How the pandemic has exacerbated online privacy threats

Driven by lockdown policies and a fear of contracting COVID-19, many individuals have moved to seek online alternatives for many of their offline activities over the pandemic, leading to a surge in online traffic—and increased tracking by commercial and public websites. These websites then share the data they collect with third parties, who aggregate the data to create user profiles for advertising purposes. Many of these third parties are unknown to users and have access to users’ data without their explicit consent. Additionally, while users may agree to share one specific data type with a website, an aggregation of various data types across many different websites can enable third parties to use advanced data analytics to make very precise inferences about sensitive aspects of users’ lives. Such practices have enabled increased commercial and state surveillance that consumers have little awareness or control over. This significantly elevates privacy concerns about consumer welfare in the rapidly-digitizing world we live in today. In response to such concerns, legislative efforts such as Europe’s General Data Protection Rule (GDPR) and its American counterpart, California’s Consumer Privacy Act (CCPA) have sought to curb data collection and sharing with third parties.

Brookings Senior Fellow Niam Yaraghi, along with a series of co-authors, conducted statistical analyses and authored a paper on how often websites shared user information with third-party sites, and whether such behavior differed across websites. Between April 9th and August 27th, 2020, they collected data on the number of third parties each of the top 1,000 websites in the United States interacted with on a daily basis. This data was collected from a virtual server with a New York IP address. They then combined this with data on the weekly number of COVID-19 related deaths in the state of New York over the same period in order to examine how the spread of the COVID-19 pandemic affects third-party tracking and the extent to which it varies by website characteristics. Noted characteristics included the industry that each website operates in and whether the site asks for permission before placing cookies on users’ browsers. Websites in the News & Media, Health & Healthcare, Telecommunications, and Games industries were classified as “high traffic,” as they were in sectors that experienced a spike in user traffic over COVID-19 lockdown policies.

The analyses found that the extent of third-party data sharing by websites increased with internet use as the pandemic progressed and users relied more on online alternatives. Websites with more traffic did so at a larger scale compared to those that did not. Merely asking for consent before collecting users’ data did not necessarily reduce the number of third parties; privacy-respecting websites interacted with third parties at similar rates compared to other sites. However, websites that asked for permission before placing cookies on users’ browsers have been shown to reduce their third parties over time as their traffic surged over the pandemic.

Amid national discussions about the necessity of potential legislation to protect users’ privacy, this research highlights how the pandemic has exacerbated online privacy threats and the importance of addressing such threats to protect user welfare. It is also important to note the difference in behaviors of privacy-respecting and non-respecting websites when it comes to collecting and sharing their user data.