Data protection laws are useless if most of us can't locate the information we're agreeing to

You may already have noticed your inbox filling up with a new species of spam. “You’re in control,” the latest one told me. “The law is changing.”

This proliferation of politely worded emails asking you to please accept or not miss out or continue to receive is the public face of a a gargantuan piece of European data protection legislation called GDPR (General Data Protection Regulation), which comes into force exactly a month from now.

The new laws, which the UK has promised to keep in place after Brexit, make it easier for people to find out what information companies hold about them, have tougher penalties for companies who don’t keep data secure and require much clearer consent from individuals giving up their information – hence all those emails.

It’s a wonderful coincidence of course that a regulation that’s been grinding through the system for years should be coming into force just as the question of information rights becomes the political subject of the day, following the revelation that people’s information on Facebook was shared without their knowledge.

There must be some happy civil servants in Brussels right now congratulating themselves on their foresight that the rise of the digital economy would turn data into a precious commodity which people should be able to control.

At Doteveryone, we conducted research which shows this data protection overhaul should be welcome. People care deeply about their personal information, 94 per cent say it’s important to know how their data is used and 91 per cent say it’s important to be able to choose how much data they share.

But our Digital Understanding report, released this week, shows people don’t know what happens to their data – 83 per cent don’t realise that information about them is gathered from what other people share, 45 per cent aren’t aware that what they put on social media is used to target adverts, 79 per cent don’t know their information can be used to determine prices and almost two thirds don’t realise tech companies make money from their data.

The report shows where there are currently low levels of public understanding around digital technologies. But this can’t be blamed on the public.

Digital understanding is dependent on digital technologies being understandable. At present they are not.

We know from speaking to users that many people don’t read the long list of terms and conditions presented to them. In fact, 43 per cent say there’s no point reading them as companies will do what they want anyway.

GDPR should address exactly that problem – consent must be freely given, specific, informed and unambiguous. Companies who breach the legislation can face fines of 4 per cent of their turnover or £17.5 million, whichever is greater.

Facebook has reportedly deployed legions to address how to meet the new obligations and has promised to go beyond mere compliance with the letter of the law. But the decision to move 1.5 billion of its users based outside Europe away from the auspices of its (GDPR covered) Irish headquarters to the more easy-going regime still available in the US suggests it may not be such a fan of the increased data protection requirements.

And in the way it’s introducing the new law to its European users, Facebook is playing tech’s usual trick of making things easy to use but not as easy to understand.

In its email, Facebook tells me it’s updated its terms to better explain its service and promises it’s made it easier for me to control my data privacy and security settings. I’m then asked to review and accept.

But clicking through, it’s clear most of us will accept but not review. At each stage there’s a nice big button to say “I agree” – conveniently located just where your cursor still hovers from the previous screen. Want to do something else? You’re sent on a meandering tour along a set of pages to dig through new settings.

Facebook’s brilliance at frictionless design – the seamless experience we’ve all come to expect from our simple-on-the-outside interfaces – risks making this milestone piece of data protection meaningless.

And it’s not just Facebook – the email that told me I was “in control” was from online retail giant Asos, and had a nice big button to “opt me in” and a teeny hidden link if I wanted to tinker with anything.

There’s a design mantra in the government’s digital service that good digital products “do the hard work to make it simple”. But tech has now become polluted with the deceptively simple.

Information rights will be meaningless unless the public is in a position to exercise them. We need new codes of practice for design and consent which mean that good digital products do the hard work to make themselves understandable.

As the Information Commissioner considers who falls foul of the new rules next month, she should mark companies on whether they pass this test.

Rachel Coldicutt is the CEO of Doteveryone