Skip to main content

Looking Back on Five Years of GDPR | June 2023

While the United States does not have a comprehensive consumer data protection law, the European Union passed the General Data Protection Regulation (GDPR) in 2016. The law, which went into effect in 2018, requires businesses to acquire permission from consumers in order to collect their data. The legislation applies to any company doing business with EU citizens.  

Reception of the General Data Protection Regulation 

GDPR set an important precedent for how companies handle data because it was the first far-reaching privacy law. The goal of GDPR was to standardize data protection laws and give individuals more control over their digital privacy. Under the law, companies must ask consumers for permission to collect their data and they must respond to consumer inquiries about data usage within 72 hours. Many countries, including Brazil, China, India, Japan, South Korea, and Thailand followed in the EU’s footsteps and introduced similar legislation.

Leading up to GDPR going into effect, businesses of all sizes, even mom-and-pop small businesses, had to make changes to their websites and data policies. Some small-to-mid-size ad tech vendors were forced to exit Europe because they didn’t have the resources to handle compliance. Even large companies faced challenges.

GDPR in Action

Spain, Italy, Germany, and Romania imposed the highest number of fines. The three sectors with the largest number of fines are 1) industry and commerce, 2) media, telecoms, and broadcasting, and 3) individuals and private associations.

When it comes to the largest fines, Ireland and Luxembourg top the list due to fines issued to large technology companies. The three sectors with the highest median fines are 1) media, telecoms, and broadcasting, 2) transportation and energy, and 3) finance, insurance, and consulting. The largest fine to date (€1.2 billion) went to Meta (the parent company of Facebook, Instagram, WhatsApp, and Meta Quest) for poorly safeguarding personal data as it was transferred between Europe and the United States. Other big-ticket offenders include Meta Ireland, Amazon Europe, Google, and Google Ireland.

Interestingly, beyond these headliners, there has been little enforcement of GDPR with only 232 fines with a median amount of €2,000. Some enforcements were simply reprimands. Some industry experts question how effective GDPR has been in standardizing the digital advertising industry. The EU has been divided over enforcement and the ability to impose fines. The European Commission is looking to make changes that would allow it to act on privacy violations more quickly and forcefully. 

Arguably, GDPR’s main achievement is increasing public awareness of digital privacy and how companies store and use consumer data. Some say without GDPR, people would be worse off today than they were five years ago. The legislation has also greatly influenced privacy protection around the world, serving as the standard for similar laws.

Data Privacy in the U.S.

California, Virginia, Connecticut, Colorado, and Utah have passed comprehensive data privacy laws, six states have enacted narrow privacy laws, and more than 10 states have introduced privacy bills. Some believe state legislation could accelerate federal legislation.

Consumers may welcome these types of protections, but digital advertisers that use consumer information to better target advertisements to online consumers often see it as a threat. The tension between data collection and consumer privacy will continue as countries and states introduce and improve regulations.

In the Classroom

This article can be used to discuss privacy (Chapter 13: Digital Marketing and Social Media). 

Discussion Questions

  1. Describe GDPR and how it affects U.S. companies. 
  2. What data privacy laws, if any, exist in the United States?  
  3. How has GDPR affected the U.S. ad market over the past five years?

This article was developed with the support of Kelsey Reddick for and under the direction of O.C. Ferrell, Linda Ferrell, and Geoff Hirt. 


Dana Leigh, "The 10 Biggest GDPR Fines of All Time," TechRound, May 23, 2023,

European Data Protection Supervisor, "The History of the General Data Protection Regulation,"

Giovanna Coi, Clothilde Goujard, and Laurens Cerulus, "Europe’s Privacy Regime: 5 Years in 5 Charts," Politico, May 25, 2023,  

Seb Joseph, "Five years in, the GDPR has had a double-edged impact on the ad market," Digiday, May 25, 2023, 

"Which States Have Consumer Data Privacy Laws?" Bloomberg Law, May 3, 2023,  

About the Author

O.C. Ferrell is the James T. Pursell Sr. Eminent Scholar in Ethics and Director of the Center for Ethical Organizational Cultures in the Raymond J. Harbert College of Business, Auburn University. He was formerly Distinguished Professor of Leadership and Business Ethics at Belmont University and University Distinguished Professor at the University of New Mexico. He has also been on the faculties of the University of Wyoming, Colorado State University, University of Memphis, Texas A&M University, Illinois State University, and Southern Illinois University. He received his Ph.D. in marketing from Louisiana State University.

Profile Photo of OC Ferrell