Surveying the GDPR Aftermath

July 5, 2018 | Oro Team

It’s been about a month since the General Data Protection Regulation (GDPR) went into effect. In the months leading up to implementation, some companies were filled with escalating panic while others barely yawned. Now that the initial frenzy is over, let’s assess GDPR impact, look at implementation hits and misses, and weigh actual GDPR consequences.

GDPR Impact

There’s no doubt. GDPR implementation was costly. According to Bloomberg, the estimated cost for the largest 500 multinational companies to comply was upwards of $7.8 billion. Countless hours of planning and implementing audit controls and security measures had to be complete before May 27. The largest companies designated a data protection officer, and some also designated a regulation liaison officer just to be safe. One German producer of bottling equipment had 60 people involved in the GDPR process. Smaller companies were faced with many of the same tasks but with far fewer resources. AuroraWatch, a service of Lancaster University, operated with absolutely no commercial interests. When faced with the task of compliance, they opted to delete their database, stop sending emails, and just ask users to follow them on social media. The cost was simply too high. Clearly, there was plenty of panic and the GDPR impact was huge in terms of financial and human capital.

GDPR Email Hits and Misses

GDPR was all about respecting privacy and securing personal information. As a result, marketers in the European Union (EU) were on the hunt for double opt-in consent to email and explicit user consent for website cookies. Companies that are not EU-based but may have their content seen by people in the EU or have EU residents on their email lists had to comply as well.

Pundits proclaimed in the period before implementation that GDPR would kill email. On the contrary, one of the earliest GDPR consequences was the torrent of emails hitting inboxes worldwide as companies scrambled to get the necessary opt-ins for compliance. When the torrent became a flood of epic proportions, jokes were inevitable.


Some companies like MM.LaFleur turned a regulatory requirement into an opportunity and scored $4,000 in sales with their creative GDPR email. Now, that’s not much for an email marketing campaign, but this was their privacy policy email. That’s a most definite hit and a company that got it right.

Not every company was so savvy. Asos was a clear miss. Twitter was filled with complaints about their incessant emails. As if that wasn’t bad enough, some customers even received text messages in the wee hours of the morning.

Social media was afire with examples of companies that swung and missed. There is still an active hashtag, #GDPRFail, if you want to see more of what not to do.

GDPR and the User Experience

GDPR had an unexpected impact on user experience. If awards were given for the most awful and most ugly compliance forms, almost every company could enter. Even when the form was clean, many companies still got it wrong. Instead of opting in, they had users opting out.

One GDPR compliance firm required users to create an account and click through two pages just to opt into cookies. Two pages! In the coming months, UX designers will be busy cleaning up the carnage.

On the other hand, many companies opted to completely ignore GDPR and continue to Spam away. Their efforts are more noticeable now that email privacy is on everyone’s minds. It will be interesting to see if Spammers honor opt-out requests. Early indications are that Spammers are still gonna Spam.

Serious GDPR Consequences

Those Spammers should pay attention. The fines for non-compliance are steep. While the ICO hasn’t issued fines yet, pre-GDPR they fined Holmes Financial £300,000 for automated calls made to individuals without their consent and Honda Motor Europe Ltd £13,000 for sending 289,790 emails to discern customer preference for marketing messages. So, the ICO is scrutinizing marketing. And, under GDPR, those fines would have been much steeper. Luckily, the ICO has indicated they would rather inform and advise than fine and sanction. At least for the time being.

In the dust of the GDPR aftermath, it’s clear to see the greatest consequences were self-inflicted. Either overreacting or failing to act hurt relationships with customers and prospects. It’s a tremendous lesson learned for when it’s time to comply with the next major regulation. When cooler heads prevail, customers, regulators, and employees are all much happier.
