.svg)
In the Privacy Soapbox, we give privacy professionals, guest writers, and opinionated industry members the stage to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the privacy soapbox? Get in touch at blog@didomi.io
Since its enforcement in May 2018, the General Data Protection Regulation (GDPR) has marked a major turning point for personal data protection in Europe.
Six years later, one thing is clear: the GDPR’s technical and organizational implementation reveals a significant gap between theoretical ambitions and real-world challenges. Between good intentions and practical constraints, this gap continuously raises questions about the regulation’s effectiveness.
The evolution of the European regulatory framework: A complex journey
The 2018 GDPR established fundamental principles such as Privacy by Design and explicit consent, laying the groundwork for a new era in data protection. The introduction of the Digital Markets Act (DMA) in 2023 has further expanded this regulatory framework, adding another layer of complexity.
Significant fines imposed by regulatory authorities highlight the willingness to enforce these new standards. For instance, France’s CNIL imposed a record-breaking €50 million fine on Google in 2019 and a €35 million fine on Amazon in 2020.
2018-2020: Years of learning and disruption
The first months following GDPR’s implementation quickly revealed the magnitude of the challenge. Companies were forced to completely overhaul their data collection systems—an effort that proved both complex and costly. Early GDPR audits exposed significant gaps in personal data management, leading to a profound reevaluation of established practices.
Mapping personal data within existing systems proved particularly difficult. Uncovering the intricate architectures businesses had built over the years and identifying the legal basis for each data processing activity required meticulous documentation and legal analysis, a complex process that has often been underestimated.
The financial impact of compliance exceeded initial estimates. Companies had to invest in new technical tools, train their teams, and hire specialized professionals. Early attempts at data anonymization often failed, necessitating costly and time-consuming adjustments.
2020-2022: Market maturity and the emergence of new standards
Two major events defined this period: the launch of Google’s Consent Mode V1 and the Schrems II ruling.
Consent Mode revolutionized the management of advertising and analytics tags, requiring companies to rethink their tracking strategies completely. Meanwhile, Schrems II disrupted transatlantic data transfers by invalidating the Privacy Shield, forcing businesses to rethink their relationships with U.S. partners.
During this time, the consent management platform (CMP) market matured significantly. CMPs became more sophisticated, integrating TCF v2.0 and developing advanced features such as personalization and A/B testing. Additionally, Privacy Enhancement Technologies (PETs) began to emerge, paving the way for more intelligent and automated data protection solutions.
2023-2024: The era of increasing technical complexity
The introduction of Consent Mode V2 perfectly illustrates the growing technical complexity in the privacy space.
Companies now face a proliferation of technical parameters, including new variables like ad_user_data and ad_personalization. The need for CMP certification adds yet another layer of complexity, and implementing conversion modelling has become essential to maintaining marketing data quality.
The DMA has further complicated this technical ecosystem. New interoperability requirements force businesses to rethink their technical architectures, while the ever-evolving regulatory standards demand constant vigilance and adaptation.
Technical teams now face a daily challenge: maintaining marketing tool efficiency while strictly adhering to data protection requirements.
The reality on the ground: Between adaptation and resistance
Day-to-day practices reveal a mixed reality.
Many websites continue to drop advertising cookies without proper consent management, while others struggle to configure their tracking tools correctly. Technical errors are widespread: misconfigured Google Tag Manager (GTM) settings, poorly managed consent revocations, and failed synchronization between CMPs and marketing tools.
These technical failures have direct consequences. The loss of analytical data undermines marketing performance measurement, while non-compliance exposes businesses to significant legal risks. The situation is particularly challenging for SMEs, which often lack the necessary resources to achieve full compliance.
2025 outlook: Towards a new era of privacy
The rise of artificial intelligence is reshaping the future of data protection. While generative models introduce new challenges, they also offer unprecedented opportunities for data anonymization and consent management.
The gradual harmonization of practices at the European level suggests a more structured future in which data protection naturally integrates into innovation processes.
The GDPR has profoundly transformed the European digital landscape. While the gap between theory and practice remains, the evolution of technologies and mindsets is shaping a promising future.
Consent management solutions, such as those developed by CMPs (like Didomi), actively contribute to this transformation. Personal data protection is now emerging as both an innovation catalyst and a driver of trust in the digital economy.
.avif.avif){kind=tracking}
