Driven by quarantine policies and the fear of contracting COVID-19, many people have begun to look for online alternatives to many of their offline activities during the pandemic, leading to a sharp increase in online traffic and increased tracking by commercial and public websites. These websites then share the collected data with third parties who collect the data to create user profiles for advertising purposes. Many of these third parties are unknown to users and have access to user data without their express consent. Additionally, while users may agree to provide a specific type of data to a website, the aggregation of different types of data across many different websites may allow third parties to use advanced data analytics to make very precise inferences about sensitive aspects of users’ lives. This practice has contributed to increased commercial and government surveillance of which consumers have little knowledge or control. This greatly increases privacy concerns for consumer welfare in the rapidly digitizing world we live in today. In response to such concerns, legislative efforts such as the European General Data Protection Regulation (GDPR) and its American counterpart, the California Consumer Privacy Act (CCPA), have sought to limit data collection and sharing with third parties.
Brookings Senior Research Fellow Niamh Yarragi, along with a number of co-authors, conducted a statistical analysis and wrote a paper on how often websites shared user information with third-party sites and whether such behavior varied across websites. Between April 9 and August 27, 2020, they collected data on the number of third parties that each of the top 1,000 websites in the United States interacted with each day. This data was collected from a virtual server with a New York IP address. They then combined this with data on the weekly number of deaths related to COVID-19 in New York State over the same period to examine how the spread of the COVID-19 pandemic affects third-party tracking and how it depends on the characteristics website. Specified characteristics included the industry in which each website operates and whether the site asks for permission before placing cookies on users’ browsers. Websites in News and mass media, Health and health care, Telecommunicationsand Games industries were classified as “high traffic” because they were in sectors that saw a spike in user traffic due to the COVID-19 lockdown policy.
The analysis found that third-party data sharing by websites increased with Internet use as the pandemic progressed, and users relied more on online alternatives. Websites with more traffic did this to a greater extent than those without. Simply asking for consent before collecting user data does not necessarily reduce the number of third parties; privacy-conscious websites interacted with third parties at the same frequency as other sites. However, websites that asked for permission before placing cookies on users’ browsers were shown to reduce the number of third parties over time as their traffic spiked due to the pandemic.
Amid national debates about the need for potential legislation to protect user privacy, this study highlights how the pandemic has increased online privacy threats and the importance of addressing such threats to protect users’ well-being. It is also important to note the difference in the behavior of privacy-respecting and non-privacy-respecting websites when it comes to the collection and sharing of user data.