Skip to Main Content

Despite tightened data protection laws, websites still collect mountains of user data

The recent General Data Protection Regulation (GDPR) aims to protect surfers against data collectors. A noble objective indeed – but hardly anyone’s sticking to the rules, as revealed by a recent investigation.

Practically every website spies on its visitors, allowing data collectors to build detailed personal profiles. The European Union says things can’t go on as they are, and that data protection must be fundamentally overhauled. The GDPR, which entered into force at the end of May 2018, is intended to be a step in the right direction to achieving this. Yet the new regulation is having zero impact, as a current investigation by data-protection experts eBlocker shows.

Ambitious aims with little impact

One of the cornerstones of the GDPR is that users must give their express consent to the processing of their personal data, unless it is in the legitimate interest pursued by the operator. Before this, silence constituted consent. The German data protection supervisory authorities are therefore calling on site operators and online services to first seek the user’s consent when processing personal data. This is why you now see those special notice boxes informing you about data protection or privacy on practically every website you visit. Under the regulation, objecting is just as easy as consenting. For example, in an ideal world there would be a simple choice between “Yes, I consent to the processing of my data” or “No, I do not consent”.

However, this isn’t how things look on many websites. A random investigation by eBlocker experts of the 10 biggest companies by revenue on the German stock market (Volkswagen, Allianz, Daimler, Deutsche Bank, Siemens, E.ON, Metro, Deutsche Post, Deutsche Telekom, BASF*) showed that only E.ON meets the supervisory authorities’ requirements.

Objecting to data collectors is as complicated as ever

When it comes to the other companies (just like most other websites), this is common:

  • Consenting to data collection is a breeze. This either happens automatically by closing the data protection notice or by clicking Agree, Next, Accept, or something like that. If you ignore the notice, you consent automatically to data collection using trackers and cookies.
  • By contrast, the process of objecting to data collection ranges from complicated to downright impossible. This is because of a complete lack of a “No, I do not consent to data collection” button (or similar).

This means visitors then need to hit the “Additional information” button or such like, pick through the site’s data protection declaration – which can often run into several pages and be steeped in legal jargon – and object to the use of trackers one by one. And to top it all, you also often need to install additional programs which are unavailable for many devices, such as Apple iPads. Christian Bennefeld from eBlocker cannot believe it: “I was cautiously optimistic that the GDPR would make it easier to defend yourself against data collectors. However, things are practically just as bad as before. The GDPR turns out to be a toothless tiger that the biggest companies with the best legal advice don’t fear.”

In short: Things have hardly improved

Summing up, the random investigation shows that the ambitious aim of the GDPR has failed for now to put a stop to the reams of notices that hardly anyone reads and which they just let slide. The demand from the legislator for “informed consent” – which everyone understands without having to read through mountains of text and which can be given really easily with a single click – is still the absolute exception to the norm.

* As at 12.12.2018


This post is also available in: GermanFrenchItalian