Five years with the GDPR: an empirical study emphasising information privacy and the consumer

Abstract

Consumers’ privacy rights have been enshrined in law, long before information systems and the Internet was brought to life. In 2018, stricter regulations relating to information privacy came into force, named the General Data Protection Regulation (GDPR). Using elements of Roger’s diffusion of innovations theory, we investigated the research question: How has five years of the GDPR influenced consumer’s knowledge, attitude, and practice of their enhanced rights? We draw on empirical data collected in Norway through four online survey questionnaires over five years (N=1293). Quantitative (descriptive statistics) and qualitative analyses (manual cluster text mining) were performed to obtain a state-of-the-art mapping of insights on consumers and their information privacy. Our findings show that the respondents’ answers remained similar over the years, and that the GDPR has not had a significant influence on the consumer. The respondents demonstrated a high degree of knowledge regarding both the regulation and technology, such as cookies. Their attitude was sceptical, as they valued their enhanced rights but questioned the feasibility. Regarding their practice, our findings reveal diversity. Some respondents took careful actions to protect their privacy, while most did not. The present paper should be interesting to both the industry (practitioners) and academia (researchers).