The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union to protect the personal data of its citizens. It was officially launched on May 25, 2018, and sets strict guidelines for how businesses handle, process, and store personal information.
The regulation is crucial for ensuring individuals’ rights to privacy and data protection, as well as addressing concerns about how companies collect and use personal data. GDPR also imposes severe penalties for non-compliance, making it a key consideration for businesses operating in or dealing with customers from the EU.
To find out more about GDPR, its impact on users and businesses globally, and how people are affected by both the regulations and data privacy as a whole, we surveyed data from 1,801,131 million people over a 12-month period, ending on the 4th of November 2024. This is what we discovered by analysing the results.
Bonus Material: Download GDPR Global Statistics for 2024
Index
- 24.7% of respondents agree enhanced data protection is GDPR’s biggest benefit
- 48.1% of respondents concerned about their data privacy online
- American Concerns About Data Privacy On The Rise
- 28.6% of respondents feel companies breaching GDPR should be investigated
- Google & Facebook among notable GDPR penalized companies
- Ireland tops list for country with most GDPR fines
- Industry and ecommerce hardest hit by GDPR fines
- Majority of GDPR fines related to consent and data privacy violations
- GDPR impacts user experience by as much as 62% in first year
- Email marketing statistics reflect success of GDPR
- 43.8% saw a change in the number of spam emails received after GDPR came into effect
- How businesses adapted to GDPR requirements
- US preparedness for GDPR
- Impact of Data Breaches
- Respondents over 45 record highest engagement rates
- Men affected 6.2% more than women
- North America the most engaged by 71.8%
- $200,000 to $500,000 earners the most engaged
- About the data
What’s the Biggest Benefit of GDPR?
24.7% of respondents agree enhanced data protection is GDPR’s biggest benefit
With nearly a quarter of respondents agreeing that GDPR’s biggest benefit is that it enhances data protection, our graph reveals what other benefits are considered tops:
Of the over 1.8 million people we surveyed, nearly 450,000 (24.7%) agree that the biggest benefit of GDPR is that it enhances data protection.
The GDPR is similar to the CCPA (California Consumer Privacy Act) in the United States. It is a data protection law designed to give individuals more control over their personal data by affording them the ability to request deletion and the right to opt out of data selling or sharing. However, while both GDPR and CCPA aim to protect individuals’ privacy, GDPR is broader and more stringent in its requirements, especially regarding data processing consent and rights for individuals. CCPA, on the other hand, focuses heavily on consumers’ ability to control the sale of their data.
Based on the parameters of the GDPR, it’s not surprising that the second-highest engagement levels we surveyed said that the biggest benefit of the regulations was that they strengthen privacy rights (14%). Similarly, prompting transparency garnered 13.3% engagement, increases accountability 12.1%, and user consent 11%. Timely notifications assumedly of data collection, use or breach were scored as most beneficial by 10.5%, data access at 7.1%, and significant fines at 5%.
In the bottom two benefits were regulating cross-border data sharing at 2.1% and strengthening consumer trust at 0.4%.
How Concerned Are You About Data Privacy On The Web?
48.1% of respondents concerned about their data privacy online.
Nearly half of our respondents are concerned about data privacy on the web. Here’s what our data reveals about people’s sentiments:
How Concerned Are You About Data Privacy On The Web?
48.1% of respondents are concerned about their data privacy online, and this correlates with other studies that show that 47% of Americans worry that their data is vulnerable to hackers, even after the introduction of GDPR a year prior. Engagement levels of those who are “somewhat concerned” sit at 36%, while those who are “very concerned” achieved engagement of 15.9%.
Considering that during Q4 of 2024 alone, more than 422 million records worldwide were exposed due to data breaches, it’s interesting that those who are “very concerned” about privacy online are in the minority.
American Concerns About Data Privacy On The Rise
We’ve seen that 47% of Americans have concerns about their data being vulnerable to hackers, but current concerns extend far beyond this.
A Pew Research Center survey highlights statistics showing growing unease about government data use, with particular concern among Republicans and a general lack of understanding of corporate data practices, as 67% of respondents feel they know little about how their data is used. There is also low trust in social media executives and AI applications, with 77% of Americans doubting social media CEOs will handle data responsibly and 81% worrying AI use will result in unintended data misuse.
Despite increased awareness and efforts like locking smartphones and using password managers, data breaches remain a frequent issue, affecting around 34% of Americans in the past year.
Companies Failing To Comply With GDPR Should Be
28.6% of respondents feel companies breaching GDPR should be investigated
From investigations to fines and grace periods, here’s what our respondents think should happen to companies that fail to comply with GDPR:
The highest engagement levels (28.6%) were recorded for respondents who think that companies that fail to adhere to GDPR should be investigated. This is a very fair view, as it allows companies to present their account of events.
However, the second highest engagement levels were recorded for those who think companies should be sued (14.4%), while 13.5% believe they should be penalized, 13.5% say sanctions should be put in place, and 11.2% want fines imposed. Considering GDPR fines have now reached more than €5 billion, this should satisfy those who believe companies should suffer financially for their infringements.
Lower engagement was recorded for those who believe companies should improve their practices (7.4%), be audited (5.8%), publicly reported (3.6%) or pay compensation (2.2%). The fact that paying compensation elicited such low engagement somewhat contradicts the other financially focused penalties, but being fined is perhaps viewed as a more severe punishment.
Lastly, there was 0% engagement for those believing companies should be given a grace period, showing that everyone surveyed wants some sort of action taken against those that fail to meet the regulations.
Google & Facebook Among Notable GDPR Penalized Companies
Several companies have faced significant fines under the GDPR for failing to protect user data. Amazon received one of the largest penalties of approximately $850 million due to issues around targeted advertising and data processing practices. Meta (formerly Facebook) was also penalized multiple times, including a $281 million fine in Ireland for inadequate protections for user data privacy.
Other notable companies that violated GDPR and paid the price are Google, which was fined $56.6 million; British Airways, which forked out $26 million; clothing brand H&M, which was hit with a $41 million fine; and Caixabank, which paid $7.2 million for breaching regulations.
Ireland Tops List For Country With Most GDPR Fines
As of 2023, Ireland has been the most active in levying fines, largely due to its role as the European headquarters for major tech companies like Meta and Google, totaling over €1 billion in fines. Germany has also been a significant enforcer, with fines reaching approximately €60 million for various violations related to data protection.
France has imposed hefty penalties as well, including a €150 million fine against Alphabet’s Google for cookie consent violations, highlighting the regulation’s wide-reaching impact across different sectors in Europe.
Industry and eCommerce Hardest Hit By GDPR Fines
According to Persona, GDPR fines per sector can be broken down as follows, with the number indicating approximately how many fines the sector has been issued.
- Industry and eCommerce: 170
- Broadcasting, telecom, media and Oxford: 145
- Public and education: 110
- Insurance, finance, and counseling: 85
- Healthcare: 75
- Employment: 65
- Individual and private associations: 50
- Transportation and energy: 35+
- Accommodation and hospitality: 25+
- Real estate: 25+
Download GDPR Global Statistics for 2024
Majority Of GDPR Fines Related To Consent And Data Privacy Violations
GDPR enforcement covers a wide range of violations, including unlawful data processing, failure to obtain proper consent, inadequate security measures, and non-compliance with data subject rights.
One of the most common breaches involves failing to implement adequate data protection measures, resulting in significant fines. The regulation also targets companies that fail to report data breaches in a timely manner.
Overall, as of 2023, GDPR enforcement has resulted in over €2.8 billion in fines, with the majority attributed to violations related to consent and data security.
GDPR Impacts User Experience By As Much As 62% In First Year
GDPR has significantly impacted customer experience by giving individuals greater control over their personal data, ensuring transparency in how companies collect and use their information.
Consumers now have the right to easily access, correct, and delete their data, enhancing trust and confidence in businesses. In 2019, 31% of consumers said they felt an improvement within the first year and in the UK alone, an increased 62% of consumers felt more comfortable sharing their data once data protection laws were in place
Email Marketing Statistics Reflect Success of GDPR
Email is one of the biggest marketing channels globally, with ad spend in the email advertising market in Europe forecast to reach $2.85 billion in 2024. However, GDPR has posed a major challenge for both marketers and email service providers.
According to Moosend, over 57% of businesses in Europe, North America, and Oceania sent “Privacy Policy Changed” emails to customers rather than emails asking for reconsent to reach out. However, recent research shows that 73% of shoppers would prefer to do business with brands that manage their email data transparently, which shows that the overall aim of GDPR aligns with consumers’ interests.
When GDPR Came Into Force How Noticeable Were The Amount Of Email Spam Received?
43.8% saw a change in the number of spam emails received after GDPR came into effect
Since its implementation in 2018, GDPR has had a major impact on the number of spam emails respondents received. We’ve unpacked the results of the graph below:
43.8% of the respondents we surveyed noted that when GDPR came into effect, the amount of email spam received did not remain the same. However, it didn’t necessarily decrease. 23.2% saw the number of spam emails somewhat increase, while 14.1% saw a significant increase.
In contrast, 8.8% engagement levels were recorded for those saying they did not increase significantly, while 7.1% said they did not decrease significantly. Only 2% agreed that these emails somewhat decreased, and just 1% said that they decreased significantly.
Looking at data from Statista from August 2024, the US has the highest number of spam emails sent daily, followed by China. Of the top nine countries, only three are protected by the GDPR.
How Businesses Adapted to GDPR Requirements
In response to GDPR, around 73% of European organizations enhanced their customer data management practices, and 62% increased their cyber security investments. Many businesses also revamped their data collection and storage practices to ensure better compliance and transparency.
Overall, companies have implemented stricter consent protocols, requiring users to actively agree to data usage terms, and have made privacy policies more accessible and understandable.
In many cases, data protection officers (DPOs) have been appointed across organizations to oversee compliance, assess data security risks, and handle user requests regarding personal data. Additionally, many businesses now conduct regular data audits to minimize the risk of breaches. However, almost 30% of European businesses admit they are still not compliant, with many citing not understanding the regulations as the main reason.
US Preparedness for GDPR
While the GDPR is a European regulation, it has extraterritorial reach, meaning it applies to companies outside the EU if they offer goods or services to EU residents or monitor their behavior. As a result, many US-based companies have had to adapt their data practices to comply with GDPR requirements to avoid hefty fines. This has also influenced broader data privacy discussions in the US, encouraging states to consider similar regulations.
Recent reports show that 32% of US companies now have a data protection officer, 78% have updated their privacy policies after conducting GDPR gap assessments, and 27% of companies have spent over half a million dollars becoming compliant. In the future, we can expect to see a growing number of companies prepare themselves as GDPR takes a firmer hold.
Impact of Data Breaches
Data breaches can cause severe financial damage to businesses, including fines, legal fees, and the cost of remedial measures such as identity protection services for affected customers. IBM states that the current global average cost of a data breach in 2024 is $4.88 million, highlighting just how costly they can be.
However, in addition to the immediate financial losses, companies often suffer long-term reputational damage as consumer trust erodes, and customers may choose to take their business elsewhere. The lasting impact on a brand’s reputation can lead to decreased sales, lower stock prices, and challenges in attracting new customers or partners.
According to the GDPR, organizations must report any data breach within 72 hours. If a breach is high risk for those affected, organizations must also inform those individuals without undue delay. This ensures that corrective action can be taken as quickly as possible to mitigate the effects.
Demographics
Our data also breaks down the demographics of the 1,801,131 people we surveyed by age, gender, region, and income.
Age
Respondents over 45 record highest engagement rates
Those aged between 45 and 65 top the list of our respondents who have been affected by data privacy; Let’s dig deeper into what the below graph shows:
Age Distribution
Older adults are more vulnerable to cyber scams, which aligns with the high levels of engagement for those over the age of 45. Over 65s top the list with 23.3% engagement, followed by 55-64-year-olds at 21.8% and 45-54-year-olds at 21.2%. Those under 25 are next, with 14.4%, followed by 35-44-year-olds at 12.6%. The lowest engagement levels come from those in the 25-34 year bracket, at 6.6%.
Gender
Men affected 6.2% more than women
Our survey showed that men are only marginally more affected by data privacy issues than women. Let’s take a closer look at what the graph shows below:
Gender Distribution
The results of our survey put men ahead of women, with 53.1% engagement versus 46.9%. This margin is not very wide, and it indicates that, overall, gender does not typically dictate who is affected.
Regional Distribution
North America the most engaged by 71.8%
The data clearly shows that North America has the highest engagement rates. Here’s how the rest of the world fared:
Regional Distribution
In 2023, the five most breached countries were the United States, the UK, France, India, and Canada. It makes sense then that North America has the highest engagement rates, with a whopping 71.8% of our respondents located there. Next up was Europe, with 19.2%, followed by Latin America, with just 4.6%. In last place was Oceania, which encompasses 14 countries, not too far behind Latin America with 4.4%
Income
$200,000 to $500,000 earners the most engaged
Based on our research, nearly 50% of respondents earn within the same income bracket. We’ve broken down the income groups of those affected by data privacy issues globally.
Income Distribution
At 47.7%, the majority of respondents who have been affected by data privacy issues all earn between $200,000 and $50,000 a year. This is well beyond the average wage across the regions surveyed. The second most affected group (20.7%) earned $120,000 to $200,000. Third and fourth places were almost tied at $80,000 to $$120,000 and $500,000 to $1 million, attracting engagement levels of 12.5% and 12..1%, respectively.
Those earning between $40,000 and $80,000 attracted 6.7% engagement, while those in the under $40,000 bracket only scraped together 0.2%.
Based on our data and the many statistics that back it up, it’s clear that data privacy is a major concern, and that there are huge sums of money at stake when breaches occur. With data breaches on the rise, we’re likely to see more fines being issued in the future and other countries adopting similar regulations sooner rather than later.
About The Data
The data used in the graphs in this article was sourced from an independent sample of 1,801,131 people from X, Quora, Reddit, TikTok and Threads globally. The responses are collected within a 95% confidence interval and 5% margin of error.
Engagement levels estimate how many people in the location are participating. The demographics are determined using many features, including name, location and self-disclosed description. Privacy is preserved using k-anonymity and differential privacy. Results are based on what people describe online globally; the questions were not posed to the people in the sample.
