GDPR Works, but only Where Someone Enforces It

Help Net Security – Compliance, Apr 23, 2026

Why It Matters

Active enforcement turns privacy legislation into a tangible reduction in data collection, influencing both user privacy and the operational burden for global digital businesses.

Key Takeaways

  • EU visitors see ~50% fewer tracker connections than non‑EU users
  • Germany and Spain have the lowest average trackers per site
  • High‑enforcement jurisdictions cut tracking; low‑enforcement jurisdictions see little impact
  • Sites without cookie banners carry more trackers than those with banners
  • OneTrust dominates the consent‑management layer across surveyed websites

Pulse Analysis

The study crawled the same set of globally popular sites from ten distinct jurisdictions, revealing a stark contrast between regions with vigorous data‑protection authorities and those where laws exist only on paper. German and Spanish users faced roughly half the number of third‑party tracker connections seen in places like Australia or California, underscoring that the GDPR’s opt‑in framework only translates into real privacy gains when regulators pursue cases and levy fines—an effect quantified by the 833 fines totalling about $3.28 billion across the EU.

For compliance officers, the findings highlight two practical levers: enforcing consent‑management platforms and monitoring the handful of dominant ad‑tech vendors. OneTrust appears on a large share of sites, meaning its configuration often dictates whether a banner complies with local law. Meanwhile, the tracking ecosystem remains concentrated among six parent companies—Google, Meta, Microsoft, Adobe, X and LinkedIn—so improvements at this layer ripple widely. Notably, sites without visible cookie banners carried more trackers, signaling that a missing banner is a stronger indicator of non‑compliance than a present one.

Strategically, multinational operators should adopt a tiered privacy model: apply GDPR‑grade controls for EU traffic, lighter opt‑out mechanisms elsewhere, and prepare for increasing complexity as more countries adopt opt‑in regimes. The so‑called "Brussels shield" shows that while a minority of sites apply uniform consent globally, the majority geofence compliance, limiting the broader export of strict standards. As California’s privacy agency expands enforcement and other states consider similar rules, the gap between high‑ and low‑enforcement jurisdictions may narrow, pushing the industry toward more universal consent practices.
