Privacy Policies Caught between the Legal and the Ethical: European Media and Third Party Trackers before and after GDPR

This contribution analyses the use of third-party trackers by European countries media before and after the introduction of the EU’s General Data Protection Regulation (hereafter: GDPR) as an inroad to discuss the legal versus ethical obligations of media with regards to audiences’ privacy and the impact on the key value of trust in media. In force since 25 May 2018, GDPR provides extended rights to users to protect personal information. The legislation deals with third-party servers (represented by URLs) that play a role in compiling a webpage presented to the user. We focus on third-party servers that track, collect and analyse user behaviour.

Theoretically, the paper starts from the idea that legal discussions of and instruments to regulate third-party servers’ impact on privacy do not cover more fundamental ethical questions. Data collection may be lawful but can affect users' lives in unwanted ways and, thus, affect their trust in the service provider, i.e. media. This has two complementary theoretical perspectives: computer ethics (e.g. Moore, 1997; Brey 2005) and (public service) media values (authors, 2017) in the ‘calculated public sphere’ (Harper, 2016).

Data result from an extensive and repeated collecting of third party traffic on media-related websites. From a dataset of +32 million recordings of HTTP responses from servers for files like pictures, code or text to +12700 web pages from 1250 websites visited 25 times before and after GDPR, we selected 355 media websites from 38 European countries (#114 from EBU members, #241 from private media). Data were analysed and third-party servers were identified and categorized.

The result section, first, discusses various characteristics of third-party trackers before focusing on differences between public service and private media, comparing for EU/EEA versus the rest of Europe. Next, we analyse evolutions over time finding that public service websites are unchanged with regards to third party URLs, while private media show a decrease. Furthermore, GDPR has led to smaller third-parties disappearing to the advantage of the big ones, enhancing concentration of power for access to and collecting of user data.

Results are discussed in light of the ethical implications of what may legally be a licensed use of audiences’ data by third-party trackers. We assumed that the more third-party servers involved in a webpage visit, 1) the higher the potential exposure of personal, identifiable information and, thus, 2) the more the ethical aspects of privacy and, ultimately 3) the soft value of trust – crucial to the working of media, especially PSM - are compromised. Finally, it discusses how media policies in the area of privacy and wider individual rights need to go beyond the legal boundaries as set out in legal frameworks such as GDPR.