Europe’s General Data Protection Regulation (GDPR) is one of the strictest privacy laws in the world. It inspired a global trend of countries and regions passing similar pieces of legislation.
But some businesses make false assumptions about the requirements of this law.
Below, I walk through 10 of the most common GDPR misconceptions businesses have and explain the reality behind each one.
What is the GDPR and Does It Affect My Business?
The GDPR is one of the regulations that make up the data privacy legal framework in the European Union (EU) and European Economic Area (EEA).
If your business is established in Europe, or is outside Europe but offers goods or services to people in the EU/EEA or monitors their behavior, the GDPR affects your business.
According to Article 3(2) of the GDPR, it applies to controllers or processors outside the EU/EEA when they:
- Offer goods or services to individuals in the EU/EEA (even if no payment is required), or
- Monitor their behavior, such as through analytics, tracking, profiling, or cookies used to observe online activity.
Merely having EU/EEA website visitors is not always sufficient. The business must also demonstrate an intention to target EU/EEA users or monitor their behavior.
It remains one of the strictest data privacy laws in the world and has applied since 25 May 2018. It also inspired dozens of similar laws elsewhere, including in U.S. states such as California, in Brazil, in South Africa, and more.
The GDPR addresses the ways entities can lawfully collect, process, and use personal data from data subjects, that is, identifiable people, with its territorial scope tied to people in the EU/EEA.
It has a very broad legal scope, which is why it impacts businesses small and large, located both in and outside of Europe.
What Are the Most Common GDPR Misconceptions?
Now that I’ve briefly summarized what the GDPR is and how it impacts businesses, let’s look at ten of the most common misconceptions businesses have about this major Regulation.
Misconception 1: Small Businesses Are Exempt From the GDPR
There’s a common misconception that small businesses are exempt from the GDPR, but this could not be further from the truth.
In reality, there are no size thresholds associated with the GDPR.
It can apply to any business of any size, and to individuals, as long as they are acting in a professional or commercial capacity. Article 2(2) carves out, among other things, processing by a natural person in the course of a purely personal or household activity; that is the only exemption most businesses will ever bump into, and it does not apply to them.
Misconception 2: The GDPR Only Applies to EU Businesses
Another common misconception businesses believe is that the GDPR only applies to those located in Europe, but this is not the case.
In truth, the GDPR has extraterritorial reach and applies to businesses both inside and outside Europe.
As stated previously, under Article 3 the Regulation applies to any business established in Europe, and to any business outside the region that either offers goods or services to people there or monitors their behavior.
‘Goods and services’ in this context is read broadly and does not require payment: a free service offered to people in the EU/EEA counts.
Merely being reachable from Europe is not enough, though. Recital 23 makes clear that the mere accessibility of a website from the EU/EEA does not, on its own, show an intention to offer goods or services there; signs such as using an EU language or currency, or shipping to EU countries, do. A non-EU business that shows such intent, or that tracks EU/EEA visitors (for example with analytics or advertising cookies), is likely subject to the law.
Misconception 3: Consent Is the Only Legal Basis Under the GDPR
Some businesses falsely believe that the only legal way to collect data under the GDPR is by obtaining user consent, but this is not entirely true.
There are actually six legal bases for the collection and processing of personal information outlined by the GDPR.
The legal bases are set out in Article 6(1) and include:
- Consent
- Performance of a contract (or steps taken at the data subject’s request before entering one)
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task in the public interest or exercise of official authority
- Legitimate interests
Under the GDPR, the burden of proof falls on the business; this is the accountability principle in Article 5(2).
In other words, if a supervisory authority investigates your business after a complaint, it is up to you to show that each legal basis named in your privacy notice actually applies to the processing in question and is used in line with the Regulation.
The GDPR sets conditions for each of the six legal bases, which tell businesses what they need to be able to show to be in line with the law.
It is important to highlight that legitimate interests always requires a documented balancing test, and supervisory authorities consistently hold that it cannot justify intrusive tracking, analytics that identify users, or electronic direct marketing. For cookies and similar trackers, the ePrivacy Directive requires consent regardless of which GDPR basis you pick, so legitimate interests cannot be used to sidestep the banner.
Misconception 4: With Data Subject Consent, I Can Collect Any Data I Want
Some businesses might falsely believe that, with consumer consent, they can lawfully collect whatever data they want under the GDPR, but this is not the case.
The truth is, the GDPR’s data minimisation principle (Article 5(1)(c)) applies no matter which legal basis you rely on, consent included.
You’re only allowed to collect personal data that is adequate, relevant, and limited to what is necessary for the specific purposes determined by your organization, which must also be clearly described in your privacy notice.
If your business is found to be collecting more data than is necessary for its stated purposes, a supervisory authority can fine you and, under its Article 58 corrective powers, order you to limit or stop the processing.
Misconception 5: If Data Subjects Ignore the Consent Banner, They Agree to Cookies
Another misconception businesses often have regarding consent and the GDPR has to do with their use of pop-up cookie consent banners.
There’s a false belief that it’s okay to place cookies on users’ browsers if they do not interact with the consent banner.
However, consent for non-essential cookies must be obtained before those cookies are set; silence or inaction is not consent.
This means you cannot place any non-essential cookies on a visitor’s browser until they have given explicit, opt-in consent.
The GDPR defines valid consent in Article 4(11) and sets the conditions for it in Article 7, which include the following:
- Consent must be freely given by the data subject.
- It must be specific: consent is obtained for each distinct purpose, not as a blanket permission.
- The user must be properly informed about what they are consenting to.
- It must be unambiguous, given by a clear affirmative action, and not bundled with acceptance of other contracts or policies.
Article 7(3) also gives data subjects the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
All of these conditions must be met for consent collected through a cookie banner to be valid.
Importantly, the obligation to obtain consent for cookies does not come from the GDPR itself but from Article 5(3) of the ePrivacy Directive, which requires prior consent for non-essential cookies; the GDPR supplies the standard that consent must meet.
Guidance and enforcement decisions from the EDPB and from national authorities such as CNIL (France), AEPD (Spain), and DPC (Ireland) confirm that:
- Scrolling does not constitute valid consent.
- Pre-ticked boxes are unlawful (the CJEU reached the same conclusion in Planet49, C-673/17).
- Cookie walls may be unlawful unless the user has a genuine alternative.
Consent must be actively expressed, and analytics or marketing cookies cannot be set until that happens.
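What this looks like in the page itself, as an added example that is not code from the original post or from Termly’s Consent Management Platform: a small consent gate in JavaScript that holds back non-essential cookies and tracking scripts until the visitor actively opts in, records a receipt you could later show a supervisory authority, and expires the affected cookies on withdrawal. The category names (`necessary`, `analytics`, `marketing`), the cookie names, the script URL, the receipt fields and the in-memory `memorySinks` stand-in for `document.cookie` are all assumptions made for the example.

```javascript
// Added example (not from the original post or Termly's product): a consent
// gate that holds back non-essential cookies and tracking scripts until the
// visitor actively opts in, and undoes them on withdrawal. Names are illustrative.
const NON_ESSENTIAL = new Set(["analytics", "marketing"]);

class ConsentGate {
  constructor(sinks, policyVersion) {
    this.sinks = sinks;                 // { setCookie, deleteCookie, loadScript }
    this.policyVersion = policyVersion; // which version of the notice was shown
    this.granted = new Set();           // empty by default: an ignored banner grants nothing
    this.owned = new Map();             // category -> names of cookies set under it
    this.receipts = [];                 // evidence that consent was actually given
  }

  // Strictly necessary cookies never need consent; everything else needs
  // an explicit, per-category grant.
  allows(category) {
    return category === "necessary" || this.granted.has(category);
  }

  // Call only from an explicit click on the banner's accept control, never
  // from a scroll handler, a timer, or page load.
  grant(categories, source) {
    for (const c of categories) {
      if (!NON_ESSENTIAL.has(c)) throw new Error(`not a consent category: ${c}`);
      this.granted.add(c);
    }
    this.record("grant", categories, source);
  }

  // One call withdraws consent and expires the cookies set on its strength.
  withdraw(categories, source) {
    for (const c of categories) {
      this.granted.delete(c);
      for (const name of this.owned.get(c) || []) this.sinks.deleteCookie(name);
      this.owned.delete(c);
    }
    this.record("withdraw", categories, source);
  }

  record(action, categories, source) {
    this.receipts.push({ action, categories: [...categories], source,
      policyVersion: this.policyVersion, at: new Date().toISOString() });
  }

  // Returns false and writes nothing when the category is not allowed.
  setCookie(name, value, category) {
    if (!this.allows(category)) return false;
    this.sinks.setCookie(name, value);
    if (category !== "necessary") {
      if (!this.owned.has(category)) this.owned.set(category, new Set());
      this.owned.get(category).add(name);
    }
    return true;
  }

  loadScript(url, category) {
    if (!this.allows(category)) return false;
    this.sinks.loadScript(url);
    return true;
  }
}

// Constructed in-memory stand-ins so the example runs outside a browser. In a
// page, setCookie writes document.cookie (with Secure and SameSite), deleteCookie
// re-sets it with Max-Age=0, and loadScript appends a <script> element.
function memorySinks() {
  const jar = new Map();
  const scripts = [];
  return {
    jar, scripts,
    setCookie: (name, value) => jar.set(name, value),
    deleteCookie: (name) => jar.delete(name),
    loadScript: (url) => scripts.push(url),
  };
}

// Walks through the scenarios from the text and returns what happened.
function demo() {
  const sinks = memorySinks();
  const gate = new ConsentGate(sinks, "privacy-notice-v3");

  // Page load: the session cookie may be set; tracking is held back. Scrolling
  // past the banner calls nothing, so the same calls stay blocked afterwards.
  gate.setCookie("session_id", "abc123", "necessary");
  const gaBlockedOnLoad = !gate.setCookie("_ga", "GA1.2.1", "analytics");
  const tagBlockedOnLoad = !gate.loadScript("https://example.com/tag.js", "marketing");

  // The visitor clicks "Accept analytics" only; marketing stays off because
  // it was never pre-ticked or bundled with the analytics choice.
  gate.grant(["analytics"], "banner:accept-analytics-click");
  const gaSetAfterConsent = gate.setCookie("_ga", "GA1.2.1", "analytics");
  const tagStillBlocked = !gate.loadScript("https://example.com/tag.js", "marketing");

  // Withdrawing is one click on the preferences control, and _ga goes away.
  gate.withdraw(["analytics"], "preferences:withdraw-analytics-click");
  return { gaBlockedOnLoad, tagBlockedOnLoad, gaSetAfterConsent, tagStillBlocked,
    cookiesNow: [...sinks.jar.keys()], scriptsLoaded: sinks.scripts.length,
    receipts: gate.receipts.length };
}
```

The design point is that the only code path that flips a category to "allowed" is `grant()`, and the banner is the only caller, so scrolling, closing the banner, or a timer cannot produce consent by accident. The receipt (what was granted, from which control, against which notice version, and when) is what you would produce to discharge the burden of proof discussed under Misconception 3.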
Misconception 6: The GDPR Only Protects European Citizens’ Data
Some businesses assume that the GDPR only protects the personal information of European citizens, but this is untrue.
Actually, the GDPR protects the personal data of any individual who is in the EU or EEA, regardless of citizenship or residence status.
This is because the GDPR protects natural persons: Article 4(1) defines personal data as any information relating to an identified or identifiable natural person.
Identifiability is what matters; citizenship plays no part in the definition.
Misconception 7: My Business Is Too Small to Be Investigated by a Supervisory Authority
Some small businesses might think they’re so small that no one will notice if they don’t follow the GDPR’s requirements, but this is a risky assumption.
In reality, supervisory authorities across Europe receive complaints about businesses and organizations of all types and sizes.
Those found to have infringed the Regulation have been fined, as the GDPR Enforcement Tracker shows.
For example, private individuals have been fined in countries like Germany and Austria, as have fishing clubs and even a daycare center.
All it takes is a single complaint from a data subject, and your business, no matter the size, could be subject to an investigation.
Misconception 8: Following the GDPR Guarantees Data Security
Some businesses wrongly believe that following the GDPR means the data they collect is secure and safe from breaches or cyberattacks.
The truth? GDPR compliance can reduce security risk, but it does not guarantee immunity from breaches.
The GDPR is not a detailed cybersecurity standard. What it does impose, in Article 32, is an obligation on controllers and processors to implement technical and organizational measures appropriate to the risk, naming pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of those measures as examples.
It then holds businesses accountable when personal data is breached, leaked, or accessed by an unauthorized party: Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and Article 34 requires telling the affected individuals when that risk is high.
How you reach an ‘appropriate’ level of security is for you to decide, taking into account the state of the art, the cost of implementation, and the nature of the data and the risk to the people it describes, and you must be able to demonstrate that reasoning if a supervisory authority asks.
Misconception 9: The GDPR Is Fixed and Will Never Change
The GDPR has applied since 2018, and many businesses now assume it is a fixed law that will never change.
In actuality, the privacy legal landscape is constantly evolving; the text of the GDPR has been stable, but the guidance, case law, and enforcement priorities that determine how it is applied keep changing.
For example, the European Commission is currently publishing guidance and proposed changes to the GDPR to account for recent advances in AI technologies, cross-border data transfers, and more.
It’s therefore important for businesses that choose to engage in the collection and processing of consumer personal data to keep up with privacy laws and news about any changes, amendments, or new laws entering into force.
Misconception 10: Complying With the GDPR Is Confusing and Hard
The GDPR has a reputation for being difficult to follow, and it’s known for taking up a lot of business time, money, and effort.
However, plenty of resources exist that help businesses more easily align with the GDPR without the hassles and expenses of relying on a privacy attorney.
There are now several policy generators, templates, WordPress plugins, and consent management tools specifically designed to help businesses meet the GDPR requirements. They still depend on you knowing what personal data you collect, why, and under which legal basis; a generated notice is only as accurate as that inventory.
The world has had several years to learn how to adapt to the GDPR. There are now plenty of viable, affordable options for businesses of any size to access.
How Termly Helps Businesses Simplify GDPR Compliance
If your business needs to comply with the GDPR, try using Termly’s GDPR solution to help clear up confusion and save time.
By accessing tools like our Privacy Policy Generator, you can more easily make an accurate privacy notice to help meet the transparency guidelines outlined by the law.
Our Consent Management Platform features regional consent settings that accommodate the different user choices, such as opt-in and opt-out consent requirements in various privacy laws.
You can also align your site with voluntary frameworks like the IAB TCF v2.2 or Google Consent Mode.
Reviewed by Teodor Stanciu, CIPP/E, CIPM Legal Coordinator & DPO

