May 25 marks the dawn of a new age in consumer privacy. Yet it wasn’t supposed to look like the Promotions tab in Gmail—full of messages that may or may not be useful, none of which you want to click on, all with fine print that makes the information less engaging.

For months, companies have been bombarding inboxes with privacy updates, nominally to comply with the General Data Protection Regulation, a supercharged set of privacy laws in the European Union, which go into effect on Friday. Under GDPR, companies are required to have a legal basis for collecting personal data, such as the user’s consent, or face serious fines. The law applies to companies processing data of people in the EU, which means most major American companies are also affected.

As the deadline approaches, the deluge has only intensified. That’s prompted GDPR critics to point to “consent fatigue” over the notices as a sign that the regulation is burdensome, and that consumers don’t care about privacy anyway. They question whether the new policies offer users any additional protection.

But EU regulators, lawyers, and privacy advocates insist it didn’t have to be this way. GDPR was supposed to inform consumers about the personal data being collected about them, and for what purpose. The idea was to incentivize companies to minimize the amount of data they hoovered up. Consent had to be informed, unambiguous, and freely given. If people were put off by clear explanation of how their personal information was being used, then the behavior would stop.

Instead, many of the law’s defenders say companies are using these emails as a way to avoid the underlying principles of clear disclosure. In some cases, their requests for consent are unnecessary, spamming you when they already had a legitimate reason to have your info; in other cases, organizations are using GDPR to mask the fact that they never had any right to your data in the first place. Then there are the emails that seem to openly flout the law---either threatening to shut down an account unless you agree to new privacy terms, or saying they’ll interpret your silence as consent.

“We are a little bit disappointed,” says Giovanni Buttarelli, who as supervisor of the European data-protection authority is the continent’s top data-protection watchdog. “In our point of view, sorry it’s not enough. So we think we need real change in how the giant tech companies approach people and information about them.”

In an interview, Buttarelli says many of the new policies “are written in perhaps a long and vague approach, perhaps in legalese, and this does not help people so they must be scrutinized carefully.”

'We are a little bit disappointed.' Giovanni Buttarelli, supervisor of Europe's data-protection authority

Buttarelli says the technology companies developing and distributing their new privacy policies “are in the position to benefit from the best legal advice and the most advanced technology in implementing the principle in design.” For companies that are so efficient with data mining and artificial intelligence, why not bring that same forward-thinking technological and design principles to “being ethically oriented,” he asked.

Don’t expect the shortcomings to lead to immediate penalties and fines. “Fines are the last step of the exercise,” Buttarelli says. “We need to first focus on compliance, and therefore what is more important is that people receive shorter, more communicative notices based on very simple and concise language, and where you do not need to make use of artificial intelligence” to interpret it.

Facebook and Google, which collect an extraordinary amount of personal data, have received particular scrutiny. Facebook users in the EU have received emails and pop-up banners instructing them that they have to accept Facebook’s updated terms by Friday to continue using the service.

In response to questions from WIRED about whether that approach is compliant with GDPR, a Facebook spokesperson said the company is “roadblocking” Europeans who come to the service, requiring them to agree to new terms of service. The spokesperson added that users are asked for “their dedicated attention and consent” on three specific, critical topics—sensitive data, facial recognition, and use of outside data to inform ads. Users are “free to consent or decline each of the three choices they are offered,” she said.