Ever since the GDPR (General Data Protection Regulation) came into force in 2018, people in the European Union have stronger privacy and data protection. However, the law is far from perfect – and big tech companies, industry lawyers and lobbyists made sure to use every tool in their arsenal to either circumvent GDPR provisions (by misinterpretation) or to influence public opinion about the law so that consumers don’t blame them for violations, but the GDPR itself. Over the past few years, this has led to a number of misconceptions about data protection and the GDPR in particular. Therefore, in honour of this year’s Data Protection Day, noyb is clearing up 5 of the most common misconceptions.
1. The GDPR forces companies to use cookie banners
This is incorrect. The GDPR doesn’t force websites to use cookie banners. Instead, companies are required to obtain your explicit consent if they want to track your online movements. Typically, this is done to show you personalised advertisements based on your interests. Companies chose to ask for your consent with cookie banners and are often blaming the GDPR for it.
But that’s not all: To maximise consent rates – and therefore profit – many websites use intentionally misleading and deceptive cookie banners that make it (near) impossible to refuse or withdraw consent.
So, the next time you see a cookie banner, remember that they don’t exist because of the GDPR, but because a company wants to profit off your personal data.
2. Companies need to fear sanctions by the data protection authorities
Unfortunately, data protection authorities (DPAs) only resort to strict enforcement measures in exceptional cases. A noyb analysis of DPA activity between 2018 and 2023 showed that only 1.3% of cases result in a fine. The Irish DPC, which is responsible for most major tech companies (Meta, Google, Apple, OpenAI, Microsoft and many more), even issues fines in only 0.26% of the cases that it handles. And even if the Irish DPC issues a fine, it hardly ever collects the money, as media reports show.
We know from our almost 900 cases that proceedings are often dragged out over several years, only for the company to be let off with a warning. In some cases, a DPA has even switched roles to consult the company that violated data protection law. For example: In 2024, noyb took the Hamburg DPA to court due to discrepancies in a Pay or Okay case against the German news magazine SPIEGEL. During the proceedings before the authority, the Hamburg DPA was in close contact with SPIEGEL. Instead of investigating and deciding impartially, it met with representatives of the company several times, invited them to its premises and provided feedback on the proposed changes to their Pay or Okay implementation. For the administrative costs of the procedure, the Hamburg authority charged SPIEGEL € 6,140. Cheaper than virtually any lawyer.
All in all, it is – unfortunately – a misconception that companies need to fear serious consequences by data protection authorities for violating the fundamental right to data protection.
3. Advertising needs to be personalised, otherwise no one would buy it and the ad industry would go bankrupt!
The advertising industry’s claim that it NEEDS to track you across the internet and plague you with misleading cookie banners to stay in business is more than controversial. In fact, there are many alternative ways to monetise a website, such as contextual advertising, product placement, paid content or freemium models where certain content is only available for a fee.
Even scientific studies raise doubts about the profitability – and therefore the necessity – of ad tracking as claimed by the ad industry. A US study from 2019 shows, for example, that the use of personal data only increases a website’s revenue by about 4%. “This corresponds to an average increase of $0.00008 per advertisement”, the study concludes.
But there are even more extreme examples: The Dutch public broadcaster NPO even reported an increase in income once it had abandoned targeted advertising.
This makes it clear that there are alternative solutions to companies tracking you across the internet.
4. The GDPR interferes with the freedom to conduct a business
No, it doesn’t. The freedom to conduct a business as set out in the EU Charter of Fundamental Rights clearly states that you have the “freedom to conduct a business in accordance with Union law and national laws and practices”.
This means that companies must follow the law, no matter if it concerns taxation, environmental protection – or data protection and privacy. There is no fundamental right to conduct a business overriding a company’s legal obligation, even though a lot of corporations would love that.
In addition, the freedom to conduct a business actually means that you are allowed to pursue an economic activity. You are free to become a pharmacist, for example, and it is not necessary that one of your parents was a pharmacist. Of course, a pharmacist also has to follow the law. The same goes for big tech and other companies.
5. People are abusing their Right of Access and flood companies with access requests
Despite the Right of Access under Article 15 GDPR being essential for retaining at least a little control over your personal data in the digital age, some companies are rallying against it, claiming that it would require a “disproportionate effort”. Such lobby claims even made it into a German position paper, where access requests were described as increasingly being "misused".
However, reality doesn’t support this claim. The law already contains safeguards to prevent abuse: According to Article 12(5) GDPR, companies can charge a reasonable fee or even reject requests if they “are manifestly unfounded or excessive, in particular because of their repetitive character”.
On top of that, the vast majority of companies operating in the EU do not work in such a data-intensive manner that they receive a lot of access requests. As part of a (soon to be published) noyb survey, 73.3% of Data Protection Officers (DPOs) said that the Right of Access creates little to no work. Meanwhile, larger companies often just ignore consumers’ access requests or withhold parts of the information that people are entitled to by law. The advertising broker Xandr (a Microsoft subsidiary), for example, reported an astonishing 0% response rate to access and erasure requests in 2022.
Also, most major tech companies have by now implemented some sort of automation tool that allows them to fulfil GDPR access requests on a mass scale, usually via a “download your information” tool – but still don’t provide you with all your data.
In other words: companies have the means to deal with access requests without significant workload. They just don’t want to give you access to the processed information.
6. Bonus misconception: with billions of euros in fines imposed, noyb must be rich!
Of course, noyb does not receive any of the fines imposed by the data protection authorities. When a DPA collects fines, the money goes into the state budget of the country in which the authority is based (or in Spain to the data protection authority directly).
noyb's work towards a more privacy-friendly future is only possible thanks to our 5,400 supporting members. If you also want to contribute to our cause, you can learn more about our memberships here. You can also reach us at info@noyb.eu if you have questions.