The EU’s General Data Protection Regulation came into effect in 2018 to tackle issues of privacy and personal data. Looking at over 110,700 websites before and after the introduction of the regulation, this column examines its effect on non-EU-based websites and on other policy domains, such as competition or trade policy. Both EU-based and non-EU-based websites switched to more privacy-sensitive technologies following GDPR, but only in the short term. The market for web tracking technologies became more concentrated, with Google gaining the most market share among large providers. Privacy regulations can function as nonpecuniary barriers to trade, especially if enacted by a large economic area.