The General Data Protection Regulation went into effect on May 25, 2018. In the weeks before the deadline, the volume of emails from companies updating their privacy policies was significant enough to become a cultural joke. Every service you had ever signed up for wanted you to know about their updated terms, and most of those emails were as difficult to read as the terms they were summarising.
By July, the immediate panic had settled into something more observable. The regulation had not broken the internet, as some of the more dramatic predictions had suggested it might. Small companies had not been driven out of business by compliance costs en masse. The data economy had not collapsed.
What had happened was considerably more uneven than either the optimists or the pessimists had predicted. Large companies with dedicated legal and compliance teams had been preparing for months or years. The major platforms had made their policy changes, deployed their consent mechanisms, and adjusted their data processing workflows. Whether those changes represented genuine compliance or a careful performance of compliance was a question the enforcement bodies would take time to answer.
Smaller companies and those outside Europe that had European users were in a more complicated position. The regulation applied to any company processing data of European residents, regardless of where the company was based. Many small companies had limited clarity on what full compliance required and limited resources to achieve it. Some had responded by geo-blocking European users rather than addressing the compliance question. Others had done relatively little and were hoping enforcement would focus on larger targets first, which turned out to be largely correct in the early months.
The cookie consent banners that became universal following GDPR are worth noting as a case study in the gap between regulatory intent and actual outcome. The regulation required meaningful consent for tracking cookies. What appeared on most websites was a banner that made it significantly easier to accept all cookies than to manage them selectively, which in practical terms was not meaningfully different from the previous situation. Regulators eventually addressed this, but not immediately.
The more significant effects were in how companies thought about data collection as a strategic choice rather than a default behaviour. GDPR introduced the concept of data minimisation, the idea that you should collect only what you actually need. That concept had implications beyond compliance that took time to be absorbed.