Top 5 GDPR Fails (So Far)

Even though GDPR officially took effect back in May, companies all over the world are still scrambling to get their privacy rules in order. While most companies seem to be steadily rolling with the new changes, others haven’t been so lucky. Here are the five worst cases of GDPR mishaps we’ve seen in the past few months.


1. Ghostery Shares User Email Addresses


On May 25, 2018, GDPR’s zero hour, Ghostery sent out an email informing users of changes to the service’s privacy policy. At first glance, the email read like any of the other GDPR-related messages people received thus far.


Instead of sending a single email to each user, Ghostery actually sent the emails in batches — and forgot to blind CC the other recipients. The result? Hundreds of email addresses meant to be protected were exposed, clearly violating the service’s user privacy policy.

Source: Imgur


For a company founded on data privacy protection, the incident was ironic, to say the least. Ghostery has since released an appropriately apologetic statement, claiming full responsibility for the event and vowing to report the incident “as mandated by the GDPR.”


2. U.S. Newspapers Bid Europe Adieu


Even though everyone was given a two-year notice, some U.S. newspapers waited until the very last minute to make themselves GDPR compliant — and learned a valuable lesson about procrastination. After the May 25 deadline passed, major newspapers such as the LA Times, the Chicago Tribune, and the New York Daily News went dark for European visitors, all because the papers were still “working on technical compliance solutions.”

Source: Tronc


Other newspapers took less drastic approaches to GDPR compliance. NPR prompted visitors to either accept or decline the use of cookies and other tracking tools on their site. If users chose to opt out of tracking, they were redirected to a plain text version of the homepage.


Similarly, USA Today built a separate site specifically for European Union visitors. Much of the core content remained identical to the U.S. edition, but all of the adware and other tracking tools were removed for EU browsers. The move inadvertently showed the sheer amount of bloatware that plagued the U.S. site, as users quickly pointed out the drastic differences in speed between the two versions.


3. Forbes Visitors Experience Interruptions


Post-GDPR, new visitors to Forbes.com are now met with a stark landing page that offers a simple request: please enable cookies to enjoy the website’s “full power.” Users are then given the option to select preferences pertaining to cookie usage.

Source: Imgur


There are three levels of cookie choices available: required cookies, functional cookies, and advertising cookies. In theory, selecting the bare minimum option should give users access to the site, but that doesn’t seem to be the case.


Many users on Reddit have said that when they chose only required cookies, a message appeared saying Forbes is “processing” the request. However, after a few minutes, the users were redirected back to the settings options and asked again to update their cookie preferences to allow for data collection.


On the flip side, when visitors chose to allow all three levels of cookie preferences, they were able to browse the site immediately.


It’s debatable whether this move by Forbes holds up against the new regulations, but either way, the opt-in/opt-out gatekeeping is certainly an inconvenience to site visitors, especially those who are already wary about the website’s previous malware ad practices. Luckily, for those who don’t want to enable cookies, Forbes isn’t the only news site on the internet.


4. Klout Calls it Quits


Rather than adapt to the changes brought by GDPR, some companies have decided to close shop entirely. Klout, a former social media analytics platform, is one of them.


Marketers looking to work with digital influencers often used Klout to seek new partners. The Klout algorithm analyzed a person’s presence on social media and took into account how many followers, likes, and shares they received. Based on the findings, the algorithm pumped out a score ranging from 1 to 100 that indicated a person’s value as an influencer.


It’s easy to see how Klout would have its problems with GDPR’s rules, as the tool pulled data from a wide variety of sites, each with their own terms of service and privacy policies in place. Getting consent to access that data would definitely have been a challenge, if not impossible.

Source: Lithium


To be fair, GDPR may not have been entirely responsible for the shutdown. After being acquired by Lithium Technologies, a customer relationship management service, Klout lost much of its unique value. Marketers simply weren’t relying on Klout scores as much as they had in the past. That, combined with the upcoming wave of GDPR restrictions, proved too much for Klout to handle, and on May 25, Lithium quietly shut down the service.


5. Facebook Offers Vague Promises


Most of the major internet players, like Google, Microsoft, and Amazon, updated their legal documents in time for GDPR, but a recent study claims some haven’t made their changes clear enough.


The European Consumer Organisation (BEUC), a consumer protection group, has created an experimental artificial intelligence system whose purpose is to analyze privacy policies and check for GDPR compliance. Dubbed “Claudette,” the A.I. scans for language it considers “potentially problematic” and checks for instances of “insufficient” information. In other words, it sees if companies are being transparent enough about their practices.


After work began, Claudette immediately flagged one of the biggest — and most predictable — offenders: Facebook. According to the researchers, Claudette found that while Facebook’s privacy statement appears to acknowledge GDPR, it offers vague “legal terms, buzzwords, and catchphrases” instead of a “truly user-centric” GDPR policy.


As it’s written now, Facebook’s privacy policy gives little detail on how exactly the platform collects and manages user data, how it handles data requests, and how it allows third parties to access user data. The BEUC warns that without proper clarification, Facebook may be infringing on consumers’ rights, as laid out by GDPR. Time will tell if they’ll make the necessary changes.


This post originally appeared on Anura.
