Priorities for more effective tech regulation

Ample research has demonstrated that compliance with data protection principles remains limited on the web and mobile. For example, almost none of the apps on the Google Play Store fulfil the minimum requirements regarding consent under EU and UK law, while most of them share tracking data with companies like Google/Alphabet and Facebook/Meta and would likely need to seek consent from their users. Indeed, recent privacy efforts and enforcement by Apple have had - in some regards - a more pronounced effect on apps' data practices than the EU's ambitious General Data Protection Regulation (GDPR). Given the current mismatch between the law on the books and data practices in reality, iterative changes to current legal practice will not be enough to meaningfully tame egregious data practices. Hence, this technical report proposes a range of priorities for academia, regulators and the interested public in order to move beyond the status quo.