How one man and a bottle of wine exposed the problem with GDPR


We all see them: those annoying pop-up boxes that appear on our screens, asking us to consent to websites’ privacy and digital cookie policies.

Likely you don’t read them, instead frantically hurrying the messages away by clicking “yes, I accept” without a second thought.

In fact, it appears actually engaging with the jargon is so rare that free wine goes unclaimed for months on end, buried deep in the particulars.

It emerged last week that Tax Policy Associates, a think-tank, had since February hidden a clause in their website privacy policy offering a complimentary bottle of “good wine” to the first person to notice it.

But it wasn’t until this month that somebody stepped forward to claim the prize, highlighting how little we all engage with the reams of legal red tape that have increasingly come to define our digital lives.

“We know nobody reads this, because we added in February that we’d send a bottle of good wine to the first person to contact us, and it was only in May that we got a response,” a sentence in the non-profit organisation’s updated privacy policy now spells out.

The think-tank’s founder, Dan Neidle, says the experiment involving a £30 bottle of 2014 Château de Sales Pomerol was a personal, “childish protest” against regulations that dictate all businesses have to have a privacy policy when “no one reads it”.

“I had an email out of the blue from a chap named Arthur. He was writing a privacy policy for his own website, and so was researching other ones. That’s how he found it,” Neidle says, adding Arthur unfortunately turned out to be “intolerant to alcohol” and so was unable to enjoy his reward.

“It shows that no one reads this stuff normally. A normal person doesn’t have the slightest reason in the world to do so.”

Burdensome bureaucracy

All firms that process and store customer information like names and email addresses must provide an online privacy policy as part of their obligations under the 2018 General Data Protection Regulation (GDPR), according to the Information Commissioner’s Office.

Those who fail to comply face the prospect of hefty fines and reputational damage.

But adhering to the directives is often an onerous task for small and medium-sized enterprises (SMEs) and charities, costing them energy and resources that could be allocated elsewhere.

As the complexity has risen, so too has the time such companies spend on ensuring they conform with the regulations, which is up by 46 per cent over the past year alone, according to new research from data and analytics firm Dun & Bradstreet.

Meanwhile, a 2021 study by the Federation of Small Businesses (FSB) saw two-in-five of its members describe data protection as the “most burdensome regulation” to grapple with.

These regulations create a “disproportionate effect” for companies with “fewer resources to devote to compliance than their larger counterparts”, says Tina McKenzie, policy chair at the FSB.

Neidle points out that even small, community coffee shops, for example, need to have privacy policies to comply with GDPR, adding this incurs costs that mean “money… [is] being wasted”.

Dan Neidle, who placed a clause involving free wine in his privacy policy, is in favour of simplified GDPR rules for small businesses - South West News Service

He argues the solution is to simplify - by reverting to standard privacy conditions that “apply as a default to typical small businesses that don’t handle client data”.

These shouldn’t require cookie policies and would help businesses save money and “save consumers from annoying clicking”, he says.

McKenzie, for her part, acknowledges data protection laws are a “vital” part of life in the 21st century.

However, their “complex” and “sensitive” nature means small businesses often need greater support and understanding from regulatory bodies not only to ensure compliance but also to “reduce the financial and time costs of doing so”, she says.

Regulators should be “proportionate” in enforcing these rules, McKenzie adds, focusing on “education and support in the first instance”.

“Having reams of text required by law, which, in practice, very few people actually read, undermines the consumer protection we all want to have in place. It also costs small firms time and money they can ill afford,” she says.

In effect, stringent requirements can distract entrepreneurs from important priorities like increasing profits, growing their businesses and generating jobs for their local communities.

“Starting a business isn’t about just doing the fun stuff – there’s a lot of compliance that can’t be ignored – but this all contributes to the long hours and sense of feeling like you’re taking on the world when trying to build traction and momentum,” says Gareth Jones, CEO of small business and coworking experts Town Square Spaces Ltd.

Hours of reading time

On the consumer end, there’s precious little appetite to sift through tens of thousands of words of policy, regardless of what it costs businesses to produce them.

Not only are they hugely complex, they’re also getting longer all the time.

A 2021 study by De Montfort University found that the average length of privacy policies had increased from more than 1,000 words in 2000 to over 4,000 words in 2021.

Dr Isabel Wagner, an associate professor in computer science who conducted the research, found that their average word count increased following the European Union’s implementation of GDPR in 2018 and, again in 2020, when California adopted its own privacy policies.

“As a researcher who works on privacy, I find myself agreeing to privacy policies but not reading them,” she told the New Scientist in 2022, admitting her study of some 50,000 texts was triggered by a recognition of her own habits.

Typical policies “require university education to understand”, Wagner said, and take at least an hour to read.

If you were to stop and digest each one, it would effectively amount to a part-time job.

A study of the most popular websites in 19 different countries conducted by NordVPN in October last year revealed that the average privacy policy was 6,461 words long.

In the UK, reading every word of every policy on each of the 20 most visited websites would take nearly 11 hours, the study found, based on assumptions that people read at approximately 238 words per minute on average.

And over the course of a month, the typical Brit would clock up something like 53 hours of reading time were they to peruse every privacy policy in full on each website they visited – nearly 20 hours more than the length of the average working week nationwide.

Calls for a ‘rethink’

The apparent absurdity of the situation has prompted calls for policymakers to make adjustments.

McKenzie, of the FSB, says there is a need for a “rethink on how the system works” so that legislation is “easier for everyone to navigate”.

This should be done in a way that preserves the “data adequacy we need to keep business flowing between the UK and other international jurisdictions with their own sets of rules”, she says.

Jordan Phillips, founder of food delivery startup Tin Can Kitchen, agrees that existing data protection regulations can be confusing for consumers and small businesses alike, arguing that a new approach is needed. He says the regulations’ wording is “verbose” and should be “condensed” to make them easier to understand.

“This, I feel, should definitely be the case for small businesses that do not have the money or resources of large businesses,” he says. “How this translates into real-world cases remains to be seen.”

Austin Walters, director of website design firm Triplesnap Technologies, recommends that regulators take a tiered approach that simplifies requirements for smaller businesses that don’t handle highly sensitive data. Meanwhile, companies which possess more personal, or sensitive, information about their customers would need to continue following “stricter controls.”

“Simplifying legal jargon and making policies more accessible could increase consumer trust and understanding without compromising data security, ultimately improving user interaction with these important documents,” he says.

Others contend companies have a part to play themselves too.

Andrew Wilson-Bushell, an associate at the law firm Simkins LLP, says firms should ensure they’re only providing customers with information they genuinely need to engage with.

But, lengthy and unloved as they are, privacy policies do ultimately have an important purpose, he acknowledges.

“The exercise of writing the privacy policy requires a business to understand its use of personal data, and map that out in a relatively comprehensible way. That might often feel like overkill - until a serious data breach occurs.”

Neidle, for his part, remains sceptical in the extreme about the demands GDPR has placed on SMEs.

That’s despite a historic uptick in engagement with his think-tank’s small print on the back of the wine stunt.

“In the last 72 hours we have had 1,000 people read our privacy policy, but in the whole of April, nobody looked at it,” Neidle says, citing web traffic data.

“It just seems crazy to me that my local coffee shop has to deal with the same rules as Facebook does,” he adds.

“Why can’t there be a simplified version of the rules for small businesses and non-profits?”
