GDPR 4 years on: How data consent changed the internet

Today is the fourth anniversary of the GDPR, or the General Data Protection Regulation, an EU law surrounding data privacy. This regulation is the reason “I consent,” “Accept all cookies,” or other similar buttons appear when you first land on a website—often regardless of whether you are in the EU or not. But what does it really mean? This post will explore the GDPR’s meaning and how it has changed our digital lives in the last four years.

What is the GDPR?

It’s a set of rules that protect individuals’ personal data. Although it’s EU-based, many companies make their GDPR compliance worldwide. This regulation ensures that EU internet users have the following rights:

  1. Right to transparency (Article 12)
    Companies have to communicate clearly and in plain language.
  2. Right to access personal data (Articles 13-15)
    On request, companies have to share all personal information they have on you. This includes purchase history, behavioral analytics, and more.
  3. Right to be forgotten (Articles 16-20)
    On request, companies have to erase all data related to you.
  4. Right to refuse data processing (Articles 21, 22)
    Companies are not allowed to do anything with personal data without explicit consent. This is why you see the “I consent” buttons on websites.

Companies are responsible for proving GDPR compliance by showing what information they collect, how long they keep it, and who they’re sharing it with.

GDPR violations hit Big Tech

From 2018 to 2020, the European Commission issued fines against Facebook and Google. But the biggest fine, 50 million EUR (59.27 million USD) against Google, was small in the context of the company’s overall revenue.

In 2021, the European Commission got more serious about enforcing the GDPR, issuing 40% more fines than in 2020, including a fine of 746 million EUR to Amazon. This fine was more than double all the previous ones combined.

During that time, surveys showed companies’ concerns shifting. In 2018, they saw the greatest challenges as complying with the right to be forgotten, data requests, and data portability. By 2021, the concerns were consent and international data transfer. 

While this regulation has been making waves for companies’ online presence, what is the GDPR’s effect on our daily lives? Let’s review both the positives and the negatives.

GDPR’s positive impact

1) Businesses now operate with privacy in mind

Since 2018, companies have spent over 9 billion USD to ensure GDPR compliance.

This money went into changing company procedures and hiring data-protection officers. These workers track processes, audit data, and raise employee awareness. This regulation has also changed the way apps are developed, with some studies finding moderate improvements to app safety since the GDPR came into effect.

Finally, this regulation has changed online marketing. Advertisers are turning away from cookies and personal data mining. Instead, they are advertising based on webpage content—a concept called contextual marketing—and brands plan to spend 20% of their media budget this way in 2022. 

2) No more auto opt-ins

They might be a hassle, but the “I consent” buttons are a good thing. They represent companies asking your permission to gather data for marketing activities. For GDPR compliance, they need to tell you what data they are taking and how they will use it. And for every consent button, there is the option to deny data collection. The comfort of knowing that you are not being data-mined is well worth clicking a button or two.

3) Improved employee privacy rights

The GDPR protects citizens’ rights not only as consumers but also as employees. In 2020, one company received a 35.3 million EUR fine for breaching the privacy of its employees. The company had created profiles of each staff member based on informal discussions and included everything from holiday activities to religious beliefs. The profiles were shared with over 50 managers and used to inform HR decisions.

The GDPR defines this information as sensitive personal data. This is a special category of information that companies cannot process (Article 9). In fact, the GDPR is an upgrade from the 1995 EU Data Protection Directive. It sets a wider definition of personal data and grants employees more rights. No matter where the company is, it has to follow the GDPR as long as it has EU-based employees.

4) Increased awareness of data privacy

The launch of the GDPR came with press coverage and websites launching consent buttons. At the same time, companies sent emails about privacy policy changes. All this happened at once, bringing data privacy into the public eye.

According to a study from Cisco, 84% of people said they wanted more control over how their data gets used, and 48% have switched service providers because of their data-sharing practices. 

GDPR’s negative impact

1) Loss of services, content, and innovation

Although the GDPR has improved privacy rights, it has made it harder to do business online. According to a recent Oxford study, this regulation resulted in an 8% drop in company profits and a 2% drop in sales. Small tech businesses are being hit particularly hard, facing double the average decline.

GDPR compliance is seen as so onerous that some sites and services cut off the EU or shut down their services altogether. When it came into effect, over 1,000 US-based news sites blocked EU countries from access. 

There was a similar effect on the Google Play store. According to one study, the number of mobile apps dropped by a third after the GDPR was launched. Since then, the number of new apps has fallen by 47.2%.

2) Fewer free services

What if Facebook or Twitter charged a monthly fee for their services? The GDPR makes it more difficult to justify offering free services. If you’re not paying for the service in cash, then you’re paying by watching ads or by providing data. And with the GDPR’s consent requirements, gathering customer data has become harder.

On top of that, companies also have to cover the costs of ensuring GDPR compliance. According to one report, 88% of companies spend more than 1 million USD—and 40% of companies spend more than 10 million USD. This makes it harder for companies to justify offering free services.

The future of GDPR

While there have been privacy laws before, the GDPR is the first one that led to companies worldwide restructuring to ensure compliance. 

At the same time, 14 non-EU countries have matched their privacy laws to the GDPR. The European Commission has granted these countries GDPR “adequacy,” which means they are recognized as having adequate data protection and can receive personal data from the EU without additional safeguards. As more companies and countries get on board, the GDPR is on its way to becoming a global standard of privacy. 

This year, the EU will launch an update to the 2002 ePrivacy Directive. This update includes a cookie provision that will reduce the number of “consent” buttons. It will also ban spam and require marketing callers to reveal their phone numbers. Finally, it will improve confidentiality protection in instant messaging.

Moving forward, governments will face some interesting challenges in privacy legislation. One such challenge is blockchain. Although the GDPR encourages privacy by design, blockchains are the polar opposite: They are transparent by design, and this transparency is a key feature that makes them secure. Once entered into a blockchain, information is visible to all and cannot be erased. So much for the right to be forgotten. We look forward to seeing how governments will address this unique challenge.

Let us know your thoughts about GDPR in the comments!

Alan is like a slow cooker for tough ideas: just put them in, and he’ll turn them into something tasty and easy to eat. When he’s not doing that, he also likes cooking, no surprise there.