A Law That Promised Control

It is difficult to forget the moment GDPR arrived. In 2018, inboxes filled overnight with privacy updates, consent requests and new terms. For a brief period, it felt as though something meaningful had shifted. Companies were being forced to explain themselves, and users were, at least in theory, being given control over how their data was used.

The promise was simple enough. Clear consent, transparent data use and the ability to say no.

Fast forward to today, and that promise feels less certain. Not because GDPR has disappeared, but because everyday experience increasingly suggests that something is not quite working as intended. Settings are pre-enabled, choices are buried, and consent often feels like something you give by default rather than something you actively decide.

That is where the question begins. Not whether GDPR still exists, but whether it still feels like it protects people in the way it was meant to.

The Reality People Are Experiencing

Spend a few minutes going through the settings of most modern apps or devices, and a pattern quickly emerges. Features that rely on data collection are often already switched on. Options to limit or disable them exist, but they are rarely presented in a way that invites easy understanding.

Consent, in many cases, has become something passive. It is tied to long terms and conditions, accepted in a single tap, and rarely revisited. The idea of being fully informed at the point of agreement feels increasingly distant from how these systems actually work.

This creates a gap between expectation and reality. On paper, users have control. In practice, that control requires effort, awareness and persistence to exercise.

Not Broken, But Being Navigated

It would be easy to conclude from this that GDPR has failed, but that would not be entirely accurate. The law itself still sets out clear requirements around transparency, consent and data protection. It has led to real changes in how companies handle personal data, and it continues to provide a framework for enforcement and accountability.

The issue is not that the law is useless. It is that companies have learned how to operate within it in ways that minimise disruption to their business models.

One of the most significant tools in this regard is the concept of “legitimate interest”. This allows organisations to process certain types of data without explicit consent, provided they can justify a valid reason for doing so. In theory, this is a practical necessity. In practice, it can be stretched to cover a wide range of activities that users might reasonably expect to opt into rather than opt out of.

This is where GDPR begins to feel less like a shield and more like a framework that can be carefully worked around.

The Rise of Design Over Consent

Another factor shaping this experience is the way interfaces are designed.

Consent is no longer just a legal concept. It has become part of user experience design, and not always in a way that favours the user. Options to accept are often prominent and easy, while options to decline or customise are less visible or require additional steps.

These patterns are sometimes referred to as “dark patterns”, though they are not always labelled as such. They do not remove choice entirely, but they guide it in a particular direction.

The result is that many users end up agreeing to things not because they fully understand or support them, but because the process of declining is inconvenient. Over time, this shapes behaviour, turning consent into something that feels automatic.

Legal Compliance Versus Real Understanding

At the heart of the issue is a distinction that is easy to overlook. There is a difference between being legally compliant and being genuinely transparent.

A company can meet the technical requirements of GDPR while still presenting information in a way that is difficult to interpret. Long privacy policies, complex language and layered settings may satisfy regulatory standards, but they do not necessarily lead to informed users.

This creates a situation where protection exists in principle, but feels distant in practice. Users are covered by rules they rarely engage with, and decisions about their data are often made in environments that prioritise speed and convenience over clarity.

Why It Feels Like It Is No Longer Working

The frustration many people feel does not come from a single failure, but from accumulation. Each small instance, a pre-ticked box, a hidden setting, a feature enabled by default, adds to the sense that control is slipping away.

When that experience is repeated across multiple platforms and devices, it begins to shape perception. GDPR is still there, but it becomes harder to see its impact in everyday use.

That is how a regulation designed to empower users can start to feel as though it is neither use nor ornament. Not because it has no value, but because its presence is no longer obvious in the moments that matter.

The Gap Between Law and Experience

What this ultimately highlights is a gap between intention and implementation.

GDPR was designed to give individuals meaningful control over their data. That intention remains valid. The challenge is that technology has evolved quickly, and companies have adapted just as quickly to ensure that their models continue to function within the boundaries of the law.

As a result, the letter of the regulation is often maintained, while the spirit becomes harder to recognise. Consent exists, but it is shaped by design. Transparency exists, but it is buried in complexity.

This does not mean the law has failed. It means it is being tested in ways that were perhaps inevitable.

Where This Leaves the User

For the average user, the situation is both simple and frustrating. The protections are there, but accessing them requires time, knowledge and attention that most people do not have to spare.

This creates a form of imbalance. Companies understand the systems they operate within. Users, more often than not, are reacting to them.

Closing that gap would require more than just regulation. It would require a shift in how consent is presented, how choices are offered and how transparency is delivered.

A Regulation Still Worth Having

It is important not to lose sight of the fact that GDPR still matters. It has introduced standards that did not exist before and continues to provide a basis for holding organisations accountable.

The problem is not that it is useless. It is that its effectiveness depends on how it is applied, and at the moment, that application often favours compliance over clarity.

That leaves users in an uncomfortable position. Protected, but not always informed. Covered, but not always in control.

And that is why, for many, it can feel as though something that was meant to make a clear difference has become harder to see in everyday life.