GDPR Only Works Where Regulators Actually Enforce It, New Study Confirms

A privacy law that nobody enforces is barely better than no privacy law at all. That is the uncomfortable conclusion of a new measurement study that crawled the same set of globally popular websites from ten different jurisdictions and found that where you connect from determines how much you are tracked far more than whatever privacy law is technically on the books.

The Numbers Tell the Story

Researchers set up virtual machines in Australia, Brazil, Canada, Germany, India, Singapore, South Africa, South Korea, Spain, and the US state of California, then visited identical sets of websites from each vantage point and counted the third-party tracker connections each page made. The results were stark.

German users encountered an average of 4.2 tracker connections per site — the lowest of any country tested. Spanish users saw 5.3. Cross the Atlantic to California, and that number jumps to 11.7. Australia was nearly as bad at 11.2.

Across 525 shared sites, EU visitors encountered 50.5% fewer tracker connections than non-EU visitors. But that headline figure needs context: the EU side of the comparison consists only of Germany and Spain, the two jurisdictions the researchers classified as "high enforcement." The reduction does not carry over to other countries with GDPR-style laws, as the next section shows.

Laws Without Teeth Don’t Bite

Here’s where it gets damning. Brazil, India, Singapore, South Korea, and South Africa all have opt-in consent requirements on paper — regimes comparable to the GDPR. In practice, their tracking levels sit much closer to countries with no consent requirements at all.

South Korea is a striking example: 75.9% of popular Korean sites connect to trackers despite opt-in requirements, and only 1.8% of sites even bother deploying consent banners. The law says one thing. The web says another.

Brazil’s data protection authority (ANPD) has focused almost exclusively on public sector breaches. India’s Digital Personal Data Protection Act is too new to have produced meaningful enforcement. Singapore and South Africa have had data protection laws on the books for over a decade, yet their regulators remain largely inactive on web tracking.

The pattern is consistent: without a regulator that actually investigates complaints, issues fines, and creates real consequences, companies treat privacy law as optional.

Germany Shows What Enforcement Looks Like

Germany didn’t arrive at 4.2 trackers per site by accident. German data protection authorities have been active since the 1970s — decades before the GDPR existed. The country has state-level DPAs that independently investigate and fine companies, creating multiple enforcement pressure points.

Spain’s AEPD has similarly built a track record of action, including fining automaker SEAT specifically for deploying non-essential cookies without proper consent.

Across the EU, regulators have issued 833 fines totalling €3.01 billion specifically for insufficient legal basis for data processing. Cumulative GDPR fines have now passed €7.1 billion, with European data protection authorities processing an average of 443 breach notifications per day — a 22% increase year-over-year.

Those numbers matter. When the researchers measured what happens when a visitor simply ignores the cookie banner, German visits still made 48.5% fewer tracker connections than visits where the crawler actively accepted tracking. In California, ignoring the banner reduced tracker connections by only 21.1%. In a high-enforcement jurisdiction, doing nothing keeps most tracking off; in a low-enforcement one, most of the tracking happens whether or not you touch the banner.
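The measurement behind the per-site averages above and the ignore-versus-accept comparison is easy to reproduce in miniature. The Python below is an added illustration, not the study’s own code: it classifies each request a page makes as first-party or third-party tracker against a tracker list, counts the distinct tracker domains contacted per visit, and compares the per-site average across vantage points and across banner interactions. The tracker list, the crawl log and the last-two-labels eTLD+1 shortcut are all constructed for the example; a real measurement needs the Public Suffix List and a maintained tracker list.

```python
"""Tracker-connection measurement in miniature (added example, not the
study's code). Tracker list, crawl log and the eTLD+1 shortcut are
constructed for illustration."""
from collections import Counter

# Constructed tracker list: registrable domain -> (parent company, category).
# Real measurements use a maintained list with a far larger taxonomy.
TRACKERS = {
    "doubleclick.net": ("Google", "advertising"),
    "google-analytics.com": ("Google", "analytics"),
    "facebook.net": ("Facebook", "advertising"),
    "demdex.net": ("Adobe", "analytics"),
}

# Constructed crawl log: (vantage, site, banner action) -> hosts contacted.
# "accept" = crawler clicked accept; "ignore" = it left the banner alone,
# which is the default experience for most visitors.
VISITS = {
    ("DE", "example.com", "accept"): [
        "www.example.com", "cdn.example.com",
        "stats.g.doubleclick.net", "www.google-analytics.com"],
    ("DE", "example.com", "ignore"): [
        "www.example.com", "cdn.example.com", "www.google-analytics.com"],
    ("DE", "news.example.org", "accept"): [
        "news.example.org", "connect.facebook.net", "dpm.demdex.net"],
    ("DE", "news.example.org", "ignore"): ["news.example.org"],
    ("CA", "example.com", "accept"): [
        "www.example.com", "stats.g.doubleclick.net",
        "www.google-analytics.com", "connect.facebook.net"],
    ("CA", "example.com", "ignore"): [  # no banner shown: tracks regardless
        "www.example.com", "stats.g.doubleclick.net",
        "www.google-analytics.com", "connect.facebook.net"],
    ("CA", "news.example.org", "accept"): [
        "news.example.org", "connect.facebook.net", "dpm.demdex.net",
        "stats.g.doubleclick.net"],
    ("CA", "news.example.org", "ignore"): [
        "news.example.org", "connect.facebook.net", "dpm.demdex.net"],
}


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (assumption for this
    example). Production code must consult the Public Suffix List, or
    hosts under co.uk, com.au and similar collapse into one bogus domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_request(site, host):
    """Return (tracker_domain, parent, category) for a third-party tracker
    connection, or None for first-party or unlisted hosts. Trackers served
    via a first-party CNAME are invisible here; that is a known blind spot
    of domain-based measurement."""
    dom = registrable_domain(host)
    if dom == registrable_domain(site):
        return None
    info = TRACKERS.get(dom)
    return (dom, *info) if info else None


def tracker_connections(visits):
    """Map each visit to the set of distinct tracker domains it contacted.
    Visits with zero trackers are kept so averages are not inflated."""
    result = {}
    for key, hosts in visits.items():
        hits = {classify_request(key[1], h) for h in hosts}
        result[key] = {h[0] for h in hits if h}
    return result


def mean_trackers(connections, vantage, action):
    """Average number of tracker domains per site for one vantage/action."""
    counts = [len(doms) for (v, _s, a), doms in connections.items()
              if v == vantage and a == action]
    return sum(counts) / len(counts) if counts else 0.0


def percent_reduction(baseline, treatment):
    """How much lower `treatment` is than `baseline`, in percent."""
    return 100.0 * (baseline - treatment) / baseline if baseline else 0.0


def category_share(connections):
    """Fraction of tracker connections per category across all visits."""
    tally = Counter(TRACKERS[d][1]
                    for doms in connections.values() for d in doms)
    total = sum(tally.values())
    return {cat: n / total for cat, n in tally.items()}


if __name__ == "__main__":
    conns = tracker_connections(VISITS)
    for vantage in ("DE", "CA"):
        acc = mean_trackers(conns, vantage, "accept")
        ign = mean_trackers(conns, vantage, "ignore")
        print(f"{vantage}: accept={acc:.1f} ignore={ign:.1f} "
              f"ignoring cuts {percent_reduction(acc, ign):.1f}%")
    print("category share:", category_share(conns))
```

On the constructed log, ignoring the banner removes 75% of tracker domains from the German vantage point and under 17% from the Californian one, which is the shape of the study’s 48.5% versus 21.1% result. The two caveats in the comments are the ones that bite in practice: naive eTLD+1 extraction mis-groups hosts under multi-label public suffixes, and any tracker that the site proxies through its own subdomain is counted as first party and therefore undercounted.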

The “Brussels Shield” Effect

About a quarter of globally popular websites deploy cookie banners everywhere. Another quarter deploy them nowhere. The remaining half deploy them selectively — predominantly to users in Germany and Spain.

The researchers call this the “Brussels Shield”: GDPR protections function as a shield for Europeans rather than exporting privacy standards globally. Companies build two experiences: one for jurisdictions where regulators might actually come knocking, and a tracker-heavy version for everyone else.

The tracking itself is dominated by a handful of companies. Advertising accounts for roughly two-thirds of all tracker connections. The top parent companies are the same everywhere: Google, Facebook, LinkedIn, Microsoft, Adobe, and X. Consent management has consolidated around platforms like OneTrust, making their compliance decisions disproportionately influential.

One counterintuitive finding: sites that showed no cookie banner at all carried more trackers on average than sites with banners. The absence of a banner is not a sign of less tracking; in this data it signalled the opposite.

Why This Matters for Your Data

This study confirms something privacy advocates have argued for years: the law on paper means nothing without enforcement on the ground. And it raises uncomfortable questions about what happens when the EU itself starts weakening its own framework — as the Digital Omnibus proposals currently threaten to do.

If you’re choosing where to store your data based on legal protections, jurisdiction and enforcement track record matter more than the text of the law. Germany’s decades of active enforcement deliver measurably less tracking. Brazil’s GDPR-equivalent delivers almost none.

Switzerland, which operates its own data protection framework under the Federal Act on Data Protection (nFADP), enforces independently of the EU. The Swiss Federal Data Protection and Information Commissioner (FDPIC) has the authority to investigate and act — and Switzerland’s long tradition of privacy protection means enforcement isn’t just theoretical.

What You Can Do

  • Check your jurisdiction. Where your data is stored and processed determines which regulators can act on your behalf. Not all privacy laws are created equal — and not all regulators are equally willing to use the powers they have.
  • Don’t assume consent banners mean protection. This study shows that banners are often deployed performatively. The real question isn’t whether a site shows you a banner — it’s whether the site faces consequences for ignoring your choices.
  • Choose services in high-enforcement jurisdictions. If a company knows it operates under active regulatory scrutiny, it behaves differently. That’s not opinion — it’s what the data shows.
  • Support enforcement. Privacy laws only work when regulators have the resources, mandate, and political backing to use them. Pay attention to who’s funding data protection authorities — and who’s lobbying to defund them.
