The European Union’s General Data Protection Regulation (GDPR, abbreviated DSGVO in German) has been a defining force in the way personal data is handled across the continent since its implementation in 2018. Yet, as another Data Protection Day rolls around, the landscape is still riddled with confusion, myths, and legal questions. On January 29, 2026, the privacy advocacy group noyb took the opportunity to set the record straight, analyzing some of the most persistent misconceptions surrounding the regulation. Their findings—backed by recent studies, court rulings, and industry data—paint a picture that is far more nuanced than the public narrative often suggests.
One of the most widespread misunderstandings, according to noyb, is the belief that the DSGVO mandates the ubiquitous cookie banners that have come to define the European web experience. In reality, the regulation merely requires companies to obtain user consent before tracking, typically for the purpose of personalized advertising. How this consent is collected is left up to the businesses themselves. Many have opted for intentionally convoluted dialog boxes, making it easier for users to accept than to refuse. This design, as noyb points out, is a deliberate effort to boost consent rates and, by extension, advertising revenues. The practice also makes it harder to withdraw or deny permission, frustrating users and muddying the waters about what the law actually requires.
But the legal debate doesn’t stop with website operators. The question of third-party liability for cookies—especially when these parties aren’t directly running the site—has gained traction in recent months. On January 29, 2026, the Oberlandesgericht Frankfurt am Main (OLG Frankfurt) issued a ruling clarifying that even third parties can be held liable for cookies, regardless of whether they operate the website in question. This decision, coming on the heels of the DSGVO and Germany’s own TTDSG (Telecommunications Telemedia Data Protection Act), underscores that explicit user consent is required for all non-essential cookies. The ruling will likely reverberate through the digital advertising ecosystem, forcing companies to rethink their relationships and responsibilities when it comes to data collection.
Despite the strict language of the law, enforcement has been a different story. According to noyb’s analysis, only 1.3% of all reported cases between 2018 and 2023 resulted in financial penalties. The Irish Data Protection Commission, which oversees tech giants like Meta, Google, and Apple, imposed fines in a mere 0.26% of its cases. These numbers challenge the assumption that authorities are cracking down hard on violators. Instead, many cases drag on for years, often ending with nothing more than a warning. In one instance involving the German news magazine SPIEGEL, the Hamburg data protection authority held multiple meetings with company representatives and offered guidance for changes, but ultimately the case concluded with procedural costs totaling 6,140 euros—hardly a deterrent for large corporations.
The financial impact of personalized advertising—a central justification for aggressive data collection—has also come under scrutiny. The advertising industry frequently claims that tracking is essential for its business model, with little acknowledgment of alternatives like contextual ads, product placements, or subscription content. However, a 2019 U.S. study cited by noyb found that the additional revenue generated by personalized data was a mere 4%, translating to just 0.00008 dollars per ad. Remarkably, the Dutch public broadcaster NPO reported that its revenues actually increased after it stopped using targeted advertising altogether, suggesting that the economic necessity of pervasive tracking may be more myth than reality.
Another persistent belief is that the DSGVO unduly restricts entrepreneurial freedom. Critics have argued that the regulation stifles business innovation and competitiveness. Yet, as noyb points out, the EU Charter of Fundamental Rights recognizes entrepreneurial freedom only within the limits of existing laws—including those on taxation, the environment, and, yes, data protection. The right to run a business does not exempt anyone from complying with these obligations. The analogy is straightforward: just as a pharmacist must comply with health regulations regardless of their background, companies must respect data privacy rules, no matter how inconvenient they may seem.
Concerns about abuse of the right to access personal data—a provision enshrined in Article 15 of the DSGVO—have also been overblown, according to the evidence. While business associations in Germany have complained about the growing administrative burden, the data tell a different story. The regulation includes safeguards: Article 12(5) allows companies to charge a fee for, or refuse, requests that are manifestly unfounded or excessive. A noyb survey of data protection officers revealed that 73.3% reported little to no additional workload from access requests. In fact, it’s often the companies themselves that fall short—either ignoring requests or providing incomplete information. In 2022, Microsoft subsidiary Xandr reported a zero percent response rate to data access and deletion requests, highlighting the gap between legal rights and practical realities. Most tech giants now offer automated tools for handling such requests, often as simple download functions, but a truly comprehensive overview of stored data remains elusive for most users.
There’s also a misconception about who benefits from fines imposed under the DSGVO. Since 2018, authorities have levied approximately two billion euros in penalties. However, these funds go into state coffers, not to advocacy organizations like noyb. In certain countries, such as Spain, the money is funneled directly to the national data protection authority. This distinction matters: while NGOs play a crucial role in monitoring and reporting violations, they do not receive any direct financial benefit from enforcement actions, which could affect their ability to continue their watchdog work.
Amid these clarifications, one thing is clear: the DSGVO remains a work in progress, both in terms of public understanding and practical enforcement. The law’s intent—to give individuals control over their personal data and hold companies accountable—has not always translated seamlessly into day-to-day reality. Complex consent dialogs, patchy enforcement, and persistent industry lobbying have all contributed to a climate where myths flourish and genuine protections are sometimes slow to materialize.
Yet, the recent OLG Frankfurt ruling and noyb’s ongoing advocacy signal that the conversation around data protection is far from over. As digital advertising models evolve and public awareness grows, the balance between innovation, privacy, and accountability will continue to be tested. For now, the message from privacy advocates is simple: know your rights, question received wisdom, and don’t be afraid to demand transparency from those who profit from your data.