GDPR vs. Freemium: why social media giants are winning


By Iakov Shuvalov on


Aberdeen law student Iakov Shuvalov examines GDPR’s effectiveness in regulating ‘freemium’ business models, where ‘free’ services may compromise privacy

In the digital age, data has been regarded as the currency of the future. As a result, data is an asset that has grown in value and in its need for protection, and that is why the European Union (EU) implemented the General Data Protection Regulation (GDPR) in 2018. Aiming to empower individuals with control over their data and establish stricter privacy standards, the GDPR promised a paradigm shift and has received praise. However, a closer look reveals a critical shortcoming: the GDPR struggles to apply effectively to freemium models, a business model that, through social media, has a significant presence in the average person’s life.

In the age of ubiquitous online services, the concept of “free” often comes at a hidden cost: our personal data. Freemium business models, particularly prevalent in social media platforms, thrive on collecting and monetizing user information. The current application of the GDPR falls short in its ability to regulate businesses that rely on data collection and monetization as their core revenue stream. This is because the GDPR suffers from critical flaws in three areas: its initial drafting and wording, its application, and its enforcement.

Issues in application

Widespread non-compliance

A central argument for the GDPR’s ineffectiveness lies in the demonstrably high rate of non-compliance among websites. A web-scanning service analysing the 100 most popular websites in each of the 28 EU member states revealed a concerning lack of GDPR adherence. This study, while limited in its ability to definitively identify non-compliance within a website’s entire system, clearly demonstrates that many websites lack even the most basic GDPR implementation measures on their public interfaces. This widespread disregard for the regulation casts doubt on the ability of the GDPR to achieve its goals of data privacy protection.

This disregard is particularly worrying within the freemium landscape, where data collection and monetization are central to the business model. Unlike on other websites, data collection and user profiling are core functions of freemium services. Non-compliance with the GDPR in these areas directly undermines the service’s ability to operate its business model. But the most significant concern here is that if the GDPR is not effectively enforced within this sector, users are left unaware of how their data is being collected and used.

Issues in enforcement

Disproportionate impact

The GDPR’s application creates a concerning imbalance between small and medium-sized businesses (SMBs) and large corporations, particularly those operating under freemium models. While achieving GDPR compliance is crucial, the resources required – legal expertise, technical security measures, and ongoing data practice maintenance – pose a significant burden for SMBs. These businesses often lack the financial and technical muscle of their larger counterparts.

This disparity creates a two-tiered system. Resource constraints force many SMBs to fall short of full compliance, leaving them vulnerable to legal repercussions, while for freemium social media giants, whose business models rely heavily on data collection, potential GDPR fines become a mere cost of doing business. Their vast resources allow them to navigate GDPR complexities with relative ease.

This uneven playing field undermines the very purpose of the GDPR – a level playing field for data protection practices. Currently, the system favours large corporations, particularly those in the freemium space. This stifles competition and innovation within the digital economy, as smaller businesses become discouraged from adopting data-driven technologies for fear of non-compliance.

Overall enforcement issues

The effectiveness of the GDPR in curbing privacy violations by freemium businesses is further hampered by significant challenges in its enforcement. While the GDPR outlines hefty fines for non-compliance, several factors create a lacuna in which freemium giants are less likely to face serious consequences.

One issue is the resource constraints of Data Protection Authorities (DPAs). The DPAs in each EU member state often lack the resources to adequately monitor and investigate the complex data practices of large, international freemium platforms. Furthermore, freemium services often operate across multiple jurisdictions. This makes it difficult for DPAs to determine which authority has oversight and hinders effective enforcement action. In addition, investigating large-scale data breaches or complex privacy violations involving freemium models can be a lengthy process. This delays any potential penalties and weakens the deterrent effect.

These enforcement challenges create a scenario where freemium businesses may be more likely to gamble on non-compliance. The potential for hefty fines may seem less threatening when weighed against the vast resources these companies possess and the complexities involved in pursuing enforcement actions. This ultimately weakens the GDPR’s ability to effectively protect user privacy within the freemium landscape.


Issues in drafting

Loopholes and subjectivity

The GDPR’s reliance on the concept of “legitimate interest” as a legal basis for data processing introduces a significant loophole and element of subjectivity. While the GDPR outlines situations where “legitimate interest” might apply, it ultimately leaves companies with a degree of discretion in interpreting this clause. This subjectivity creates a risk of freemium services prioritizing their own interests over user privacy.

For example, the concept of “legitimate interest” can be used to justify the placement of certain cookies without obtaining explicit user consent. This raises concerns, as freemium business models can potentially interpret “legitimate interest” broadly to encompass a wide range of data collection activities. The lack of clear guidelines and the potential for abuse of this clause weaken the GDPR’s ability to ensure user control over their data.

Cookie notices

The GDPR’s reliance on cookie notices to inform users and gain consent for data collection presents a particular challenge. While intended to empower users, cookie notices often achieve the opposite effect in the freemium context.

As highlighted in a study by Advance Metrics, a staggering 76% of website visitors either ignore cookie banners altogether or simply click through them without engaging with the content. This behaviour stems from several factors such as many cookie notices being intrusive and disrupting the user experience, leading to frustration and a desire to dismiss them as quickly as possible. Another point to note is that the complex nature of cookie categories and the sheer volume of information presented overwhelm users, making it difficult to understand and manage their consent preferences. Finally, when faced with the choice between a seamless browsing experience and delving into complex cookie settings, users often prioritize convenience and sacrifice some control over their data privacy. It is for this reason that as of now there does not exist a lucrative market for businesses to sell enhanced privacy to their customers.

For freemium services, cookie notices become a flawed system that fails to achieve the GDPR’s goals of informed consent and user control over data. The pressure to access the “free” service and the complexity of cookie notices create a situation where users are unlikely to engage meaningfully with them. This ultimately undermines the effectiveness of the GDPR in protecting user privacy within the freemium landscape.


The GDPR’s noble aim of protecting user data privacy faces a challenge of growing significance and importance in the freemium landscape created by social media. While the regulation outlines a framework for user control and data protection, its current application struggles to effectively address the practices of freemium business models. The widespread non-compliance, subjectivity of the “legitimate interest” clause, and ineffectiveness of cookie notices all create loopholes that freemium giants can potentially exploit. Furthermore, the challenges of enforcement leave these companies with a lower risk of facing serious consequences for privacy violations.

It is clear that the current application of the GDPR falls short of its intended purpose. Moving forward, a re-evaluation of the regulation and its enforcement mechanisms is necessary. This may involve strengthening enforcement measures, clarifying subjective elements within the regulation, and exploring alternative approaches that incentivize user privacy alongside innovation. Only through such changes can the GDPR truly empower individuals and create a more secure and transparent digital environment for all.

The ongoing evolution of the digital landscape demands a robust and adaptable data protection framework. By addressing the shortcomings of the GDPR’s application within the freemium space, we can move towards a more balanced approach that protects user privacy without stifling innovation. Only then can the GDPR truly fulfil its promise of empowering individuals and fostering a more secure and transparent online environment, especially for users who rely on valuable “free” services offered by freemium businesses.

Iakov Shuvalov is a final year law student at the University of Aberdeen and has interests in Cybersecurity and Data Privacy Law.

1 Comment


Did not expect the twist in this that the two principal issues in all of data protection are … the legitimate interest lawful basis (which underpins so much processing of personal data by all companies and is usually uncontroversial) and cookie notices (albeit this seems to be confused with cookie banners and a general lack of awareness of the ePrivacy Directive). The writer of this would also be well advised to read up on strictly necessary cookies and why it would be foolish to require consent for their placement.
