock (see Section A.2 in the online appendix for a more detailed discussion). Although the lack of a clear counterfactual makes it difficult to make strong causal claims, we set up a model allowing us to document the changes that narrowly coincide with the timing of the introduction of the GDPR. Hence, after ruling out a few alternative explanations, such as changes in the industry because of tracking prevention technology and privacy scandals, we conclude that unobserved factors that correlate closely with the timing of the introduction of the GDPR are likely negligible. Hence, it seems reasonable to expect that, at least in the short run, our estimates closely resemble the causal effect of the GDPR. Our baseline specification is as follows: where $D_{it}$ is the number of third-party domains that website $i$ requests at time $t$. In other specifications, we also look at the subset of third-party domains that respond with at least one cookie. $\text{Post}_t$ indicates the period after the GDPR came into force on May 25, 2018. We include group- and time period-specific linear time trends and website fixed effects $\mu_i$. The error term $\varepsilon_{it}$ has the standard assumptions, and we report estimates clustered at the website level. This model lets us carry out a before/after comparison within the four groups of websites in Table 1. In particular, we are interested in estimating a discontinuity around the introduction of the GDPR. That is, we are more interested in estimating the $\delta$ parameters than the $\beta$ or $\gamma$ parameters in Equation (1). Estimating the model on the subsample of websites located in the EU, $\delta_1$ gives an estimate of the change in $D_{it}$ for websites located in the EU and catering to EU audiences (Case 1 in Table 1), whereas $\delta_2$ is the estimate of the change in $D_{it}$ for websites located in the EU and catering to non-EU audiences (Case 2 in Table 1). Estimating Equation (1) on the subsample of websites not located in the EU, $\delta_1$ and $\delta_2$ are the respective estimates of the change in $D_{it}$ for Cases 3 and 4 in Table 1.

Findings
We structure our findings along three dimensions: First, we document the changes in the use of web technologies by websites in the different cases outlined in Table 1 in Section 5.1. This lets us assess to what extent GDPR compliance is limited by territorial considerations of websites and users. Second, in Section 5.2, we switch perspectives to focus on web technology providers and the extent to which demand for their services changes following the GDPR. Third, we look at the changes in the structure of the web technology market to see whether some web technology vendors were able to improve their position following the GDPR (Section 5.3).

Changes Within and Beyond the Territorial Scope of the GDPR
Any type of web technology that we can observe in our data can potentially be a tracking technology. When sending an HTTP request, websites are communicating with third-party servers. This communication can, as a technical principle, entail data, such as details of a user's device (screen resolution, browser version, operating system, etc.), but also personal data such as names, email addresses, and credit card details. Hence, when websites make fewer requests to third-party servers, this potentially enhances user privacy. Third-party requests that respond with cookies are by definition carrying personal data, because cookies are designed to identify the same user again by the same website or technology vendor at a different point in time. We therefore distinguish between requests to third-party domains overall and those to third-party domains that respond with at least one cookie. Although the former capture web technologies that could be and are used for collecting any kind of data, the latter reflect the de facto industry standard for collecting personal data online.

Notes. Average log(y + 1) number of third-party domains to which websites with (non)EU audiences and (non)EU location send requests. As described in Section 2.1, the GDPR applies in all cases except non-EU/non-EU. Vertical line indicates the implementation of the GDPR on May 25, 2018. The vertical axis has a different scale in each panel. The purpose of this figure is to visualize the immediate changes (intercept) and changes in slopes after the GDPR for each case independently and not to compare differences in these changes across cases. Having a common scale would allow comparing the magnitudes of the changes after the GDPR across cases. This is what we do with the regression model in Equation (1) and Table 4.
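The two outcome measures distinguished above (third-party domains requested, and the subset that respond with at least one cookie) can be computed for a single page load as in this added example, which is not the authors' code. It assumes that "third party" means a different registrable domain than the page's, uses a three-entry stand-in for the Public Suffix List, and runs on constructed request records.

```python
import ipaddress
import math
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# measurement would load the full list instead of these three entries).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # IP literals have no suffix; keep them whole
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def third_party_summary(page_url, requests):
    """Summarise one page load.

    requests: iterable of (url, response_headers), where response_headers
    is a list of (name, value) pairs from the HTTP response.
    """
    first_party = registrable_domain(urlsplit(page_url).hostname)
    all_domains, cookie_domains = set(), set()
    for url, response_headers in requests:
        host = urlsplit(url).hostname
        if not host:  # data:, blob: and about: URLs contact no server
            continue
        domain = registrable_domain(host)
        if domain == first_party:  # subdomains of the site are first party
            continue
        all_domains.add(domain)
        # Header names are case-insensitive; one Set-Cookie is enough.
        if any(name.lower() == "set-cookie" for name, _ in response_headers):
            cookie_domains.add(domain)
    return {
        "domains": sorted(all_domains),
        "cookie_domains": sorted(cookie_domains),
        # log(y + 1), the transformation used in the figure notes
        "log_domains": math.log1p(len(all_domains)),
        "log_cookie_domains": math.log1p(len(cookie_domains)),
    }


# Constructed sample crawl of one page (reserved example domains only).
SAMPLE_PAGE = "https://shop.example.co.uk/"
SAMPLE_REQUESTS = [
    ("https://static.shop.example.co.uk/app.js", []),
    ("https://cdn.example.net/lib.js", [("Content-Type", "text/javascript")]),
    ("https://img.cdn.example.net/a.png", []),
    ("https://ads.tracker.example.org/pixel",
     [("Set-Cookie", "uid=abc123; Max-Age=31536000")]),
    ("https://metrics.example.com/collect", [("set-cookie", "sid=xyz")]),
    ("https://192.0.2.10/beacon", []),
    ("data:image/gif;base64,R0lGODlhAQABAAAAACw=", []),
]

if __name__ == "__main__":
    print(third_party_summary(SAMPLE_PAGE, SAMPLE_REQUESTS))
```

Run against a site's own crawl data, the difference between the two lists shows which third parties receive requests without setting an identifier and which ones can re-identify the visitor.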

Web Technologies in General Are Used Less. A plot of the raw data in Figure 2 shows that the average (log) number of third-party domains to which websites send requests follows an increasing trend interrupted at the time of the introduction of the GDPR. A reduction directly after the GDPR comes into force is clearly visible. However, the general trend seems largely unchanged. Thus, after the GDPR was enacted, websites did not decrease their third-party domain requests on a long-term basis. Rather, third-party requests are almost immediately back to their pre-GDPR trajectory.
Furthermore, Figure 2 suggests that the described changes happen in all cases, even in the case of non-EU audiences and a non-EU location, where the GDPR does not apply de jure. Looking at the post-GDPR trend, for websites outside of the EU (right column of Figure 2), the return to pre-GDPR levels is faster. At the end of our observation period in mid-November 2018, the number of requested third-party domains is either back to the level just before the GDPR came into force (Case 3) or has increased far beyond that level (Case 4, Brussels effect). Visual inspection of the four panels also shows that the magnitude of the immediate change after the GDPR is largest in the standard case (Case 1), and smallest, yet still quite prominent, in Case 4.
As noted previously, however, using the regression model specified in Equation (1), we put full focus on quantifying the immediate changes after the introduction of the GDPR and neither interpret nor report estimates of trend changes. Using website fixed effects lets us control for time-invariant unobserved heterogeneity. Furthermore, because the model includes separate linear time trends for the pre- and post-GDPR periods, we can estimate the change in the intercept. That is, we can effectively compare the number of requested third-party domains just before and after the GDPR.
The different magnitudes of the immediate changes after the GDPR across the different cases are also evident in Figure 3. However, it is striking that the increasing trend in the pre-GDPR period does not continue after the sudden and immediate drop. This is in sharp contrast to the overall number of requested third-party domains in Figure 2. This suggests that, after the GDPR went into force, a new state is reached in which fewer third-party cookies are used. The patterns are similar across the three cases in which the GDPR legally applies. However, the bottom right panel of Figure 3 implies that websites located outside the EU that are catering to a non-EU audience return to the levels directly before the GDPR, at least until October 2018.
We now discuss some alternative explanations for these findings. The apparent structural change after October 2018, with a further reduction in the number of requested domains that send at least one cookie, is visible in all four panels of Figure 3. Although it is difficult to pin down the underlying causal mechanism, one might speculate that it could be related to strategic behavior in response to (self-)regulatory pressure. On September 17, 2018, Apple released Safari 12, which included its Intelligent Tracking Prevention technology (ITP 2.0) that effectively bans third-party cross-site tracking cookies.18 Similarly, Firefox released a new version of their browser on October 28, 2018, that blocked third-party cookies by default.19 The way HTTPArchive collects data on third-party requests and cookies does not rely on the technologies of Safari or Firefox; hence, the drop we observe cannot purely be a measurement issue. Rather, it suggests that there was a strategic reaction of websites and/or technology vendors.20

Notes. Average log(y + 1) number of third-party domains to which websites with (non)EU audiences and (non)EU location send requests and that respond with cookies. The GDPR applies in all cases except non-EU/non-EU. Vertical line indicates the implementation of the GDPR on May 25, 2018. The vertical axis has a different scale in each panel. The purpose of this figure is to visualize the immediate changes (intercept) and changes in slopes after the GDPR for each case independently and not to compare differences in these changes across cases. Having a common scale would allow comparing the magnitudes of the changes after the GDPR across cases. This is what we do with the regression model in Equation (1) and Table 4.

Although the GDPR was a major policy change with direct implications for the nearly 450 million inhabitants of the EU and beyond, there might be other events that coincide with the timing of its introduction. In particular, one might be worried that Facebook's major privacy scandal ("Cambridge Analytica") could affect our results. The public became aware of the Cambridge Analytica case with the revelations in a news article published on March 17, 2018. In Figure 4, we compare requests to Facebook-owned and non-Facebook third-party domains. Although requests to Facebook seem to decrease in all markets (except in Case 4 in Table 1) immediately after the Cambridge Analytica revelations, they decrease much more heavily in all markets directly after the GDPR. Even if our data and research design do not allow us to make strong causal claims, we are therefore confident that our results concerning Facebook are not entirely driven by the Cambridge Analytica scandal.

5.1.3. Mostly Less Popular Websites Change Operations After the GDPR. The results reported so far mask an important source of heterogeneity. As we show in Table 5, it is mostly less popular websites that change operations after the GDPR. We measure website popularity by its global Alexa rank, which is based on overall traffic.21 We distinguish between the most popular websites (in the top 1000 most popular websites, which includes 599 websites in our sample) and lower ranked websites. The results in Table 5 indicate that the change after the GDPR that we document in the main text, both in terms of the number of requested third-party domains as well as the number of third-party domains that respond with cookies, mostly comes from lower ranked websites. The triple interaction of post-introduction, audience type, and website popularity is either very close to zero, imprecisely estimated, or even significantly positive. In Section A.1.1 of the online appendix and in Table A.3, we show that a weighted regression leads to the same conclusion. This is consistent with the notion that small and new firms are disproportionately affected by privacy regulation (Campbell et al. 2015). We discuss the implications of this finding in more detail.
Similarly, as we discuss in more detail in Section A.1.1 of the online appendix, we also find that general-audience websites reduce their requests to third-party domains (and cookies) more than specific websites after the GDPR. This is in line with prior research on privacy regulation and effects on online advertising (Goldfarb and Tucker 2011).

Changes in the Collection of Personal Data
We now switch perspectives to focus on web technology vendors and investigate whether the web technology market has changed after the introduction of the GDPR. We are interested in whether the changes we have observed and quantified so far are especially pronounced among vendors that should be affected strongly by GDPR: vendors disclosing that they collect and share personal data. We use detailed information on the data collection and sharing policies of 3,993 technology vendors via an industry database by Evidon. We first ask whether the number of requests websites send to a particular vendor changes at different rates after the GDPR depending on the vendor disclosing in their privacy policy that they collect or share personal data with third parties. To do this, we use information on privacy policies from September 2017, that is, before the GDPR. The results in column (1) of Table 6 show that firms that have indicated that they collect personal data prior to the GDPR receive about 6% fewer requests after the GDPR. This holds true when we additionally control for whether a firm discloses that they share personal data with third parties in column (2). There is no significant difference between firms that disclose sharing of personal data and those that do not. Finally, in column (3), we add the interaction between collection and sharing of personal data. This would capture firms disclosing that they do both. Again, there is no significant difference. Hence, we conclude that the reduction in requests we identified in our main results seems to come mostly from firms that disclose that they collect personal data.
An additional set of analyses on the dynamic changes in vendors' privacy policies is reported in the online appendix in Section A.1.2. Specifically, we find that vendors are more likely to disclose the collection and sharing of personal data, as well as a data retention policy after the GDPR went into effect. These results imply that the vendors change their approach to privacy rather than the previous results being driven by a change in the composition of firms.

Changes in the Competitive Landscape of Web Technologies
We now investigate changes in the market structure of web technology vendors. The results thus far suggest that websites reduce their interactions with third-party vendors after the introduction of the GDPR. Here we ask whether these changes are universal or whether some vendors are affected more or less strongly by websites' apparent reactions to the introduction of the GDPR. We do this because the related theoretical literature suggests that privacy protection can affect firms of different sizes differently, which can have implications for market structure (Campbell et al. 2015, Gopal et al. 2018). We start with an aggregate view, then look closer at firm-level measures of market power. In doing so, we will pay special attention to comparing the dominant firm to the rest of the market.

Changes in Overall Market Structure. We investigate whether the market structure in web technology markets has changed after the introduction of the GDPR. Using metadata from whotracks.me, we can observe the ownership structure of third-party domains. For example, Google operates a variety of different domains, including less obvious domains such as doubleclick.net, invitemedia.com, and 2mdn.net.
We measure market structure using the Herfindahl-Hirschman index (HHI, the sum of squared market shares of all firms). We define the market share of a firm based on the sum of market shares for each third-party domain of that firm, that is, $s_i = \sum_{j=1}^{J} \left( n_{i,j} / \sum_{k=1}^{N} n_{k,j} \right)$, where $n_{i,j}$ is the number of websites that send requests to third-party domain $j$ of web technology firm $i$, $N$ is the total number of third-party domains to which at least one website sends one request, and $J$ is the number of third-party domains of firm $i$. Our definition throughout the rest of the paper does not make a distinction between websites according to their audience or firm location as defined in Table 1. In light of the results presented in Section 5.1 showing that firms change their interactions with third-party vendors globally, we believe that a market structure analysis should be carried out at a global level rather than at the level of the legal applicability of the GDPR.22

With the caveat of a very small sample because of the high level of aggregation, we run a regression to investigate whether the HHI has changed after the introduction of the GDPR while controlling for an overall trend. In column (1) of Table 7, we find that HHI has increased by 16.0 points from a base of 950.8, which amounts to 1.68%. In column (2) of Table 7, we look at the hypothetical market structure without the firm with the largest market share (Google). Google's dominance becomes apparent when comparing the average pre-GDPR HHI when we include Google (950.8) relative to average pre-GDPR HHI when we exclude Google (70.1). In a hypothetical market without Google, the estimates are negative but imprecise.

Notes. Dependent variable is HHI, calculated as squared sum of market shares defined as $s_i = \sum_{j=1}^{J} \left( n_{i,j} / \sum_{k=1}^{N} n_{k,j} \right)$, where $n_{i,j}$ is the number of websites that send requests to third-party domain $j$ of web technology firm $i$, $N$ is the total number of third-party domains to which at least one website sends one request, and $J$ is the number of third-party domains of firm $i$. Post indicates the period after May 25, 2018. Separate linear time trend for before/after the GDPR. White-robust standard errors in parentheses.
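The market-share and HHI definitions above, worked on two constructed snapshots in which every vendor loses websites but the largest loses proportionally less; this is an added example, not the authors' code. It assumes the denominator is the total number of website-to-domain links over all observed third-party domains and that shares enter the HHI in percent; `AdCo`, the `*.example` names and all counts are made up, while the three Google domains are the ones the page names.

```python
from collections import defaultdict

# Ownership map: the Google domains are those named on the page;
# "AdCo" and every *.example domain are constructed for illustration.
DOMAIN_OWNER = {
    "doubleclick.net": "Google",
    "2mdn.net": "Google",
    "invitemedia.com": "Google",
    "adnet.example": "AdCo",
}


def sites_per_domain(observations):
    """Map each third-party domain to the set of websites requesting it."""
    sites = defaultdict(set)
    for website, domain in observations:
        sites[domain].add(website)
    return sites


def firm_shares(observations, owner=DOMAIN_OWNER):
    """Return (links served per firm, market share per firm in percent)."""
    sites = sites_per_domain(observations)
    total_links = sum(len(s) for s in sites.values())
    if total_links == 0:
        return {}, {}
    served = defaultdict(int)
    for domain, requesting in sites.items():
        # Domains without a known owner count as independent companies,
        # the assumption the page makes for unmapped domains.
        served[owner.get(domain, domain)] += len(requesting)
    shares = {firm: 100.0 * n / total_links for firm, n in served.items()}
    return dict(served), shares


def hhi(shares):
    """Herfindahl-Hirschman index on percent shares (range 0 to 10,000)."""
    return sum(s * s for s in shares.values())


def compare(before, after):
    """Per-firm change in links served (%) and in share (pct. points)."""
    served_b, share_b = firm_shares(before)
    served_a, share_a = firm_shares(after)
    rows = {}
    for firm, n_before in served_b.items():
        rows[firm] = {
            "served_change_pct":
                100.0 * (served_a.get(firm, 0) - n_before) / n_before,
            "share_change_pp": share_a.get(firm, 0.0) - share_b[firm],
        }
    return rows, hhi(share_b), hhi(share_a)


def snapshot(counts):
    """Constructed crawl: expand {domain: n websites} into (site, domain)."""
    return [(f"site{k}.example", d) for d, n in counts.items()
            for k in range(n)]


# Constructed snapshots: Google's links fall 5%, the others' fall 20%.
BEFORE = snapshot({"doubleclick.net": 40, "2mdn.net": 20,
                   "adnet.example": 30, "metrics.example": 10})
AFTER = snapshot({"doubleclick.net": 38, "2mdn.net": 19,
                  "adnet.example": 24, "metrics.example": 8})

if __name__ == "__main__":
    rows, hhi_before, hhi_after = compare(BEFORE, AFTER)
    for firm, row in rows.items():
        print(firm, row)
    print("HHI before:", round(hhi_before, 1), "after:", round(hhi_after, 1))
```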

5.3.2. A Closer Look at Google. Having established that Google is the dominant firm in the market and that changes in aggregate market concentration largely depend on Google, we now look at more granular data. We compare the changes in the market share of Google to changes in the market shares of all other firms. The definition of market share remains as described previously.

Google Is the Biggest Winner in Terms of Market Share. These results indicate that dominant firms in web technology markets play a special role and suggest that Google's market shares have changed in a different way than the market shares of other firms. To provide a more detailed picture, we give a disaggregated descriptive view of market shares. Figure 5 plots the evolution of market shares of the five firms with the largest increases ("winners") and of the five firms with the largest decreases ("losers"), relative to their market share level just before the introduction of the GDPR. The biggest winner is Google, and it is worth noting that among the winners there are three services that specialize in data security and consent for data collection, processing, and sharing (Consenu, Digicert Trust, and Cloudflare). The list of losers includes some of Google's competitors in the advertising market (Adtech, Appnexus, Brightroll, Liveramp).

Google Serves Less Websites Overall but Increases Its Market Share. Although the previous illustration of the five largest firms is insightful, it can mask heterogeneity in the tails of the size distribution. We therefore dig deeper and compare Google to all other vendors in a regression setup.
First, and to provide further detail on how Google's market share increased after the introduction of the GDPR, we look at the numerator in the definition of market share. We run a regression comparing Google to all other vendors. We look at the number of websites served by a web technology vendor as well as its market share while controlling for group-specific time trends and firm-specific unobserved heterogeneity. Column (1) of Table 8 shows that the total number of websites that send requests to all Google services combined decreases by about 2.4% after the introduction of the GDPR. This refers to a pre-GDPR log number of websites of 13.14 (or 508,896 websites, equivalent to the average website in our sample sending about 4.6 requests to Google services). For the average non-Google firm, we do not find a significant change after the introduction of the GDPR. Looking at the pre-GDPR mean for non-Google vendors (0.61 in logs, i.e., 1.8 websites), Google's strong market position becomes evident. Looking at market shares in column (2) of Table 8, we find a significant increase of Google services, suggesting that Google's market share across all its services increased by about 0.3 percentage points from a base of 29.7% before GDPR. The market share of the average non-Google firm (again across all the firm's services) does not change significantly after GDPR. Again, Google's strong market position becomes clear when looking at the pre-GDPR market share of 0.001% of the average non-Google firm. A likely explanation for the results in Table 8 is that, although most firms received fewer third-party requests after the GDPR became effective, some firms, and most strikingly Google, lose relatively less such that their market shares increase after the GDPR.

Notes. Market share is defined as $s_i = \sum_{j=1}^{J} \left( n_{i,j} / \sum_{k=1}^{N} n_{k,j} \right)$, where $n_{i,j}$ is the number of websites that send requests to third-party domain $j$ of web technology firm $i$, $N$ is the total number of third-party domains to which at least one website sends one request, and $J$ is the number of third-party domains of firm $i$. Post indicates the period after May 25, 2018. Google indicates the joint levels/market share of all domains of Google. Non-Google indicates the average levels/market share of all other firms. All specifications include firm fixed effects and separate linear time trends. Standard errors in parentheses clustered on the firm-level.

Figure 5. Winners and Losers
Notes. Top five firms with largest increase/decrease in market share at the end of our sample period compared with one snapshot before the implementation of GDPR on May 25, 2018. Market share is defined as $s_i = \sum_{j=1}^{J} \left( n_{i,j} / \sum_{k=1}^{N} n_{k,j} \right)$, where $n_{i,j}$ is the number of websites that send requests to third-party domain $j$ of web technology firm $i$, $N$ is the total number of third-party domains to which at least one website sends one request, and $J$ is the number of third-party domains of firm $i$.

Published in Marketing Science on February 15, 2022 as DOI: 10.1287/mksc.2021.1339. This article has not been copyedited or formatted. The final version may differ from this version.

5.2.2.3. Changes Are Most Pronounced in Google's Key Markets. Google is one of few web technology vendors in our sample that operate in multiple submarkets, that is, offer services across different categories. Some of these services may be less or more strongly affected by the introduction of the GDPR, for example, because they (do not) involve personal data.
To further explore the special role of Google after the GDPR, we therefore differentiate between submarkets in which Google is active. Using data from whotracks.me, we classify third-party domains in the five categories of Video/Audio Players, Advertising, Analytics, CDN/API, and Other/Unknown services. We accordingly change our definition of market share to the category-level. Hence, $s_{i,c} = \sum_{j=1}^{J_c} \left( n_{i,c,j} / \sum_{k=1}^{N_c} n_{k,c,j} \right)$, where $n_{i,c,j}$ is the number of websites that send requests to third-party domain $j$ in category $c$ of web technology firm $i$, $N_c$ is the total number of third-party domains in category $c$ to which at least one website sends one request, and $J_c$ is the number of third-party domains in category $c$ of firm $i$.
In Table 9, we look at changes in the log(y + 1) number of websites that send requests to Google-owned and non-Google services, distinguishing between different service categories. Again, note the large difference in pre-GDPR means. Google's web technologies are, on average, requested by thousands of websites, whereas average non-Google web technologies are requested by fewer than 10 websites. Google's largest market is Analytics: the pre-GDPR mean is about 212,011, indicating that many of the 110,706 websites in our sample send more than one request to Google's domains in that category. Put differently, the websites in our sample send about 1.9 requests on average to Google's analytics services. Looking at the changes after the GDPR, we see that the number of websites requesting Google services decreases in all categories except Other/Unknown by between 1.3% and 4.1%. We also see significant decreases in Advertising, Analytics, and CDN/API for non-Google services, ranging between 2.7% and 4.9%. The point estimates of Google's decrease in the number of websites served are smaller than the decrease of non-Google services in the Advertising, Analytics and Other/Unknown categories, but much larger in Video/Audio Players and CDN/API. These results suggest that, although the pie is shrinking for everybody, some firms walk away with relatively larger pieces.
Finally, we look at market share changes in Table 10. Again, we distinguish between Google and non-Google services and look separately at the same five categories. We only see significant changes in the market shares of Google, and not of other firms. In Video/Audio Players, Google's market share decreases by about 1.1 percentage points from a pre-GDPR mean of about 75.8% and in CDN/API by about 0.4 percentage points from a mean of about 70.6%. However, in Advertising, Google's market share increases by about 0.4% from a pre-GDPR base of about 27.1%. In the Analytics category, we observe an increase in Google's market share of 1.4 percentage points from a base of 39%, and our results suggest that Google's market share increased by about 0.03 percentage points in the Other/Unknown category from a base of 1.2%. Hence, Google's market position has improved after the GDPR, considering that the overall market has shrunk. This is especially the case in the categories of Advertising and Analytics, technologies that collect, process, and sometimes share personal data.
The analyses in Tables 9 and 10 may be driven by a large tail of third-party domains that receive only a small number of requests from the websites in our sample. In the online appendix (Tables A.11 and A.12), we show that the results are robust to removing all third-party domains that receive fewer than 50 requests in a given time period.

Limitations and Robustness
Given the institutional setting of the GDPR, it is difficult to establish causal estimates. We discuss this limitation here. Conditional on the issue of causality, however, our results are robust to alternative variable definitions and a more flexible approach to modeling the dynamics of third-party requests. For details, see Section A.2 of the online appendix.

Peukert et al.: Regulatory Spillovers and Data Governance: Evidence from the GDPR. Marketing Science, 2022, vol. 41, no. 4, pp. 318-340, © 2022 The Author(s)

5.4.1. Definitions and Measures. Our point estimates of the changes after the introduction of the GDPR appear conservative compared with a large number of alternative ways of measuring the target audience of websites and/or the geographical location of the organization that operates them. We describe these alternative definitions and measures in Section A.2.1 of the online appendix. Our baseline results are either statistically not distinguishable or more conservative than the results obtained in 44 other specifications. Most importantly, in all 96 models we estimate, we always find a significant decrease in the number of requested third-party domains or the number of requested third-party domains that respond with cookies. Our results also hold for websites targeting multiple international audiences.

5.4.2. Alternative Data Source for Third-Party Requests. A potential limitation of HTTPArchive is that the servers that crawl websites to collect their interactions with third-party domains are physically located in California. If websites used different tracking technology depending on user location, we might mismeasure the changes after the introduction of the GDPR. In Section A.2.2 of the online appendix, we show that our results hold when using a different data source that does not rely on one specific user location. Using data on third-party requests collected through a browser plugin (whotracks.me), and therefore recording the third-party requests of a website as the user navigates to it, we can differentiate between users in the US and users in the EU (Table A.10). This data set has its own shortcomings, but we arrive at the same baseline conclusion: Websites visited by users both inside and outside the EU reduce the number of interactions with third-party web technology providers after the introduction of the GDPR.

Alternative Functional Form for Modeling Dynamics. The specification in Equation (1) assumes that the dynamics of third-party requests can be linearly approximated. As we show in the online appendix in Section A.2.3, we obtain similar results when we allow for a more flexible functional form for the dynamics. In particular, comparing just the last observation of the before period (May 1, 2018) to the first observation of the after period (June 1, 2018) in what resembles a regression-discontinuity-in-time design, we obtain qualitatively similar estimates of the immediate change after the GDPR as in the baseline specification reported in Table 4.

Notes. Dependent variable is market share defined as $s_{i,c} = \sum_{j=1}^{J_c} \left( n_{i,c,j} / \sum_{k=1}^{N_c} n_{k,c,j} \right)$, where $n_{i,c,j}$ is the number of websites that send requests to third-party domain $j$ in category $c$ of web technology firm $i$, $N_c$ is the total number of third-party domains in category $c$ to which at least one website sends one request, and $J_c$ is the number of third-party domains in category $c$ of firm $i$. Post indicates the period after May 25, 2018. Google indicates the joint levels/market share of all domains of Google. Non-Google indicates the average levels/market share of all other firms. All specifications include firm fixed effects and separate linear time trends. Standard errors clustered on the firm-level in parentheses.
Although the GDPR was a major policy change with direct implications for the nearly 450 million inhabitants of the EU and beyond, we are careful about making causal claims in our empirical analysis as other events may have coincided with the timing of the GDPR coming into force. As we show in the online appendix in Section A.2.4, we do not see significant changes in the interactions with third-party web technology providers when we focus on online piracy websites that operate in a legal gray area and should therefore not be bound by the introduction of the GDPR. Furthermore, we show that websites had not already initiated significant changes in their interactions with third-party web technology providers when the Council of the European Union and the European Parliament adopted the GDPR in April 2016.

Discussion
We now discuss how our findings from Section 5 relate to the institutional features of the GDPR laid out in Section 2.

Privacy Law and Dynamic Compliance Risks
We find that websites reduce their connections to web technology providers after the GDPR went into force, and that this reduction was particularly pronounced regarding requests involving cookies, which typically process personal data (see Section 5.1). These findings can be explained by the increasingly complex compliance landscape websites have to navigate after the GDPR. Given the risks created by the GDPR's joint responsibility regime (see Section 2.2), if websites cannot accurately assess the privacy risks originating from their web technology provider, the best way to reduce liability exposure is to reduce their use of web technology providers. We see that third-party web technology providers collecting personal data receive fewer requests after the enactment of the GDPR (see Section 5.2). We also find a persistent reduction in third-party domain requests involving cookies (see Section 5.1.2). Given that third-party cookies typically include personal data at least by identifying a browser and a device, this outcome aligns with one of the primary goals of the European legislator when creating the GDPR: to increase the protection of individuals' privacy while maintaining the benefits of data processing, for example, by implementing a data minimization principle (Art. 5(1)(c), 25(1) and Recitals 78, 156 GDPR).

Privacy Law and Regulatory Competition
As described in Section 5.1, we observe that, at least temporarily, even websites located outside the EU and catering to a non-EU audience reduce their use of third-party web technology providers, especially cookies, after the GDPR. At first sight, it is counterintuitive for websites not legally bound by the GDPR to conform to its rules (Table 1). However, considering the broad territorial application of the GDPR (see Section 2.1), this de facto compliance is understandable for three reasons. First, under general principles of international public law, the EU cannot regulate the processing of personal data that takes place outside of and is not related to the EU. Yet, the EU has expanded the de facto territorial reach of European privacy laws well beyond the geographical boundaries of the EU. As complying with the GDPR is costly, some global technology companies simply apply the GDPR to all their consumers worldwide, even though the GDPR does not require them to do so. These companies save costs by not having to offer two versions of their products and services (for users inside and outside the EU).23 A second rationale for global adoption of the GDPR by websites can be that the GDPR has served as a role model for other countries to follow suit (Bradford 2020, p. 143-144). By adopting GDPR-compliant rules for all their consumers worldwide, firms may preempt the anticipated adoption of GDPR-like regimes in countries outside the EU. Third, non-EU websites that consider entering the EU market may decide to adopt EU rules right away: To realize the option value of being able to serve EU customers at some point in the future, a website may decide to comply with GDPR ex ante, rather than incurring the cost of creating and maintaining multiple versions of the website, one GDPR-compliant version for EU customers and one for the rest of the world (Frankenreiter 2022).
The literature on international regulatory competition has developed a general theory that the EU has de facto expanded some of its strict regulatory laws beyond its borders through a combination of market mechanisms and unilateral regulatory globalization. European privacy law is one example of the Brussels effect, according to Bradford (2012, 2020), in addition to European antitrust, consumer health, and environmental law (Goldsmith and Wu 2006, Schwartz 2019).
Our study provides the first large-scale empirical evidence of this argument in European privacy law.24 The EU is not the only jurisdiction whose privacy laws may have extraterritorial reach (Rustad and Koenig 2019, Bygrave 2021). The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, and incorporates several GDPR concepts such as the rights of access, portability, and data deletion, applies to all for-profit entities doing considerable business in California. It protects California residents that are either in California for other than a temporary or transitory purpose or are domiciled in California but are currently outside the state for a temporary or transitory purpose (Cal. Civ. Code §1798.140(c), (g); Cal. Code Regs. tit. 18, §17014). Consequently, the CCPA can apply to websites and web technology providers located outside California or even outside the United States, as long as they cater to California residents. Several other U.S. states are considering introducing similar or even stricter privacy laws than the CCPA. As with the Brussels effect in the context of the GDPR, we may observe a California effect (Vogel 1995) in future U.S. privacy law, and state privacy laws may converge toward the jurisdiction with the strictest regulatory standard.
In fact, this debate transcends the boundaries of privacy regulation. In the spring of 2021, the European Commission proposed an "Artificial Intelligence Act" (AI Act), coordinating European rules on the legal and ethical implications of artificial intelligence (European Commission 2021). The AI Act proposes fines that go even beyond the sanctioning regime of the GDPR (up to 6% of the worldwide annual turnover, see Art. 71(3) of the Draft AI Act), and it would apply if an AI system or its output is used in the European Union, regardless of whether the system's provider is located within the EU or not. The proposed AI Act encompasses important building blocks (in particular, an effective sanctioning regime and extraterritorial application) that could contribute to a Brussels effect in the context of AI regulation. In this context, our study sheds an empirical light on the mechanisms that may enable regulatory competition and a race-to-the-top in regulating privacy, AI, and other areas of digital society.

Privacy Law and Antitrust Policy
We find that, although the market for third-party web technologies shrank in the period following the GDPR's enactment, Google's position in various web technology markets improved relative to competitors (see Sections 5.3.1 and 5.3.2). Increasing concentration and an increasing market share of the dominant firm is most likely not what European legislators had in mind when designing the GDPR. Indeed, the European Commission stressed in 2012 how the procompetitive effects of the future GDPR would increase the attractiveness of Europe as a location to do business (European Commission 2012, p. 148-149). However, our findings are consistent with the dynamics of data-intensive markets. In data-intensive markets, large firms may have an advantage in the processing of personal data. As mentioned in Section 2.3, the revised e-Privacy Directive and the GDPR require firms to gather user consent for using cookies and processing personal data. As long as the data stays within the firm, the firm may control its compliance risks by a firm-wide consent management system. Once data are shared with a third party, however, the firm must inform its consumers and may be jointly liable for privacy violations (see Section 2.2). Hence, the GDPR has created an environment in which data sharing within firm boundaries is less risky than data sharing across boundaries.
Moreover, in line with the compliance risks outlined in the preceding section, websites may choose large web technology providers over small ones because these may have more resources to weather legal challenges created by the GDPR. By choosing a large web technology provider, a website may therefore reduce its own compliance risk. The GDPR widely implemented and enforced the consent requirement for websites, which disproportionately benefits larger firms offering a broader range of services: as most Internet users have used some of Google's services, Google could gather consent from most Internet users. Such consent then typically covers a broad range of Google products and services. The larger a service provider becomes, the cheaper it may become to gather broad user consent. This is consistent with theoretical work showing that larger firms can benefit disproportionally from access to user data (Farboodi et al. 2019, Hagiu and Wright 2020). Our results also speak to work showing that consent-based privacy regulation can disproportionately benefit firms offering a larger scope of services and that privacy regulation can increase market concentration by restricting data flows across firms (Campbell et al. 2015, Acemoglu et al. 2019, Jin and Wagman 2020, Jones and Tonetti 2020).
Although our results are in line with literature pointing out tradeoffs between privacy protection and competition, we can only provide empirical evidence regarding one side of the tradeoff: we document empirically the changes in third-party domain requests in general and cookies in particular after the GDPR has been enacted.However, we cannot quantify the costs of more concentration with our data.

Conclusion
We provide robust large-scale evidence on the changes occurring around the time when the GDPR came into force in the context of websites and web technology providers. We show how websites, within a time frame of six months, reduce their compliance risks after the GDPR: they reduce the number of third-party web technology providers they use, in particular relating to third-party cookies. We offer empirical evidence of the Brussels effect in European privacy law: Websites and web technology providers that are located outside the EU, cater to non-EU audiences, and are therefore not subject to the GDPR still comply with it. Finally, we demonstrate that, although markets for web technologies shrank in size after the enactment of the GDPR, the dominant firm, Google, increased its market share vis-à-vis competing web technology providers. Our findings suggest that some of the key implications of the GDPR may not relate to privacy, but to antitrust policy and regulatory competition. Although such regulatory spillovers have general implications for debates on how to govern data and AI, we leave the implications for the theoretical relationship between privacy and antitrust laws to future research.

Endnotes
1 When we refer to the effects doctrine and the Brussels effect, we refer to concepts as introduced in the legal discourse, not to effects in the sense of causal inference.
In Fashion ID, the European Court of Justice established a joint controller responsibility between a website that used a Facebook Like button and Facebook. The Court stressed that the joint responsibility is limited to those steps of the data processing that were jointly determined.
4 Such liability does not exist if the website can prove that it was not responsible for the violation. However, the website may often share some responsibility, or it may have difficulties proving otherwise in court (Articles 26(1), (3), 82(3), (4) GDPR). Also, the joint liability does not extend to administrative fines.
5 The European Data Protection Board, for example, issued its guidelines on the territorial applicability of the GDPR six months after the GDPR had become effective (European Data Protection Board 2019a).
6 According to industry reports, compliance costs for large U.K. firms (FTSE 350) were $1.1 billion, and $7.8 billion for large U.S. firms (Fortune 500); see https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-moneyfrom-this-9bn-business-shakedown.
7 Cookies are small files stored in the user's web browser placed by a website when visited. They contain information about the user's visit to provide additional functionality. Cookies placed by the visited websites are called first-party cookies, whereas cookies placed by other entities are called third-party cookies. These are typically used to track user behavior across different websites.
8 In some cases, the GDPR also allows for processing without user consent. In particular, if the website has a prevailing legitimate interest to process personal data (for example, IT security measures or fraud prevention), Article 6(1)(f) GDPR allows the website to process such data without explicit consent of the user (see also Recitals 47 and 49 GDPR). For the types of technologies of interest for our study, user consent is usually required.
9 Art. 5(3) e-Privacy Directive concerns the storing of a cookie on a user's device, whereas Art. 6(1)(a) GDPR concerns the processing of personal data that has been gathered through cookies or other means. On the complex relationship between the GDPR and the e-Privacy Directive, see European Data Protection Board (2019b).
10 See the description at https://www.thirdrocktechkno.com/blog/how-to-choose-a-technology-stack-for-web-applicationdevelopment/.
11 Detailed information for replication, including instructions on how to obtain the publicly available data we use, is available at https://github.com/cpeukert/gdpr.
12 Regarding our main estimation period, the public data set, available in Google's BigQuery web service, does not contain information for 12-01-2016, 01-01-2017, 01-15-2017, and 04-01-2018.
13 For our empirical analysis, we call subdomain.domain.com a website-host and domain.com a website.
14 HTTPArchive has introduced several changes in the technology they use to collect information on HTTP requests and the list of website-hosts from which they collect information. This reduces the number of websites that we can consistently observe.
15 Websites can send multiple requests to different URLs of the same third-party domain. For example, we may observe two requests to google-analytics.com for the same host. One request concerns the URL https://www.google-analytics.com/r/collect (with a number of parameters), and the second request concerns the URL https://www.google-analytics.com/analytics.js.
16 Although the GDPR has affected the amount of information publicly listed in the domain registry, the country of the registrant remains available. See https://www.icann.org/resources/pages/gtld-registration-data-specs-en.

Figure 1. (Color online) Example of Third-Party Requests

Figure 2. Number of Requested Third-Party Domains

Figure 3. Number of Requested Third-Party Domains That Respond with Cookies

Figure 4. Requested Third-Party Domains, Facebook vs. non-Facebook

2 For a recent U.K. High Court of Justice decision on these questions, see Walter Tzvi Soriano v. Forensic News, [2021] EWHC 56 (QB).
3 In recent case law, the European Court of Justice held that websites and web technology providers can be responsible as "joint controllers" (Art. 26 GDPR) even if the website cannot control what personal data are transmitted to or processed by the web technology provider. See European Court of Justice, June 5, 2018, case C-210/16, ULD Schleswig Holstein v. Wirtschaftsakademie Schleswig-Holstein (Fan Page); July 29, 2019, case C-40/17, Fashion ID v. Verbraucherzentrale NRW (Fashion ID); European Data Protection Board, 2021.
Peukert et al.: Regulatory Spillovers and Data Governance: Evidence from the GDPR. Marketing Science, 2022, vol. 41, no. 4, pp. 318-340, © 2022 The Author(s).

Table 1. Territorial Scope of the GDPR
Table shows whether the GDPR is applicable, as a matter of law, to Internet users and firms located within and outside the European Union.
Published in Marketing Science on February 15, 2022 as DOI: 10.1287/mksc.2021.1339. This article has not been copyedited or formatted. The final version may differ from this version.

Table 3. Summary Statistics Before and After the GDPR
Notes. Dependent variable in columns (1) and (2) is the log(y + 1) number of third-party domains that the website-host requests and in columns (3) and (4) the log(y + 1) number of third-party domains that the website-host requests and that respond with a cookie. Post indicates the period after May 25, 2018. EU Audience indicates whether a website host has a top-level domain that is specific to a country in the EU and/or whether the website's language is an EU language and/or whether the website appears on any EU country's Alexa ranking. Non-EU Audience indicates the opposite. EU Firm indicates that the website domain is associated with a firm that lists a headquarters in the EU on Crunchbase and/or a website where the Whois records indicate an owner with an address in the EU. Separate linear time trend for EU Audience/non-EU Audience before/after and website host fixed effects in all specifications. Standard errors in parentheses, clustered on the website-host-level. *p < 0.10; **p < 0.05; ***p < 0.01.

Table 6. Change in Websites Served by Data Type
Notes. Dependent variable is the log of the number of websites that send requests to third-party domains to firm i. Post indicates the period after May 25, 2018. Information on whether firms collect and/or share personal data comes from Evidon. All specifications include group-specific linear trends and firm-fixed effects. Standard errors clustered on the firm-level in parentheses. *p < 0.10; **p < 0.05; ***p < 0.01.

Table 5. Change in Number of Requested Third-Party Domains and Cookies: Website Popularity
Dependent variable in columns (1) and (2) is the log(y + 1) number of third-party domains that the website host requests and in columns (3) and (4) the log(y + 1) number of third-party domains that the website host requests and that respond with a cookie. Post indicates the period after May 25, 2018. EU Audience indicates whether a website host has a top-level domain that is specific to a country in the EU and/or whether the website's language is an EU language and/or whether the website appears on any EU country's Alexa ranking. Non-EU Audience indicates the opposite. EU Firm indicates that the website domain is associated with a firm that lists a headquarters in the EU on Crunchbase and/or a website where the Whois records indicate an owner with an address in the EU. Top1k indicates whether the website is ranked in the global top 1,000 most visited websites according to Alexa (n = 599). Separate linear time trend for EU Audience/non-EU Audience before/after and website host fixed effects in all specifications. Standard errors in parentheses, clustered on the website-host-level.

Table 8. Change in Levels and Market Shares: Google vs.

Table 9. Change in Levels by Submarket
Dependent variable is the log of the number of websites that send requests to services owned by web technology firm i. Post indicates the period after May 25, 2018. Google indicates the joint levels/market share of all domains of Google. Non-Google indicates the average levels/market share of all other firms. All specifications include firm-fixed effects and separate linear time trends. Standard errors clustered on the firm-

Table 10. Change in Market Shares by Submarket