A Better Model for GDPR

Justin Daab Customer Experience Design

The right idea with unintended implications

The European Union (EU) General Data Protection Regulation (GDPR) went into effect recently. Even if you don’t directly do business in Europe, many of the services you rely upon to do work and communicate with potential customers undoubtedly do, and as such it will certainly impact how any marketer manages opt-ins and permissions domestically. More interesting to me than the impact on marketing practices per se, though, is how the law, while giving users control of their data, failed to provide mechanisms for wielding that power efficiently. It is, however, seemingly designed for efficient wielding of power by the government.

Let’s investigate.

A trojan horse for increasing taxes?

When the EU designed the GDPR, they clearly outlined the cost to companies for violating the regulation: €10mm or 2% of your worldwide turnover (revenue), whichever is greater. The scale of this fine seems to telegraph that the EU’s targets are companies of the likes and scale of Facebook, Amazon and Google.

Imposing a fine of this size against 90% of smaller businesses for casual email list violations (which will likely be common for quite some time) would be catastrophic—for businesses and the public opinion of the EU. Therefore, I simply can’t imagine the EU is intending to impose those fines and put whole swaths of companies out of business.

It was quite telling that on the first day the regulation went into effect, reports were coming out of the EU press that Facebook and Google were already potentially liable for more than $9 billion in fines, without a mention of the undoubtedly hundreds of smaller companies that were likely in violation. It really feels more like a means of taxing the mostly foreign “big data” companies without unduly increasing taxes on more traditional domestic business sectors.

A weak incentive for compliance

The EU created no proactive enforcement body aligned with the GDPR. Effectively, it relies on companies self-reporting major violations. As far as I could find, should a company simply lie and deny violations occurred, there is no ready mechanism for challenges other than one-off state-sponsored lawsuits.

Further, if you are running Facebook and/or Google, it is highly possible that a 2% revenue loss on a GDPR-violating business practice is still better than any potential organic decline in revenue should their ad targeting models effectively break under the new constraints.

A terrible consumer experience

If the purpose of this legislation was truly to give consumers more control over their data, there should be some centralized mechanism for them to manage and syndicate their rights. As it is now, the consumer would have to know which companies had or were using their data, contact those companies independently, and either review what data points that company is using and request that certain points be redacted, à la carte, or request that the entire record be “forgotten.” The chances that most people will take the time, on a company-by-company basis, to review or even request deletion of their data from most databases seem slim.

A modest proposal: a central exchange model

It is a fair argument to say, as the GDPR implies, that ad tech has crossed the line into illegal or at least unethical surveillance. I think it is also a fair argument that regulating the collection and use of consumers’ data, regardless of the cost and inconvenience of implementation, will be a net positive. But I think that if the legislation had been approached from a more human-centered design-thinking perspective instead of a financial levy perspective, the solution would have looked very different.

My proposed solution is the consumer data exchange: a centralized repository or exchange model that makes it easier for consumers to catalog, grant, sell or revoke licenses to access and use their personal data, and that gives companies a verifiable and economical means to remain in compliance and to request or purchase licenses for all or part of a consumer’s multifaceted online persona.

The technologies to make this feasible already exist. Every facet of consumer data could be bound to an encrypted digital certificate that the consumer can distribute, that any party can verify, and that the consumer can revoke. Online exchanges are commonplace—simply replace financial instruments with digital data “products.”

Ultimately, the consumer only has control over their data when they control its value

It feels as if, had the EU approached this problem from a solutions perspective rather than a punitive one, we all could have benefited.


Magnani is an experience design and strategy firm that crafts transformational digital experiences to delight users and deliver sustainable competitive market advantages for our clients.