We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Widespread confusion over GDPR rules that protect your privacy

Rising number of people are anxious and concerned about data protection

A recent Which? survey of 2,067 UK adults has found widespread confusion over a privacy-protection law that was introduced a year ago this week. Additional reporting by Faye Lipson.

The General Data Protection Regulations (GDPR) give you greater control of how organisations can collect, store and use your personal data.

But we found that a third of people didn’t even know their data rights had changed.

And one third who knew there has been a change, weren’t confident what extra protections they now had.

That’s despite a wave of recent high-profile scandals in which people’s data was misused, including the Facebook-Cambridge Analytica scandal, the British Airways payment details data breach and the Marriott Starwood hotels data breach.

Read more: How to protect yourself and claim compensation if your personal data has been compromised following a breach

Growing concern and anxiety over misuse of personal data

The research into people’s attitudes towards data protection and misuse also found there has been a jump of 10 and 9 percentage points in the proportion of people in ‘anxious’ and ‘concerned’ groups in our Data Dozen segmentation.

This indicates a growing number of people are concerned about how their data is used.

Data Dozen infographic

The findings expand on our ‘Control, Alt or Delete: The future of consumer data‘ research and policy report launched last year, which explored consumer attitudes towards data collection and use to understand how far people might need further support and guidance to rebalance power over use of their data.

As part of this research, we identified 12 groups that reflect the different attitudes and behaviours people have when it comes to consumer data collection and use by organisations, businesses and web services – called ‘the Data Dozen‘.

Caroline Normand, Which? director of advocacy, said: ‘GDPR is a step in the right direction. But so far it hasn’t had as large an impact on overcoming the sense of consumer disempowerment that our research highlights.

‘More is needed to be done by government, policy makers and industry in progressing the recommendations in our Control, Alt or Delete? report.’

Are you tolerant, concerned, anxious or liberal about data? Take our quiz to find out which of the Data Dozen is most like you

An obscure exception to opting out of marketing

In separate research, we also found many customers who were criticising companies on social media for having pre-ticked or opt-out consent boxes on their apps and websites.

Under the GDPR, you can opt out of activity from online retailers and companies and of profiling that is used for direct marketing purposes.

But many people incorrectly believe that all email marketing consent should be on an active and opt-in basis (for example, by ticking a box).

An obscure exception to the rules means that in many cases companies aren’t breaking the law by assuming people want to hear from them and for consent boxes on web-based forms to be either pre-ticked or opt-out.

woman frustrated with computer

Companies are allowed to assume you agree to receive emails about similar products or services when you give them your email address in the course of a sale (or during negotiations for a sale).

This includes asking for a discount code to be emailed to you or signing up for a free subscription when paid-for options exist. You must be able to easily opt out.

To avoid marketing spam in your inbox, it’s important to always check the options carefully when signing up for services or buying goods. Some companies have fallen foul of the new rules.

A Virgin Media marketing box was so confusing that it was impossible to know what you were consenting to. We contacted Virgin Media and it said the consent box text was ‘incorrectly worded’ and had already been changed.

Back to top
Back to top