Some GDPR Myths That Still Mislead Users

  • Data Protection Day offers an opportunity to revisit widespread misconceptions about the GDPR and how it is enforced.
  • Several misunderstandings persist due to industry lobbying, misleading communication and inconsistent regulatory action.
  • Clarifying these issues helps users better understand their rights and the responsibilities of companies handling personal data.

Misconceptions About Cookie Banners and Enforcement

Many people believe the GDPR requires websites to display cookie banners, yet the regulation contains no such mandate. Companies use banners because they must obtain explicit consent before tracking users for personalised advertising. Numerous websites design these banners to maximise acceptance, often making refusal difficult or confusing. This practice has contributed to the false impression that the GDPR is responsible for intrusive consent prompts rather than the business models that rely on behavioural tracking.

Another common belief is that companies face strict penalties from data protection authorities, but enforcement statistics tell a different story. An analysis of cases between 2018 and 2023 shows that only a small fraction result in fines, with the Irish Data Protection Commission issuing penalties in just 0.26% of its cases. Proceedings often take years and frequently end with warnings instead of meaningful sanctions. Some authorities have even been criticised for working too closely with companies under investigation, raising questions about impartiality.

Debates Around Advertising, Business Freedom and User Rights

The advertising industry frequently argues that personalised ads are essential for financial survival, yet evidence suggests otherwise. Studies indicate that tracking‑based advertising increases revenue only marginally, and some organisations have reported higher income after abandoning targeted ads altogether. Alternative models such as contextual advertising, subscriptions and product placement remain viable options. These findings challenge the narrative that privacy protections threaten the economic foundations of online media.

Claims that the GDPR interferes with the freedom to conduct a business also misrepresent the law. The EU Charter guarantees this freedom only within the boundaries of existing legislation, including privacy and data protection rules. Companies must comply with legal obligations just as they do in areas like taxation or environmental regulation. The principle simply ensures that individuals are free to pursue economic activity, not that businesses can disregard regulatory requirements.

Access Requests and the Reality of User Control

Some companies argue that users abuse their Right of Access under Article 15 of the GDPR, overwhelming them with excessive requests. The regulation already includes safeguards allowing organisations to reject or charge for manifestly unfounded or repetitive submissions. Surveys of Data Protection Officers show that most organisations receive few access requests and consider the workload manageable. Larger companies often ignore requests or provide incomplete information despite having automated tools to process them efficiently.

A final misconception concerns the financial resources of privacy organisations such as noyb. Fines imposed by data protection authorities do not go to advocacy groups but to national budgets or, in some cases, directly to the authority itself. Organisations like noyb rely on membership support rather than enforcement revenue to continue their work. Their efforts highlight ongoing gaps between legal rights and practical enforcement across the EU.

Public understanding of data protection has grown since the GDPR came into force, yet misconceptions persist partly because companies benefit from shifting blame onto regulation. Researchers studying consent practices have found that dark‑pattern design remains widespread, influencing how users make privacy decisions. These findings suggest that improving transparency and enforcement remains essential for strengthening digital rights across Europe.


 
