This story is over 5 years old.


Here Are Some of the Worst Attempts At Complying with GDPR

Owen Williams, a freelance developer, has been collecting the more embarrassing, silly, and downright lame attempts companies are making to comply with Europe's General Data Protection Regulation.
Image: Jason Howie/Flickr

“We’ve updated our privacy policy!” By now you’re likely more than familiar with the onslaught of companies scrambling to comply with Europe’s new data privacy laws, the General Data Protection Regulation, or GDPR.

Everybody’s inbox has been flooded with messages from companies about updates to privacy policies and requests opt-in for certain functions, while other sites have resorted to pop-ups or just blacking out all of Europe while they work on complying with the new regulations.


Inspired by the flood of terrible attempts at compliance, freelance developer Owen Williams started a blog called GDPR Hall of Shame to call out some of the most egregious examples:

“The whole thing is a lighthearted jab at these companies who are implementing it without solving the problems,” Williams told me over Skype. “This thing was supposed to be good for everybody, so I wanted to tongue-in-cheek embrace the fact that this is ridiculous for both user and implementer.”

One of the worst offenders is Tumblr, which is requiring users to go through a list of 250 checkboxes and decide which to uncheck:

Another entry into the GDPR Hall of Shame is Yeelight, an Internet of Things lightbulb that simply blocked EU users from all of its functions because it apparently is “not able” to comply with GDPR:

The Europe-wide regulations went into effect on Friday, May 25, and ensure data collection and sales are as transparent as possible and that users have more control over their data. However, many companies have been panicking over the looming regulations, unsure of how to comply without inconveniencing their users.

Read More: What Is GDPR and What Can America Learn From it?

“The big challenge is that GDPR is very specific legislation that has a lot of nitty gritty, in-the-weeds details, but not a lot of information about how to comply,” Williams said. “People need to be able to opt out of some of the stuff you’re doing, but what’s unclear is what ‘opt out’ or ‘consent’ means. The big challenge is figuring out if you’re walking the line or not and this legislation is a jillion words, so it’s easy to forget something.”

Even though Williams is sympathetic, he is stunned that so many companies seem to be flailing even though they had two years to prepare for the regulation.

“How can you shut down the service when you knew about this two years ago?” he said. “They should have been building with user privacy in mind from start. There’s really no reason not to do it now.”

Get six of our favorite Motherboard stories every day by signing up for our newsletter .