It seems that a fairly severe, sweeping data privacy law in Europe could be just the incentive news organizations needed to trim the number of third-party cookies and content loading on their sites before readers have a chance to give explicit consent, according to a Reuters Institute report on a wide selection of news sites in Finland, France, Germany, Italy, Poland, Spain, and the U.K.

A prequel report from RISJ, released a few weeks before the General Data Protection Regulation came into effect May 25, found that some news sites researchers looked at were worse than popular non-news websites when it came to third-party content. These news sites averaged 40 different third-party domains per page and 81 third-party cookies per page, compared to an average of 10 and 12, respectively, for other popular non-news websites. (Researchers collected the data in the first three months of this year.)

This time around, researchers found declines in cookie prevalence on the 200-plus news sites they tracked, across several categories, from cookies related to advertising and marketing to ones related to design optimization (they looked at the difference between the sites in April and then the sites in July). On average, total cookies related to design optimization dropped 27 percent; cookies relating to advertising and marketing dropped 14 percent.

Some third-party cookies were still present, both before and after GDPR: “We saw almost no change in the percentages of pages with at least one instance of third-party advertising, audience measurement, content recommendation, design optimization, and hosting,” the researchers note. But it seems that a significant number of the news sites sampled did remove third-party content loaded from social media platforms and from content recommendation widgets: There was “a fall of eight percent in the share of sites with any third-party social media content — in other words, many news sites don’t include even a single instance of content loaded from a social media firm — and a six percent decline in the use of third-party content recommendation systems.”

What didn’t get whittled down much post-GDPR on these news sites? Content from Google and Google-owned services, which news sites just can’t seem to quit (the table shows the percentage of news sites that still load content from Google subsidiaries and services):

Drops vary country by country. In Germany, for instance, news sites were already loading comparatively few third-party cookies before GDPR came into effect, and cookies-per-page for German news sites declined just slightly from April to July. In the UK, news sites had been loading a lot of third-party content; these news sites saw a 45 percent decline in cookies per page from April to July. (Poland is the anomaly here: “This is largely due to major increases in four of the 29 websites examined. We may not rule out that these sites may have changed in a way which has impacted our measurement tool,” the researchers wrote.)

None of these are changes that can definitively be credited to GDPR, but the researchers point out two strategic moves news sites may be making in the wake of the law:

First, due to the GDPR’s requirements for consent, news organizations may simply be deferring some tracking cookies until after a user clicks to accept the site’s terms on a pop-up consent dialogue.

Second, we may be observing a kind of ‘housecleaning’ effect. Modern websites are highly complex and evolve over time in a path-dependent way, sometimes accumulating out-of-date features and code. The introduction of GDPR may have provided news organizations with a chance to evaluate the utility of various features, including third-party services, and to remove code which is no longer of significant use or which compromises user privacy.

You can read the full report here. The prequel report on the sites pre-GDPR is available here.