Digital Consumers Guide to GDPR: What You Should Know about EU Data Privacy Regulation

GDPR will ensure that technology companies behave with user data.

Digital consumers have spent many an hour wondering just how much companies such as Facebook and Google know about their personal lives.

Some have also thought about what these technology companies do with their data.

But the more important question is who else, apart from these companies, can access their customers’ sensitive and personal data.

All of these questions don’t really matter in the end.


Because technology giants have little to no interest in giving straight answers to any of these questions.

Even worse, these companies don’t even like to answer simple questions.

Simple questions like why users are seeing the ads that these companies are showing them via their online platforms.

Come May 25 though, it is all but guaranteed that the balance of power will definitely shift in the direction of the digital consumer.


Well, we’ll talk about the how in a moment.

But for now, online consumers should thank a particular European privacy law.

This law will ensure that there are some meaningful restrictions on how these technology companies collect and handle their users’ personal data.

That rule goes by the name of GDPR.

In other words, General Data Protection Regulation.

The law focuses on quite a lot of things.

To start off it wants to ensure that online consumers know how technology companies store their data.

It also wants people to understand the data collection process.

And then it focuses on consumers giving consent to companies collecting data about them.

Under the new General Data Protection Regulation no amount of fine print on policy pages is going to suffice.

Not anymore.

Technology companies will have a tough time in forcing users to just go ahead and click the YES button in order to use or sign up for their online services.

What will we see instead?

Well, under the new law, technology companies will have to tell everything about how they collect and use their consumers’ personal data in a concise and clear manner.

But what type of data are we talking about here?

We’re talking about data such as the user’s,

  • IP address
  • Location data
  • Home address
  • Full name
  • Any other type of identifier that a technology company can use to track app and web usage on the user’s smartphone device.

GDPR will force technology companies to spell out the reasons why they want to collect the data that they want to collect.

They will also have to disclose whether they will use the consumer data to create a profile about them and their online actions.

Not to mention, habits.

Additionally, with the new law in place online consumers will be able to take advantage of a new right.

This right would allow them access to all the data that technology companies collect and store about them and their online activities.

GDPR will also give online consumers the right to go ahead and correct any type of inaccurate information about them.

They will also have the right to restrict and/or limit how technology companies would use that data to make decisions about them with the help of algorithms and all other techniques.

The new GDPR rule will protect online consumers in a total of 28 member countries.

Needless to say, all of these countries belong to the European Union.

Readers need to know that even if the consumer data that these technology companies collect is processed somewhere other than the European Union, the law will still protect them.

What does that mean for the end-user exactly?

Well, it means a lot of things to a lot of people.

Popular publishing platforms such as WIRED will definitely come under GDPR.

So will a lot of universities and banks.

You can bet that the new GDPR law will affect most of the Fortune 500 companies.

GDPR will also put restrictions on the whole of the alphabet soup that has become the list of ad-tech companies.

These are the same companies that track users across the entire web.

Some of these companies not only track users online but they also track them via their devices and their apps.

GDPR will definitely hit all the tech giants in Silicon Valley.

Let’s take a look at an example of how GDPR will affect different companies.


If you go to the official website of the European Commission (which is the European Union’s legislative arm), you can read for yourself that the law will require all types of social networks to comply with any user request to delete photos that the user posted when he/she was a minor.

Moreover, social networks will have to inform all search engines and all the different websites which make use of such photos that they should remove the user’s photo as well.

The European Commission also mentioned that the law would allow a car-sharing service to request a given user’s,

  • Name
  • Credit card number
  • Address
  • Potential information about whether the particular person has some sort of a disability

But car-sharing services cannot request information related to the race of the given person.

Under GDPR, the European Commission will apply stricter conditions on what type of sensitive data these companies can collect.

Sensitive data includes information regarding,

  • Sexual orientation
  • Political affiliation
  • Religion
  • Race

This is also a good time to mention that GDPR has already spurred, and contributed to, various modifications in the way technology companies collect and handle data.

The GDPR law will take a look at all the related practices as well.

For example, back in June of last year, the technology giant Google made the announcement that the company would cease to mine user emails via its online email service Gmail in order to personalize ads.

Google has already mentioned that its decision to do that had nothing to do with GDPR.

The company also mentioned that it did so solely for the purpose of harmonizing the business and consumer versions of its email service known as Gmail.

Back in September, the search engine giant (Google) started to offer a completely revamped privacy dashboard.

The company first launched the privacy dashboard back in 2009.

Google’s new privacy dashboard treated users to a much more user-friendly interface and easier-to-understand options.

In January of this year, the social media giant Facebook made an official announcement saying that it would also introduce a privacy dashboard.

But since making the announcement the company has not launched the privacy dashboard yet.

As mentioned before, the new GDPR law only applies to people living in Europe.

However, that hasn’t stopped these technology companies from making changes to the way they conduct their business globally.


Because as far as these companies go, it is much simpler for them to create one single system rather than try and come up with multiple different systems.

We have already alluded to the fact that the GDPR law will impact all the big technology players.

What we haven’t mentioned is that this new GDPR law will impact companies and entities well past all these technology giants.

Back in March, an ad-tech online company by the name of Drawbridge said that it had made the decision of winding down its online advertising business as far as Europe was concerned.

Readers should know that Drawbridge’s main business was to track users and store their data.

And then sell it.

But why did Drawbridge close down its entire operation?

According to the company, it did not have a clear idea on how digital ad companies (the entire industry in fact) would manage to ensure the consumer’s consent.

Another data broker goes by the name of Acxiom.

It provides interested parties with information on a total of 700 million plus individuals.

The company has culled that amount of data from resources such as,

  • Vehicle registration
  • Purchasing behavior
  • Voter records

It also collects data from other sources that it has not mentioned publicly.

Recently Acxiom made the statement that the company would revise all its online portals that work in Europe and the US.

The company’s online portals are the places where online consumers can go and see what type of information Acxiom has collected about them.

According to chief data ethics officer at Acxiom, Sheila Colclasure, GDPR will find a lot of success in setting the tone for user data protection all around the globe for a considerable portion of the next decade or so.

So does the law go beyond these types of moves to restrict data collection?


It does.

The GDPR law places a very forceful emphasis on clear explanations, along with control and consent.

What most do not realize is that this could prompt online consumers to have a better understanding of the methods that companies use to survey them online.

This will also push them to reconsider some of their daily decisions regarding their online habits.

Meanwhile, privacy advocates and activists have already started to make plans to use the new GDPR law as a potent weapon in order to force alterations in the data-handling practices of corporations.

To put it another way, the new GDPR law represents a chance for the people to flip the industry’s economics.

Since the very beginning of what we all know as the commercial web, technology companies have had the proper financial incentives to vacuum up as much data as they can and then think of monetizing that data later.

But that will change thanks to GDPR.

This new law will enable EU online consumers to have the freedom of opting into such “data deals.”

Before GDPR (that is, since the dawn of the online web till now), technology companies made opting out the consumers’ own responsibility.

GDPR has laid enough emphasis on user consent.

And in the future, it will create an appropriate financial reward for technology companies to build consumer trust first and then make money later.

An associate professor of media design at The New School, David Carroll, recently mentioned that GDPR represented a genuine opportunity for online consumers to renegotiate the terms and conditions of online engagement between technology companies, the people and their data.

No longer will online consumers have to mindlessly click away technology companies’ terms of service agreements.

Carroll also mentioned that activists might also collect data which might form the firm basis of new types of investigations and methods to keep all types of technology companies accountable.

The whole community needs to feel the need for accountability and transparency as a more vital issue than any other.

There is no doubt about the fact that online consumers did not care much about the terms of service document before.

They just clicked on something they thought was impenetrable.

In all truth, most considered clicking YES to these terms as a no-brainer.

Online consumers gave more weight to the upsides of agreeing to the terms of services.

These upsides came in the form of incredible efficiency.

To them it seemed like the only downside to clicking yes was having to endure some annoying shoe advertisements which stalked them all around the online world.

However, that has changed now.

The past 12 months alone have shown the questionable ways technology and marketing companies can make use of the personal data and turn that data into a weapon.

We have also seen evidence that technology and advertising companies have used this weapon to suppress certain sections of the population.

Certain sections like minority voters.

Not only that, but companies have used the same data to radicalize youthful white men and have exploited political leanings in order to sow division.

Most (especially in the US) think that bad state actors used the same personal data to possibly swing US elections as well.


Wolfie Christl, a researcher, recently published a white paper.

He titled his white paper “Corporate Surveillance in Everyday Life”.

In the white paper, the researcher made use of various diagrams to show how companies used personal data to influence user behavior.

Using the same data, companies also determined the type of product that the user would see and which services that the user had access to.

Exploiting more personal data, companies also came to know what kind of prices the user would pay in all areas from banking to shopping.

Christl also mentioned that every time the user clicked on something, these advertising and technology companies tried to determine whether the person who performed the click represented a valuable person or a person who was worthless.

Wolfie Christl also showed all the sources of personal information that these companies tapped in order to assemble detailed profiles on online consumers.

The EU had already established most of the user data rights that GDPR is now promoting.

But the problem was that the EU did not enforce them.

GDPR has successfully managed to standardize user data rights.

And it has done so for all online consumers living in EU countries.

The new GDPR law has empowered regulators.

It has done so with the same old big stick.

Along with that, it has given the law slightly sharper teeth as well.

Entities that violate the GDPR law will have to face fines that may reach up to, but are not limited to, 4 percent of their global annual revenue.

That may not seem like a lot.

But get this.

For a technology giant like Google that 4 percent would mean a fine of $4.4 billion.

And for a social media giant like Facebook, that fine will reach $1.6 billion.

No one should find it surprising that the new GDPR law has its fair share of loud detractors.

Critics of the new GDPR law have dismissed the new law as EU’s way of encouraging more protectionism.

In the past, the EU has consistently challenged United States technology platforms on various privacy and antitrust grounds.

Critics say that it has done so with pretty expensive consequences.

Then they make the argument about all the related costs.

Colclasure, who works for the data broker company Acxiom, has called the online data gathering industry the real backbone of free knowledge and free content that users get online.

She recently also said that online consumers would either hit a big paywall everywhere online or they will have to support these free websites with ads.

With that said, it is also true that the new GDPR law isn’t without its due loopholes.

For example, the new GDPR law allows businesses, online and otherwise, to collect and process users’ personal data without their consent, but only for limited reasons.

These reasons include entries such as “the business’s genuine and legitimate interests.”

The European Commission has come out and said that these “legitimate interests” would include direct marketing via methods such as,

  • Online advertisements
  • Email
  • Mail

With that said, even if technology and advertising companies try to take advantage of such loopholes, they will still have to take into account their online consumers’ new expectations of how they handle their data and use it.

Consumers now would not allow these companies to infringe on various other kinds of consumer rights that GDPR has guaranteed them.

As far as the digital realm is concerned, consumers in the European Union can also lean on the added protection of another special and less talked about companion set of rules.

These rules, in their entirety, are called the ePrivacy Directive.

Under EU law, these rules basically govern all types of electronic communication.

The other thing that should be mentioned here is that under the ePrivacy Directive rules, consent is the one and the only legal basis for companies to collect user personal data.

These rules still have not been ratified into EU law.

But they are in the process of becoming law.

David Martin, a senior legal officer at a European Commission Organization (an umbrella group that consists of a total of 43 consumer groups), recently said that lobbyists working for technology companies were hard at work to influence the existing guidelines which were used to interpret GDPR.

These lobbyists were also trying to weaken the language used in the ePrivacy Directive.

Technology companies need to understand that avoidance, especially now, is not an option anymore.

Back in 2017, the social media giant Facebook’s revenue in Europe on a per-user basis grew around 41 percent from the previous year.

In monetary terms, it increased to around $8.86.

Readers should know that the social media giant did not see such a fast rate of revenue growth per user in any other region.

The deputy chief privacy officer at Facebook, Rob Sherman, talked to WIRED recently.

In a statement, he said that everyone using Facebook would have the opportunity to see all the improvement the company had made to its tools and privacy controls.

Users would see them as early as this year.

He also said that in addition to new rules such as GDPR, the company had started to look at various other things across the entire board to observe how it could provide users with more control.

The company, according to Rob, wanted to help users understand how the company used their personal data.

WIRED also contacted Google for a comment and the search engine giant directed the publication to its official 2017 blog post.

In that blog post, Google mentioned that the company had a commitment to comply with new rules such as GDPR across all of its online services that it provided to users in Europe.

These services included Gmail and Google search along with the company’s various measurement and advertising services.

Most privacy activists believe that laws like GDPR will help to unlock the data that privacy groups need in order to force other kinds of amendments.

New laws have always given results.

Max Schrems, a privacy activist and Austrian lawyer, filed a lawsuit against Facebook back in 2013.

That lawsuit led to a new ruling.

The ruling struck down the agreement that technology companies call Safe Harbor.

Technology companies used this agreement in order to transfer user data between Europe and the US.

Max’s case is still pending though.

As alluded to earlier, GDPR’s approach to user data has emboldened many privacy advocates.

And those advocates include Max Schrems.

Seeing the new GDPR rules, Max Schrems launched None of Your Business.

It is a non-profit that Schrems founded in November of last year.

The non-profit would use the new GDPR law in order to confront technology giants such as Google, Facebook, and Co.

None of Your Business will take the help of a team consisting of motivated and highly qualified IT experts and lawyers.

The group recently said that GDPR would allow it to fight tech companies on an equal footing.

The cofounder of and a mathematician, Paul-Olivier Dehaye, recently made use of a UK data protection law in order to successfully help several individuals access their personal information that Cambridge Analytica processed.


Cambridge Analytica is the same controversial firm that was behind the notorious data breach which affected a total of 50 million-plus Facebook users.

Paul-Olivier believes that rules such as GDPR would help him to pry out even more information from such unscrupulous firms.

Ultimately, GDPR’s total impact would rest on consumers and how aggressively they would wield their new data protection rights.

If recent trends are anything to go by, then an increasing number of online users are showing interest in online privacy.

That is the reason why the use of tools such as VPN services and ad-blockers has grown exponentially in countries such as the United States of America and elsewhere.

Various corporations that have previously shown interest in user privacy have responded well to new user demands.

For example, Mozilla recently launched its private mobile web browser Firefox Focus.

Back in September of last year, Apple successfully upgraded its Safari web browser with the addition of a tracking prevention feature.

A principal analyst working for Forrester, Fatemeh Khatibloo, feels that the eventual end result would lead everyone to adopt data-collection practices which are more progressive.

She also said that it would shock consumers if they found out the number of ad servers, trackers, and cookies firing on a single web page that they visit on a regular basis without much care.

Khatibloo conducted a UK consumer survey back in August and found out that around 51 percent of all respondents mentioned that they had planned to at least somewhat exercise some of their new data rights under the new GDPR law.

These respondents cited data deletion as the most common example.

Khatibloo mentioned that people in the UK at least felt that they had the power to punish these technology companies which exercised aggressive and/or invasive data collection policies by requesting these companies to delete their data and/or information on their platforms.

Even with that, Khatibloo is somewhat skeptical that GDPR would manage to spook online consumers of various popular online services.

She recently mentioned that online consumers understood the real value that they derived by exchanging their personal data for free online services.

Moreover, these users don’t want to interrupt their online experience.

According to Khatibloo, GDPR indeed shed a relatively bright light on various kinds of data machinations that people still had no awareness of.

However, she doesn’t think that Facebook would have to face a huge reckoning anytime soon.

Because of GDPR, we are likely to see a major turn in how technology and advertising companies ask users for their consent.

Last year, in September, a company that helped publishers deal with those “pesky” ad blockers, PageFair, conducted its own survey.

In the survey, the company presented online consumers with various choices to make regarding tracking.

The company gave these online consumers options such as “reject all tracking unless and until tracking had become strictly necessary for the requested online services” and “only give consent to first-party online tracking”.

PageFair surveyed 300 online consumers.

The percentage who consented to all types of online tracking came to only 5.

Criteo, a marketing firm, said that the company now aimed for techniques which did not cause much intrusion.

Back in January, Digiday, an online trade magazine, published a Criteo consent interface sample.

Digiday reported that Criteo had already started to test the sample.

The sample featured a small pop-up banner which appeared at the very bottom of a webpage.

Criteo’s banner told online consumers that by clicking on any given link on the given webpage, they basically gave their consent to Criteo to use cross-site and user-friendly tracking technology.

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.

2 thoughts on “Digital Consumers Guide to GDPR: What You Should Know about EU Data Privacy Regulation”

  1. I think even with GDPR VPN service popularity will still be growing. Maybe it even will push people to think about their security online one more time and that will do an impact of buying a vpn just in case. I’m personally using NordVPN for few years, mainly for security reasons. It’s good to know no one is keeping your personal data and maybe sharing it with third parties. It’s not expensive and everyone can use it, so why not? I have a coupon code save75 as a loyal member, maybe for someone it will be helpful.

    • Thank you for the comment Frances Payne.
      Our research says that IPVanish is the best but NordVPN is a good option as well.
      Whether or not GDPR stops companies from selling user data without permission, one should always use a VPN service.
      It does so much more than just secure user data.
