Privacy vs convenience: Understanding intention-behavior divergence post-GDPR

The privacy paradox describes a scenario in which individuals express privacy concerns but still share private data online. We explore how the paradox can be understood following the introduction of the European Union's landmark GDPR (General Data Protection Regulation) legislation. Through qualitative interviews with online platform users, we find that individuals are concerned about personal data but remain constrained in their privacy self-management. In this context of limited perceived control, users' privacy attitudes are guided by anticipated value from using the platform and the convenience of privacy protection measures. Our study also highlights the role of peer influence on users' privacy choices, specifically through micro- and macro-network effects. We identify that (1) users move to privacy-protecting platforms to align with their social network, or because of information disseminated within their networks; and (2) users remain on platforms offering minimal privacy protection despite privacy concerns due to presence of their entire peer network. These findings provide a unified view on Privacy Paradox post-GDPR, bringing together a more comprehensive range of influences on individual-level privacy dynamics. Our research underscores the need for policymakers to streamline and standardize data protection measures lest the intentions of GDPR be undermined. We also highlight the need to go beyond a reliance on privacy self-management by better regulating the architecture of data management and enforcing principles of privacy by design and default.