GDPR celebrated its first anniversary this week with a flurry of new data privacy regulations on the way, including the California Consumer Privacy Act, called “GDPR-lite” or “California GDPR.”
One year later, the effectiveness of GDPR is debatable, company compliance is confusing and bureaucratic, and consumers are drowning in a tidal wave of privacy pop-up notices.
As Laura Jehl, a partner at law firm BakerHostetler, put it,
“I’m kind of a conscientious objector to the notice and consent model. It’s offloading too much responsibility to the individual … If you have a job, or kids, or hobbies, or a life, you can’t do that, keeping track of all that. It would be a full-time job to protect your privacy in a notice and consent model.”
This is causing a phenomenon of “consent fatigue”, where consumers are playing whack-a-mole with consent notifications without taking time to understand them. Rather than giving power to consumers, the current model is blinding them to what data privacy even means. It’s easiest to just click “Accept” and move on.
Marketing Week reported research last week that 46% of consumers don’t think GDPR has made any difference at all in their experience with companies using their data. Nearly a fifth believe that their experience with brands has actually gotten worse.
This will continue to be a tricky time for everyone to navigate data privacy and user experience. Buckle up.
Here are a few related cartoons I’ve drawn over the years:
“State of User Experience Design” January 2019
“Marketing Data and GDPR Compliance” October 2017
“Marketing with Personal Data” May 2014
John Brooker says
Totally agree with this. GDPR has had no positive effect. I spend my life working through policies that are clearly set up to make it difficult to refuse, so I abandon them. I seem now to get even more spam than usual, though luckily trapped.
Tim Walters says
Another great cartoon, Tom. But it’s a comment on the current awful state of GDPR “compliance,” rather than a comment on the GDPR as such. The GDPR is precisely designed to avoid the consumer confusion that you illustrate. Indeed, contrary to the quote from Laura Jehl, the GDPR has nothing to do with the established practice of “notice and consent” — i.e., in which visitors are referred to T&Cs that they never read, and are assumed to have granted consent by then using the site. The GDPR’s requirements for information to be clear, easily understandable, and presented “separately from other matters,” and for consent to require an “unambiguous act,” aim at the opposite of the established notice and consent model. The obvious fact that very few organizations have achieved such clarity and unambiguous consent is due to faulty responses to the GDPR. DPA decisions such as the French finding against Google and the Dutch stricture against “cookie walls” point the way to a proper user experience under the GDPR — we simply haven’t yet been offered it by many data controllers.