top of page
GDPR: Neither Use Nor Ornament, or Just Quietly Being Stretched?

GDPR: Neither Use Nor Ornament, or Just Quietly Being Stretched?

29 April 2026

Paul Francis

Want your article or story on our site? Contact us here

A Law That Promised Control

It is difficult to forget the moment GDPR arrived. In 2018, inboxes filled overnight with privacy updates, consent requests and new terms. For a brief period, it felt as though something meaningful had shifted. Companies were being forced to explain themselves, and users were, at least in theory, being given control over how their data was used.

The promise was simple enough. Clear consent, transparent data use and the ability to say no.


Person typing on a laptop with a glowing padlock and circuit pattern overlay. Purple and orange hues create a secure, futuristic vibe.

Fast forward to today, and that promise feels less certain. Not because GDPR has disappeared, but because everyday experience increasingly suggests that something is not quite working as intended. Settings are pre-enabled, choices are buried, and consent often feels like something you give by default rather than something you actively decide.

That is where the question begins. Not whether GDPR still exists, but whether it still feels like it protects people in the way it was meant to.


The Reality People Are Experiencing

Spend a few minutes going through the settings of most modern apps or devices, and a pattern quickly emerges. Features that rely on data collection are often already switched on. Options to limit or disable them exist, but they are rarely presented in a way that invites easy understanding.


Consent, in many cases, has become something passive. It is tied to long terms and conditions, accepted in a single tap, and rarely revisited. The idea of being fully informed at the point of agreement feels increasingly distant from how these systems actually work.

This creates a gap between expectation and reality. On paper, users have control. In practice, that control requires effort, awareness and persistence to exercise.


Not Broken, But Being Navigated

It would be easy to conclude from this that GDPR has failed, but that would not be entirely accurate. The law itself still sets out clear requirements around transparency, consent and data protection. It has led to real changes in how companies handle personal data, and it continues to provide a framework for enforcement and accountability.


The issue is not that the law is useless. It is that companies have learned how to operate within it in ways that minimise disruption to their business models.


One of the most significant tools in this regard is the concept of “legitimate interest”. This allows organisations to process certain types of data without explicit consent, provided they can justify a valid reason for doing so. In theory, this is a practical necessity. In practice, it can be stretched to cover a wide range of activities that users might reasonably expect to opt into rather than opt out of.


This is where GDPR begins to feel less like a shield and more like a framework that can be carefully worked around.


The Rise of Design Over Consent

Another factor shaping this experience is the way interfaces are designed.

Consent is no longer just a legal concept. It has become part of user experience design, and not always in a way that favours the user. Options to accept are often prominent and easy, while options to decline or customise are less visible or require additional steps.

These patterns are sometimes referred to as “dark patterns”, though they are not always labelled as such. They do not remove choice entirely, but they guide it in a particular direction.


The result is that many users end up agreeing to things not because they fully understand or support them, but because the process of declining is inconvenient. Over time, this shapes behaviour, turning consent into something that feels automatic.


Legal Compliance Versus Real Understanding

At the heart of the issue is a distinction that is easy to overlook. There is a difference between being legally compliant and being genuinely transparent.

A company can meet the technical requirements of GDPR while still presenting information in a way that is difficult to interpret. Long privacy policies, complex language and layered settings may satisfy regulatory standards, but they do not necessarily lead to informed users.


This creates a situation where protection exists in principle, but feels distant in practice. Users are covered by rules they rarely engage with, and decisions about their data are often made in environments that prioritise speed and convenience over clarity.


Why It Feels Like It Is No Longer Working

The frustration many people feel does not come from a single failure, but from accumulation. Each small instance, a pre-ticked box, a hidden setting, a feature enabled by default, adds to the sense that control is slipping away.


When that experience is repeated across multiple platforms and devices, it begins to shape perception. GDPR is still there, but it becomes harder to see its impact in everyday use.

That is how a regulation designed to empower users can start to feel as though it is neither use nor ornament. Not because it has no value, but because its presence is no longer obvious in the moments that matter.


The Gap Between Law and Experience

What this ultimately highlights is a gap between intention and implementation.

GDPR was designed to give individuals meaningful control over their data. That intention remains valid. The challenge is that technology has evolved quickly, and companies have adapted just as quickly to ensure that their models continue to function within the boundaries of the law.


As a result, the letter of the regulation is often maintained, while the spirit becomes harder to recognise. Consent exists, but it is shaped by design. Transparency exists, but it is buried in complexity.


This does not mean the law has failed. It means it is being tested in ways that were perhaps inevitable.


Where This Leaves the User

For the average user, the situation is both simple and frustrating. The protections are there, but accessing them requires time, knowledge and attention that most people do not have to spare.


This creates a form of imbalance. Companies understand the systems they operate within. Users, more often than not, are reacting to them.


Closing that gap would require more than just regulation. It would require a shift in how consent is presented, how choices are offered and how transparency is delivered.


A Regulation Still Worth Having

It is important not to lose sight of the fact that GDPR still matters. It has introduced standards that did not exist before and continues to provide a basis for holding organisations accountable.


The problem is not that it is useless. It is that its effectiveness depends on how it is applied, and at the moment, that application often favours compliance over clarity.

That leaves users in an uncomfortable position. Protected, but not always informed. Covered, but not always in control.


And that is why, for many, it can feel as though something that was meant to make a clear difference has become harder to see in everyday life.

Current Most Read

GDPR: Neither Use Nor Ornament, or Just Quietly Being Stretched?
You Bought It, So Why Is It Changing Without You Knowing?
Stop Killing Games: The Fight Over Who Really Owns What You Buy in the Digital Age

Worker Safety Under Scrutiny: What U.S. Employment Laws Can Learn from the UK

  • Writer: Paul Francis
    Paul Francis
  • Oct 15, 2024
  • 3 min read

Hurricane Helene, one of the most destructive storms in recent years, swept through the southern U.S., bringing catastrophic flooding and devastation. Tennessee was particularly hard hit, where the disaster took a tragic turn at Impact Plastics, a manufacturing plant in Erwin. Reports and lawsuits allege that some workers were allegedly forced to remain at the plant as floodwaters rose, leading to several deaths. This case has raised questions about workplace safety laws in the U.S. compared to the UK, especially in emergencies.


Flooding in Florida

The Impact Plastics Case: A U.S. Employment Tragedy

During the peak of Hurricane Helene, employees at Impact Plastics allege they were ordered to stay at work despite the worsening flood conditions. Survivors and families of the victims, such as Johnny Peterson and Bertha Mendoza, have filed wrongful death lawsuits against the company, accusing them of negligence in failing to evacuate workers on time. These families claim that management prioritized production over safety, a charge now under investigation by state authorities.


In the U.S., this tragedy has highlighted the limitations of at-will employment and the potential for employers to exploit the system. Under at-will employment, companies can dismiss employees for any reason—or no reason at all—without notice. This flexibility, however, does not absolve employers from following Occupational Safety and Health Administration (OSHA) regulations, which require them to provide a safe working environment. If it is proven that Impact Plastics ignored these standards, the lawsuits could result in significant financial penalties and legal repercussions for the company.


U.S. Employment Law: At-Will Employment and Safety Regulations

While at-will employment gives U.S. companies the right to terminate employees freely, it comes with legal responsibilities to ensure worker safety. OSHA mandates that employers must prevent hazards and protect employees from danger, particularly during emergencies like natural disasters. However, as seen in the case of Impact Plastics, where workers were allegedly forced to stay in a dangerous environment, the law can sometimes fall short of protecting workers from extreme situations.


The lawsuits now facing Impact Plastics claim that management's failure to act and protect its employees resulted in preventable deaths. If OSHA finds that the company violated its safety protocols, Impact Plastics may face severe penalties beyond the civil lawsuits filed by the victims' families.


UK Employment Law: A Stronger Safety Net for Workers

In contrast, UK employment law offers far stronger protections for workers, especially regarding job security and workplace safety. The UK does not have an equivalent to at-will employment. Instead, employees are hired under permanent or fixed-term contracts and are protected from arbitrary dismissal by laws that require a formal and justified process for firing workers.


One of the UK's central protections is the right against unfair dismissal, provided by the Employment Rights Act 1996. Workers cannot be dismissed without good cause, particularly after two years of service, and employers must follow a defined procedure before terminating an employee. These protections would prevent a UK employer from arbitrarily terminating workers or requiring them to work under unsafe conditions without significant legal consequences.


The UK also has stringent workplace safety regulations under the Health and Safety at Work Act 1974, which places a legal obligation on employers to ensure the safety of their employees. Had a similar incident occurred in the UK, where a company allegedly forced workers to stay in dangerous conditions, it would face immediate investigation by the Health and Safety Executive (HSE). UK law requires employers to conduct thorough risk assessments and provide safe evacuation plans in emergencies.


The Evolution of UK Employment Law

UK employment law has evolved over centuries, shaped by labour movements, industrialization, and societal shifts toward human rights. Early labour protections emerged during the Industrial Revolution when unsafe working conditions in factories sparked the need for regulation. The Factories Act 1833 was one of the earliest laws aimed at improving workplace safety.


The labour movement grew through the 20th century, culminating in stronger worker protections, such as the Employment Protection Act of 1975, which introduced key rights like redundancy payments, notice periods, and protections against unfair dismissal. These laws were further refined with the Employment Rights Act of 1996, creating a modern framework that emphasizes both job security and worker safety.


Learning from the Tragedy

The Impact Plastics case underscores the importance of worker safety and the potential dangers of unchecked employer authority in the U.S., especially in high-risk situations like natural disasters. While at-will employment offers flexibility, it can leave workers vulnerable if employers do not prioritize safety.


In contrast, the UK's employment laws, built through years of labour activism and government reform, offer a far stronger safety net. The UK's emphasis on fair dismissal procedures and strict health and safety regulations ensures that workers are better protected in emergencies. As the lawsuits against Impact Plastics proceed, the case may spark discussions about the need for stronger employment laws in the U.S., particularly in times of crisis.

bottom of page