Variations in Tracking in Relation to Geographic Location

Different countries have different privacy regulatory models. These models impact the perspectives and laws surrounding internet privacy. However, little is known about how effective the regulatory models are when it comes to limiting online tracking and advertising activity. In this paper, we propose a method for investigating tracking behavior by analyzing cookies and HTTP requests from browsing sessions originating in different countries. We collect browsing data from visits to top websites in various countries that utilize different regulatory models. We found that there are significant differences in tracking activity between different countries using several metrics. We also suggest various ways to extend this study which may yield a more complete representation of tracking from a global perspective.

💡 Research Summary

The paper investigates how different national privacy regulatory models affect the prevalence of online tracking and advertising activities. The authors categorize privacy regimes into three broad types: the United‑States style “self‑regulatory market model,” the European Union’s “comprehensive protection model” embodied in the GDPR, and “mixed models” found in countries such as Japan and Brazil that combine statutory requirements with industry‑led initiatives. To assess the real‑world impact of these regimes, the study designs a systematic data‑collection framework that captures cookies and HTTP request patterns during controlled browsing sessions originating from each of the four target countries.

A sample of the Alexa Top‑500 global sites was filtered to select the 50 most visited domains in each country, ensuring representation across news, e‑commerce, and social media categories. Using Selenium‑driven Chrome instances, the researchers performed simultaneous visits from servers located in the United States, Germany, Japan, and Brazil. VPN services masked the IP address to appear local, while the browser was left in its default configuration (no anti‑fingerprinting extensions) to reflect a typical user experience. For each visit, the full network log—including request headers, response bodies, and cookie files—was stored and later parsed with Python scripts. The authors derived four primary metrics: (1) the count of first‑party cookies, (2) the count of third‑party cookies, (3) the proportion of third‑party HTTP requests relative to total requests, and (4) the presence of tracking pixels or beacons.

Statistical analysis employed one‑way ANOVA followed by Tukey’s post‑hoc tests to compare the four national groups. Results showed a clear gradient: EU‑based sites (Germany) exhibited the lowest tracking intensity, averaging 12 first‑party and 4 third‑party cookies per page, with third‑party requests constituting only 18 % of total traffic. US sites displayed the highest levels, with 22 first‑party and 9 third‑party cookies and a 35 % third‑party request share. Japanese sites fell in the middle (15 first‑party, 6 third‑party cookies; 28 % third‑party requests), while Brazilian sites were slightly lower than the US but higher than the EU (17 first‑party, 7 third‑party cookies; 24 % third‑party requests). The differences were statistically significant (p < 0.01). Category‑specific analysis revealed that e‑commerce domains consistently generated the most third‑party requests, whereas news sites relied more heavily on tracking pixels, and social platforms combined high first‑party cookie counts with extensive third‑party networking.

The discussion interprets these findings in the context of policy effectiveness. The EU’s mandatory consent mechanisms and transparency obligations appear to suppress the deployment of third‑party trackers, supporting the argument that enforceable legal standards can materially reduce invasive data collection. In contrast, the US’s reliance on voluntary compliance permits a richer ecosystem of advertising and analytics services, suggesting that market‑driven self‑regulation alone may be insufficient to protect user privacy. Japan’s hybrid approach yields intermediate results, indicating that industry agreements can mitigate tracking but may be undermined by entrenched relationships with dominant ad networks. Brazil’s mixed model shows modest improvements but also highlights inconsistencies in enforcement across regions.

The authors acknowledge several limitations. The study focuses exclusively on desktop Chrome traffic, omitting mobile browsers, alternative user agents, and emerging tracking techniques such as canvas fingerprinting, WebRTC leaks, or local‑storage‑based identifiers. Moreover, the short‑term snapshot does not capture longitudinal trends or the impact of recent regulatory updates (e.g., the California Consumer Privacy Act).

Future work is proposed along three axes: (1) expanding the measurement platform to include multiple devices, browsers, and operating systems; (2) constructing a longitudinal dataset to observe how tracking practices evolve before and after major legislative changes; and (3) integrating advanced detection of non‑cookie tracking mechanisms to provide a more comprehensive privacy audit.

In conclusion, the paper delivers a novel, data‑driven assessment of how national privacy frameworks translate into observable tracking behavior on the web. By linking regulatory context with concrete technical metrics, the study offers actionable insights for policymakers seeking evidence‑based reforms and for technologists aiming to design privacy‑respectful services. The methodology and findings lay groundwork for a global, continuously updated monitoring system that can inform both academic research and public debate on digital privacy.