Is the humble internet surfer now more private? GDPR, four years on.

By Aleksandras Švabas, Senior Product Manager at Adform

These articles have been written by the latest cohort of the Practice Makes UnPerfect programme – a course that helps people find and finesse their public voices

It has been almost 4 years since most internet publishers started greeting us – regular surfers of the world wide web – with ugly dialogues and annoying questions regarding cookie acceptance or consent.  

The General Data Protection Regulation – more widely known as GDPR – has had implications for most of us.

GDPR has certainly raised awareness of digital privacy amongst a wider audience. Now we have to give our approval to every company or service, saying that we’re OK with them collecting our data. But has it brought a greater feeling of safety to the average internet surfer? Does the internet user ever actually read the terms and conditions, and understand what happens after they click on “I Consent”?

GDPR itself is data privacy legislation. It concerns the data of regular people, so in theory it should help them. However, there is no public study available on how people actually perceive the rights introduced by the law, which parts of society know how to control their personal data, and what percentage have actually acted upon the newly granted means.

The ones who actually felt the effect of GDPR’s introduction are the businesses: both tech companies providing solutions for simplifying life, and companies that earn money from other activities but use IT systems as their information backbone. Investing significantly in making their solutions and systems compliant with the law was already quite a task. Now that the systems are live, the companies face an even bigger challenge – they are subject to investigation by the data protection authorities if anyone files a complaint.

Fines handed out by authorities for violations are huge. According to the law, they could reach up to 4% of the company’s annual revenue. No wonder the magnifying glass is focused on the most well-known names in the field. The biggest fines so far were handed out to the tech behemoths: Amazon (746 million euros), Meta Group (302 million in total: 225M for WhatsApp, 60M for Facebook and 17M for Meta Group) and Google (~206 million euros).

It is not as if the companies are failing to comply with the requirements on purpose. The interpretation of the law is quite a riddle, even to the organization that took responsibility for implementing GDPR requirements in the AdTech environment – IAB Europe. The Belgian DPA has found that the Transparency and Consent Framework (TCF), developed by the organization, fails to comply with a number of provisions of GDPR. And this is the same mechanism that sits behind the very “Accept cookies” dialogue seen on each webpage.

Not all of the cases have been concluded with a defined fine yet. The most famous ongoing discussion now is about the legality of Google Analytics. It is a service used by millions of companies throughout Europe to check statistics on website performance, mainly for marketing purposes. Recently the DPA offices in Austria and later France found that the company does not sufficiently protect the data gathered from European users.

With all these legal actions taking place and gaining attention, some questions arise: what is in it for a regular internet user? Are their privacy needs fulfilled with just an option to consent to or deny the processing of their private data? And where do the fines issued to the violators of the GDPR law go? Are they just a surplus to the budget of the country where the violation was discovered, or do they actually go towards compensating those whose rights were violated, or towards privacy education?

As of now, it seems that the law is more about putting tech companies into a privacy cage than about the actual data user and the exercise of their rights.