At first glance, the European Union’s (EU) General Data Protection Regulation (GDPR), which took effect in 2018, is a regulation that focuses on protecting consumer privacy by mandating procedures for websites collecting and managing user information. But survey data collected after the passage of GDPR reveals that it may have been detrimental to continuously improving user experience.
The impact of GDPR has gone much further than changing protocols for website hosts. An analysis of the 2017 and 2019 waves of the CIGI-Ipsos international survey on attitudes towards the internet reveals that EU members might end up with slower improvements to UI (user interface) and UX (user experience) than much of the world, due to the unintended, real-world consequences of adopting privacy regulation as restrictive as the GDPR. For the purposes of this comparison, all countries that appear in the survey and fall under GDPR jurisdiction are labeled as GDPR. All other countries are labeled as ‘world.’
Figure: Self-reported difficulty using the internet for daily tasks, before and after GDPR.
Across the above metrics, many more non-GDPR residents reported an easier internet experience. If the label “easier” can be used as a proxy for improvement of content usability, then we may conclude that usability is increasing faster in many parts of the world than it is within GDPR-regulated countries. GDPR countries showed some improvement between 2017 and 2019, but it was not as drastic as it was for the rest of the world.
GDPR may be slowing down user experience improvements, but why would privacy legislation matter for daily internet activities?
The reshaping of digital interfaces to comply with GDPR has detrimental effects on both companies and end-users. Specifically, SMBs (small and midsized businesses) and startups suffer more because they lack the resources and staff to upgrade their systems and interfaces to comply with the law while maintaining daily operations. Some companies have shut down their services within the EU altogether because of concerns about compliance with the GDPR.
GDPR also may limit the accessibility of foreign content by European audiences, since many international firms simply do not have the resources or market incentives to adhere to the regulations. Two months after GDPR went into effect, 30% of the most popular U.S. news websites were forced to block access to the EU due to their inability to comply with the GDPR requirements, and some of these websites are still not available. The list included Pulitzer award-winning publishers like The Chicago Tribune.
These examples of domestic and international businesses eschewing the European market because of GDPR should not surprise those who are familiar with the law, as penalties are quite extreme for those who fail to comply with the regulation. For example, companies that fail to comply with GDPR may be fined up to 4% of global sales or 20 million euros, whichever is higher.
Europe's situation is not without hope: policymakers can still look to reform GDPR to be more business- and user-friendly. As states across the U.S. draft privacy regulations and talks about national data privacy legislation begin to grow, GDPR's unintended outcomes should not be ignored. The European experience should be further analyzed in order to find a balance between reasonable protection of American privacy and our ability to use the internet now and in the future.