The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

    We give you a GDPR update

    Updated February 15, 2020.

    One year has passed since the European GDPR (General Data Protection Regulation) came into effect on May 25, 2018.

    A helicopter view of the situation a year later reveals both challenges and promises to its enforcement and effects.

    Here is a GDPR anniversary update!

    Reminder: What is the GDPR?

    The GDPR, or General Data Protection Regulation, is an EU law that regulates how companies, organizations and other entities handle personal data. Its jurisdiction is global, because it requires everyone who deals with the data of an EU citizen to abide by its rules and regulations.

    The GDPR empowers Europeans to control what data they wish to share, and it enables them to request that their collected data be deleted.

    Read about the GDPR in further detail here.

    Read the official GDPR law text here.

    GDPR awareness amounts to 67% of EU citizens

    Special Eurobarometer from the EU Commission available here.

    If you have a website, you most likely have cookies and tracking technology operating on your site, and you are therefore required by the GDPR to comply with its rules.

    This includes:

    • obtaining clear and unambiguous consent from your users,
    • prior to any processing of personal data,
    • after specifying all types of cookies and other tracking technology present and operating on your pages,
    • in easy-to-understand ways that enable users to consent and to revoke consent for each specific category of cookies,
    • being able to safely and confidentially document each user consent,
    • renewing consent annually. However, some national data protection guidelines recommend more frequent renewal, e.g. every 6 months. Check your local data protection guidelines for compliance.

    Unsure whether your website is GDPR compliant? Test it with the free compliance test from the Cookiebot consent management platform (CMP).

    Try Cookiebot CMP free for 30 days… or forever if you have a small website.

    If you have a website that provides services to the EU, you are legally bound to be compliant with the GDPR.

    This means that you must follow its requirements for how to handle user data and personal information.

    Using consent management software like Cookiebot CMP can make you 100% GDPR compliant.

    Sign up and try for free today.

    GDPR enforcement overview

    One year into the enforcement of the GDPR, we are slowly beginning to see its impact.

    GDPR enforcement in year one of the law

    While fines have been slow to ramp up against companies and businesses who violate the GDPR, its effects can also be seen on new privacy laws springing up around the globe, as well as its role as an instigator of public privacy discussions.

    How can the GDPR be enforced?

    The GDPR can be enforced in various ways, ranging from:

    • warnings,
    • fines of up to €20 million or 4% of annual global revenue, whichever is higher,
    • data protection inspections directed by the EU Commission,
    • temporary or permanent restriction of an entity’s ability to process and/or collect data,
    • to a ban on operating in the European Union.

    So far, the most common GDPR enforcement has been warnings and fines.

    Common types of GDPR complaints

    GDPR fines in Year One

    The sum of GDPR fines one year into its enforcement amounts to approximately €56.000.000, according to the IAPP.

    The average GDPR fine has so far been approximately €70.000, according to the London-based accounting firm Ernst & Young.

    Infographic of GDPR enforcement in the EU

    GDPR enforcement in numbers (infographic by IAPP).

    Most of the GDPR enforcement cases so far have been discretionary, i.e. they have been imposed on a case-by-case basis.

    The fines differ based on which articles of the GDPR a company violates: if it violates its own obligations it will be subject to lower-level fines, whereas violations of individual privacy rights will be subject to higher-level fines.

    Germany, Poland, Denmark, Austria and Portugal are among EU member states that have fined companies or organizations for GDPR violation in this first year.

    France leads the GDPR enforcement in Year One

    The French data protection authority CNIL can rightly be called the leading watchdog of GDPR when it comes to both enforcement and guidance so far.

    CNIL received over 11.000 complaints in 2018 – an increase of 32.5% from the year before – and a large percentage of the complaints have centered on the GDPR-introduced right to request deletion of personal online data. The French DPA has also been exemplary in guiding companies in GDPR compliance, as well as advising government legislation.

    The largest monetary enforcement of the GDPR yet also emerged from CNIL on January 21, 2019, when the French data protection authority levied a €50 million penalty against Google for three separate GDPR violations – lack of transparency (Article 12), inadequate information (Article 6) and lack of valid consent regarding the ads personalization (Article 7).

    The €50 million fine was the result of an investigation launched on the basis of two group complaints by the privacy associations None of Your Business (noyb) and La Quadrature du Net (LQDN), who accused Google of violating the GDPR regarding the processing of personal data, particularly in the case of personalized advertisements.

    “For the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law”, said the chairman of noyb Max Schrems.

    These complaints were put to the French DPA on May 25 and 28 of 2018, that is, on Day One and Day Three of the enforcement of the GDPR. That it took CNIL six months to investigate and enforce tells us something about the timeframe of larger GDPR enforcement cases… and might hint at much larger enforcement actions to come.

    GDPR fines distributed across the EU

    IRELAND, a challenge and a promise

    Technically, Ireland has the singular role of being the GDPR’s lead regulator.

    Why, you might ask?

    Well, because a provision in the GDPR specifies that the lead regulator is the country that houses a tech company’s data controller, and because Ireland is the European headquarters for many big tech companies such as Facebook and Google (who enjoy lax tax arrangements from the Irish government), Ireland has the responsibility of leading the enforcement of the GDPR against the industry’s biggest players.

    Both the German and French DPAs have expressed their frustrations over the Irish DPA’s lack of enforcement.

    Ireland is a tax haven for GDPR non-compliant companies
    Ireland has courted tech companies for years with low corporate taxes.

    However, the Irish DPA revealed recently that their office plans to announce enforcement actions this summer, adding that they currently have 51 large-scale privacy investigations open, 17 of which involve tech companies like Twitter, WhatsApp, Instagram, LinkedIn and Apple, while 7 cases specifically involve Facebook.

    On May 22, 2019 – three days short of GDPR’s birthday – the Irish Data Protection Commission (DPC) announced a comprehensive investigation of Google’s DoubleClick company (in the meantime rebranded as Authorized Buyers) for “suspected infringement” of personal data processing. The probe was triggered by a formal complaint from Dr. Johnny Ryan, Chief Policy Officer at Brave, the private web browser.

    This investigation could lead to severe fines against Google, or even worse for the company: a complete prohibition of using personal data in its advertising system. The GDPR is showing teeth indeed.

    A year into the enforcement of the GDPR we’ve mainly seen smaller fines, but we have now begun to see larger and larger investigations and fines on the horizon, precisely because the bigger enforcement cases against the biggest industry heavyweights take a long time to build and execute.

    This is why privacy experts say that they expect larger GDPR fines to be on the way.

    Other GDPR enforcement techniques

    The GDPR authorizes the national data protection agencies to be the chief enforcing bodies of the law. This means that national DPAs can fine companies (up to €20 million or 4% of their global revenue) or they can dictate how or what data companies can use in their business.

    The latter can be enforced, for example, in the case of a data breach where regulators deem a company negligent. In this case, they may issue an ultimatum for the company to either rectify the breach within 90 days or stop using the data that it has collected.

    Data breaches reported under the GDPR

    If a company relies on data collection as a core business model for profit, this could potentially be a bigger blow than a fine, however large.

    So far, there have been only two examples of such restrictions:

    • The Dutch DPA has prohibited the country’s tax authorities, since January 1, 2020, from using national identification numbers as part of their tax return number system.
    • The Maltese DPA temporarily prohibited its country’s national land register from processing data while it investigates the authority.

    GDPR as ripple initiator – privacy laws around the globe

    One year into the GDPR, we begin to see another of its impacts, one that has nothing to do with fines or enforcement but with legal change – what LinkedIn’s head of global privacy recently called “the GDPRization of laws across the world”, meaning that laws all over the globe are beginning to spring up and take shape with inspiration from the GDPR’s scope and strength.

    CCPA, California Consumer Privacy Act will take effect January 2020
    The California Consumer Privacy Act (CCPA) is the strongest privacy law in the US and took effect on January 1, 2020.

    Among the nations or states in the world that either have passed or are in the process of passing privacy laws are …

    • Brazil, whose LGPD entered into effect in August, 2020.
    • California, whose CCPA entered into effect on January 1, 2020.
    • India, whose PDPA (Personal Data Protection Act of 2018) has been drafted, but not yet implemented.

    Argentina, Israel, Chile and China are among other nations who are working on privacy laws and regulations.

    Public awareness of the ad tech industry and privacy

    When it came into effect on May 25, 2018, GDPR was a top Google search keyword, outnumbering both Beyoncé and the Queen of England. 

    It no longer is, but its mainstream reach is still felt. The GDPR has also fostered a public discussion about privacy that is still raging to this day.

    Awareness of data protection authorities

    Its date of effect a year ago more or less coincided with the revelation of the Facebook/Cambridge Analytica scandal, perhaps the biggest and most reported privacy crisis of last year, rivaled only by the digital interference by the Russian government in the US presidential election.

    Some of the biggest news outlets in the world have reported on the GDPR continually and privacy at large remains a big continuous topic, e.g. the NY Times with its article series titled The Privacy Project.


    What is the GDPR?

    The General Data Protection Regulation (GDPR) is an EU-wide law that governs the processing of personal data of individuals inside the European Union. The GDPR requires websites that use cookies and third-party trackers to ask for and obtain explicit consent from users before activating them to process their personal data.

    Learn more about GDPR and cookie consent

    What is valid cookie consent under GDPR?

    Valid cookie consent under the GDPR is a clear and affirmative action from users that unambiguously indicates their wishes. Consent banners on websites must have cookies deactivated by default with no pre-ticked checkboxes, so users actively select and activate those cookies and trackers they will allow to process their personal data.
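The consent requirements listed earlier in this article (consent per cookie category, revocable, documented, renewed annually) and the definition of valid consent above translate into a small, testable piece of front-end logic. The following JavaScript is an added example written for this page; it is not Cookiebot’s code nor any CMP’s API. The category names, the 12-month validity window and the sample tracker list are assumptions made for the example.

```javascript
// Added example (not Cookiebot's code): a minimal per-category consent record
// that fails closed, so nothing but strictly necessary cookies runs until the
// user has actively opted in. Category names and the 12-month renewal window
// are assumptions for this example.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_VALIDITY_MS = 365 * 24 * 60 * 60 * 1000; // renew at least annually

// Default state: no pre-ticked boxes. Only strictly necessary is on.
function defaultConsent(now = Date.now()) {
  return {
    version: 1, // bump when the banner text or category list changes
    recordedAt: now,
    choices: { necessary: true, preferences: false, statistics: false, marketing: false },
  };
}

// Record the user's explicit choices. Only a literal `true` counts as an
// affirmative action; undefined, "yes" or 1 leave the category opted out.
function recordConsent(choices, now = Date.now()) {
  const record = defaultConsent(now);
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown consent category: " + category);
    }
    if (category === "necessary") continue; // not user-toggleable
    record.choices[category] = value === true;
  }
  return record;
}

// Revocation returns a new record so the earlier one survives in the audit log.
function revokeConsent(record, category, now = Date.now()) {
  if (!CATEGORIES.includes(category) || category === "necessary") {
    throw new Error("cannot revoke category: " + category);
  }
  return { ...record, recordedAt: now, choices: { ...record.choices, [category]: false } };
}

// A record older than the validity window must be renewed before it counts.
function isConsentCurrent(record, now = Date.now()) {
  return Boolean(record) && now - record.recordedAt < CONSENT_VALIDITY_MS;
}

// The gate: may a tracker of this category run? False when there is no record,
// when the record has expired, or when the category was never opted in.
function mayLoad(record, category, now = Date.now()) {
  if (category === "necessary") return true;
  if (!isConsentCurrent(record, now)) return false;
  return record.choices[category] === true;
}

// Reduce a list of category-tagged scripts to the sources that may be loaded.
function gateTrackers(record, trackers, now = Date.now()) {
  return trackers.filter((t) => mayLoad(record, t.category, now)).map((t) => t.src);
}

// Documentation entry for the consent log: what was chosen, when, and under
// which banner version, keyed by a pseudonymous id rather than personal data.
function consentLogEntry(record, pseudonymousId) {
  return JSON.stringify({
    id: pseudonymousId,
    recordedAt: new Date(record.recordedAt).toISOString(),
    version: record.version,
    choices: record.choices,
  });
}

// Constructed sample inventory; the hosts are placeholders, not real trackers.
const SAMPLE_TRACKERS = [
  { src: "https://example.invalid/session.js", category: "necessary" },
  { src: "https://example.invalid/analytics.js", category: "statistics" },
  { src: "https://example.invalid/ads.js", category: "marketing" },
];

// Usage: a user ticks only "statistics"; the marketing script stays blocked.
const userRecord = recordConsent({ statistics: true }, Date.now());
console.log(gateTrackers(userRecord, SAMPLE_TRACKERS));
console.log(consentLogEntry(userRecord, "anon-123"));
```

The design choice worth noting is that every path defaults to "no": a missing record, an expired record, an unknown value, or an unrecognised category all leave the tracker unloaded, which is what "deactivated by default with no pre-ticked checkboxes" requires in practice.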

    Learn more about valid consent in EU

    Who enforces the GDPR?

    The GDPR is enforced by data protection authorities in each EU member country. Non-compliance can be fined up to €20 million or 4% of a company’s annual global turnover. The lead supervising body of the GDPR is the European Data Protection Board (EDPB) that is comprised of representatives from each national data protection authority.

    Learn more about GDPR compliance

    How can my website become GDPR compliant?

    Your website can use a consent management platform that is able to scan and detect all cookies and trackers, and then automatically control them so that users can give genuine consent to which of them they will allow to process their personal data.

    Try Cookiebot CMP free for 30 days for full GDPR compliance


    Try Cookiebot CMP for free to be GDPR compliant.

    Read about the GDPR in further detail here.

    Read the official GDPR law text here.

    Infographic of GDPR’s first year.

    The average fines of GDPR in its first year of effect, according to Ernst & Young.

    UK’s ICO and its 57 GDPR enforcement actions.

    List of biggest GDPR enforcement cases so far.

    Politico looks into the lack of enforcement by Ireland, the GDPR’s chief enforcer.

    The Facebook / Cambridge Analytica scandal in full view.

    The facts of the Russian interference in the 2018 US presidential election.
