August 12, 2022

The Ugly Truth About GDPR

General Data Protection Regulation (GDPR) was designed to give individuals greater protection and rights by altering the way in which organizations handle the data of those who interact with them online.

But, does it?

The reality is that there are so many GDPR issues that the regulation does very little to protect your identity and your personal data. There are three main GDPR issues:

1. GDPR cookie consent notices are often designed to have people accept all without thought;

2. Non-consent choices are often ignored;

3. Cookies are not the only tracking method used. Websites rely heavily on “browser fingerprinting”, which is much more invasive and isn't covered by GDPR.

As it turns out, GDPR is not the hero it is hailed to be. GDPR is a failure.

Let's explore.


What is the purpose of GDPR?

The GDPR data protection reforms came into effect across Europe on May 25, 2018, modernizing decades-old laws for the protection of personal information in the digital age.

The updated regulations are meant to strike a balance between the legitimate interests of businesses and protecting the fundamental rights and freedoms of individuals, particularly the right to protect their personal data.

The term “personal data” has a pretty broad scope, but according to GDPR Article 4, it means any information relating to an identified or identifiable person.

This can be a name, an identification number, location data, an online identifier, or even the physical, genetic, biometric, economic, cultural, or social identity of a person.

The rights of EU citizens under GDPR are also referred to as the eight “guarantees” or core user protections:

  • The right to be informed on how personal data are used
  • The right of access to personal data organizations are holding
  • The right to correct personal data that are inaccurate or incomplete
  • The right to request the deletion of personal data under certain circumstances
  • The right to restrict or pause the processing of data if there are irregularities
  • The right to have an organization send personal data it holds to other companies
  • The right to object to data processing
  • The right to protection from harmful automated decision-making processes

Every website and business providing a service to EU citizens and residents is responsible for facilitating these core protections. This is why every time you visit a website, you'll be asked to give your consent, allowing businesses to track your cookies, and store and/or share your data.

In theory, it puts the individual in control.

In theory, GDPR sounds like a good thing.

But in practice, it's a completely different story. Let's take a look at the GDPR issues.

GDPR failure of forced consent

One of the most obvious GDPR issues is that of consent. Although well-intended (as well as legally required), cookie consent windows, blocks, and banners have become little more than an everyday annoyance.

These often text-heavy, scrollable pages with countless checkboxes pop up on almost every single website to ask the same basic question:

Do you consent to this website collecting your data?

We see it so often that it has become meaningless and few people ever actually read what they are consenting to. Be honest. How many times have you simply selected “Consent all” just to get rid of the box and get to the info you came for?

The truth is that many consent boxes are specially designed to make you do just that.

The vast majority of banners are made by consent management platforms (CMPs). These platforms often use tactics like a never-ending array of options, confusing language, pre-ticked boxes, or “Accept all” buttons with a larger font or a brighter color.

Some even disguise the acceptance with a “This website uses cookies” statement with a simple “I understand” option. Clicking that can often mean inadvertently giving consent without your knowledge.

Basically, the more difficult it is to bypass the GDPR window, the more people are inclined to give consent and move on. But the question we should be asking ourselves is: is it really consent if it is manipulated?

GDPR ignores users' wishes

Even when a website's cookie window does provide simple and meaningful options to its users, their choices aren't always respected.

One study showed that of 508 analyzed websites that provided users with an opt-out choice, 39 still stored a positive consent result, even after a user explicitly refused. Not only can the website collect, store and use the data, but so too can hundreds of third-party advertisers.
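A check for the stored-consent problem described above, as an added example that is not code from the original article or from the study. It assumes the site's CMP stores the choice as an IAB TCF v2 "TC string" (the article does not name a storage format); the function names and both sample strings are constructed for illustration.

```javascript
// Added example. Assumes the CMP stores consent as an IAB TCF v2 "TC string".
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
// Bit offsets inside the core segment of a v2 TC string.
const PURPOSES_CONSENT = { offset: 152, length: 24 };
const PURPOSES_LEGITIMATE_INTEREST = { offset: 176, length: 24 };

// Core segment (text before the first ".") decoded to a string of '0'/'1'.
function coreBits(tcString) {
  return [...tcString.split('.')[0]].map((ch) => {
    const value = B64.indexOf(ch);
    if (value < 0) throw new Error(`not base64url: ${JSON.stringify(ch)}`);
    return value.toString(2).padStart(6, '0');
  }).join('');
}

// 1-based purpose IDs whose bit is set in the given field.
function purposesSet(bits, { offset, length }) {
  const ids = [];
  for (let i = 0; i < length; i++) if (bits[offset + i] === '1') ids.push(i + 1);
  return ids;
}

// Audit the string a site stored after the user clicked "reject all".
function auditAfterRefusal(tcString) {
  const bits = coreBits(tcString);
  if (parseInt(bits.slice(0, 6), 2) !== 2) throw new Error('not a TCF v2 string');
  if (bits.length < 200) throw new Error('core segment too short');
  const consent = purposesSet(bits, PURPOSES_CONSENT);
  const legitimateInterest = purposesSet(bits, PURPOSES_LEGITIMATE_INTEREST);
  return { consent, legitimateInterest, refusalHonoured: consent.length === 0 };
}

// Constructed sample: version 2, every other field zero except the listed purposes.
// A real TC string also carries timestamps, the CMP id and vendor sections.
function sampleTcString(consentedPurposes) {
  const bits = Array(204).fill('0');
  bits[4] = '1'; // version field = 000010
  for (const p of consentedPurposes) bits[PURPOSES_CONSENT.offset + p - 1] = '1';
  let out = '';
  for (let i = 0; i < bits.length; i += 6) out += B64[parseInt(bits.slice(i, i + 6).join(''), 2)];
  return out;
}

const refused = sampleTcString([]);         // what a site should store after a refusal
const ignored = sampleTcString([1, 3, 4]);  // positive consent stored despite the refusal
console.log(refused, auditAfterRefusal(refused));
console.log(ignored, auditAfterRefusal(ignored));
```

The legitimate-interest field is reported separately because it is a different bit field from consent and has to be checked on its own.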

The rights of EU citizens under GDPR are being ignored by using the very regulation that is meant to protect them. GDPR is used to blatantly disregard users' intent with on-page content such as videos.

Technically, browsers have restrictions that forbid websites from autoplaying videos with sound when the user hasn't yet interacted with the page. Showing a GDPR banner forces the user to click on the page, which constitutes an interaction, unlocking the ability of the site to play a video with sound.

GDPR issues with cookies: They are not the only tracking tool

Let's say every website provides a nice and neat, easy-to-read, 100% compliant GDPR window and that you do actually take the time to reject every single cookie tracker on every single website you visit…

You would like to think that in this case, your data would be safe, right?

Think again.

One of the main GDPR issues is that it gives internet users a false sense of security and privacy. When they reject the cookies from the GDPR window, they believe they won't be tracked. But websites use other methods of tracking such as fingerprinting, which not even a VPN can block.

What is fingerprinting?

Fingerprinting, also known as browser or device fingerprinting, is a term used to describe an “invisible” process of collecting information on an internet user via their browser. The data is gathered to build a unique identity (aka fingerprint) of that individual user across remote devices.

While fingerprinting has been championed as a means to detect and prevent identity theft and credit card fraud, it also has a dark side that undermines the rights of EU citizens under GDPR.

Fingerprinting allows companies to get around the GDPR cookie blocks: it lets them compile records of individuals' browsing histories and deliver targeted advertising even when an individual has chosen to avoid tracking or has deleted their cookies.

Most people are not even aware that this process is being used, yet a study from 2020 found that more than a quarter of the top-10K websites are running fingerprinting scripts. Not taking digital fingerprinting into consideration is a massive GDPR failure that puts people's privacy at risk.
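Why a handful of ordinary browser attributes is enough to single out a visitor, and why deleting cookies does not reset the identifier, shown as an added example that is not part of the original article. The attribute names, the eight visitor records and the function names are constructed for illustration; the last step shows the defensive side, where a browser that reports a common value moves the visitor back into a larger anonymity set.

```javascript
// Added example. Attribute names and the eight visitor records are constructed, not measured.
const FIELDS = ['userAgent', 'timezone', 'screen', 'language'];
const row = (userAgent, timezone, screen, language) =>
  ({ userAgent, timezone, screen, language, cookies: { uid: 'set-by-site' } });
const POPULATION = [
  row('Chrome/104 Windows', 'Europe/Berlin', '1920x1080', 'de-DE'),
  row('Chrome/104 Windows', 'Europe/Berlin', '1920x1080', 'en-GB'),
  row('Chrome/104 Windows', 'Europe/Paris', '1920x1080', 'fr-FR'),
  row('Chrome/104 Windows', 'Europe/Berlin', '2560x1440', 'de-DE'),
  row('Firefox/103 Linux', 'Europe/Berlin', '1920x1080', 'de-DE'),
  row('Firefox/103 Linux', 'Europe/Paris', '2560x1440', 'fr-FR'),
  row('Safari/15 macOS', 'Europe/Paris', '2560x1440', 'en-GB'),
  row('Safari/15 macOS', 'Europe/Berlin', '1920x1080', 'en-GB'),
];

// 32-bit FNV-1a over the attribute values in a fixed order; cookies are never read.
function fingerprint(visitor) {
  const canon = FIELDS.map((f) => `${f}=${visitor[f]}`).join('|');
  let h = 0x811c9dc5;
  for (let i = 0; i < canon.length; i++) {
    h = Math.imul(h ^ canon.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// How many visitors share this visitor's values for the given fields (the anonymity set).
function groupSize(population, visitor, fields) {
  return population.filter((v) => fields.every((f) => v[f] === visitor[f])).length;
}

// Identifying information in bits: -log2(share of the population in the same group).
function bits(population, visitor, fields) {
  return -Math.log2(groupSize(population, visitor, fields) / population.length);
}

function report(population, visitor) {
  const perField = Object.fromEntries(FIELDS.map((f) => [f, bits(population, visitor, [f])]));
  return { id: fingerprint(visitor), perField, combined: bits(population, visitor, FIELDS),
    anonymitySet: groupSize(population, visitor, FIELDS) };
}

const target = POPULATION[3];
const cleared = { ...target, cookies: {} };             // the user deletes their cookies
const normalised = { ...target, screen: '1920x1080' };  // browser reports a common screen size
const withNormalised = POPULATION.map((v, i) => (i === 3 ? normalised : v));
console.log(report(POPULATION, target));
console.log('same id after clearing cookies:', fingerprint(cleared) === fingerprint(target));
console.log('anonymity set after normalising:', report(withNormalised, normalised).anonymitySet);
```

No single attribute narrows the target to fewer than three of the eight visitors, yet the four together leave an anonymity set of one.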

To sum up... all these GDPR issues make it a farce

The myriad GDPR issues make it an ineffective data protection tool. The banners are either designed to be ambiguous so as to manipulate users into giving consent, or they blatantly violate the law by offering no way to reject all or by simply ignoring users' choices.

Although there have been fines for GDPR violations, there are hundreds of websites slipping through the net every day, taking your data with them. Plus, its current scope doesn't even take digital fingerprinting into consideration, meaning the rights of EU citizens under GDPR are not protected at all.

Instead of trusting companies and third-party advertisers, consumers are seeing the light and turning to privacy tools and anti-tracking technology. Ad blockers, VPNs, privacy-focused email providers, and browsers are becoming more popular as they fill the gap that GDPR so sorely leaves behind.

But with the web landscape changing, that gap is only going to widen. If GDPR is failing us in web 2.0, then what hope do we have in web 3.0 and the Metaverse?

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
