There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
In fact the actors that most opposed those laws have always been non Europeans.
Sure, there is an attached cost in having your terms reviewed by a proper lawyer and documenting the entire list of cookie providers, but that's basically where it ends. It's really minimal effort and cost, we talking in the low single digits for the review, and few hours of engineering time.
The biggest issues in European growth are others:
- focus on being an export economy while neglecting the internal market.
- bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
- very conservative and risk-adverse mentality. Young people in college can't wait to graduate and find the best paying lowest effort stable job. That's not a problem if it involves a majority of graduates, I imagine all world is like that, but you do have an immense problem if you have 1% or 3% or 10% of wannabe entrepreneurs.
If you live in country X, you will only ever learn about services from country X or from the US. No one here knows what goes on in neighboring countries.
It's easy to think the EU is like the USA, but it's not, it is still separate sovereign countries with their own language and culture.
It's really true language is a big barrier but honestly the solution cannot be for every single company to offer services in 20 languages. It can't be. English must be adopted.
> English must be adopted.
Look at https://en.wikipedia.org/wiki/List_of_languages_by_number_of... and look at the total speakers vs. native speakers.
Now it should be clear why one is better than the other. The shared language of most is English, so you have the least amount of "extra learning" required.
Also, the number for German is generous in that it includes people that speak wildly "incompatible" dialects and accents. While people in Bavaria technically speak "German" and having them talk to other people that speak "German" (with various dialects) is easier than asking either to speak English as their primary language, that doesn't really solve the problem of even intra-German language rivalry.
Of course one thing will unite Bavarian and Saxon and Swiss and Austrian German and other highly accented/dialectic German speakers: They'd rather speak "German" (and deal with weird pronunciation/words) than English as an official language ;)
China has 1.4 billion people in one country while the combined population of Europe is around half of that, so that's one difference.
But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism. To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
I really don't see how Chinese tech companies would have benefited from receiving the diapers.com treatment.
Yeah, the US is missing out.
I am no economist or even that economics-knowledgeable and maybe I'm wrong and maybe China's protectionism is better somehow, but from everything I know or at least from every trope and meme I've ingested, free global commerce eventually leads to better outcomes for all parties.
As we can see everywhere else.
This wouldn’t even be good for the US, just good for the shareholders of these companies.
China is a decade ahead of the rest of the world in different kind of use cases (think their super apps or payments).
TikTok is the most popular social media app out there, and it's chinese.
They are also tremendously competitive in AI despite all the limitations they encounter.
Honestly I think that the last century should be a clear statement that protectionism, sanctions and closeness is a failure whose bills are paid by tax payers.
We've been bailing out and protecting non competitive industries (which have further incentives *not* to invest due to protectionism they benefit from) for decades.
When Trump 1 put high taxes on dishwashers and house appliances it hasn't really pushed US companies to do better, it just allowed them to raise the prices and do very little.
But the fact that some countries play dirty (see China and their industrial espionage and lack of respect of patents and intellectual property), while others are obsessed with being #1 even if it means pursuing that via bullying methods have pushed us in this very negative scenario I don't see how can we leave us behind unless we get a new generation of brighter leaders.
Sadly, that's not how you win consensus and elections today.
How would china be better off? All their tech companies would have been bought out by larger foreign tech companies. Kinda like what happened to many european tech companies.
> To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
Yeah that's what the chinese state is worried about /s. Not the neverending misinformation, disinformation and propaganda directed against it.. When china does it, it's "authoritarianism". When "the west" does it, it's fighting against misinformation.
If a situation was "China is producing X and having its taxpayers subsidize cars, steel, etc" then it would be their loss and our advantage. We get great products they get pieces of paper. I couldn't care less.
But considering that the real goal of those bad actors is to annihilate the competition and then pull the rug this is ultimately a bad idea.
Especially when those bad actors, at the same time, do their best at playing dirty and ignoring intellectual property.
I couldn't care less if Europe didn't have a shipping industry, in fact protectionism of it has failed miserably in Europe, and made our yards less, not more competitive. So yes, in that world I agree.
But in a world where an elected (or unelected) government, can suddenly blackmail you or create such an immense strain on your economy (as Russia did with Europe) this is not really like that. And suddenly you realize you should've paid way more, but invested way earlier in diversifying energy-wise.
In an ideal market I'd be 100% with you, in the real world, it's really neither black nor white.
A law whose purpose is protectionism is bad. It invites stagnation, pointless inefficiency, and retaliation.
A law whose side effect is a bit of protectionism has none of these problems.
People are opting for the less efficient options, on purpose now. We live in an era where America is imposing tariffs.
Europe has a lot of problems that result in low ambition and growth, privacy law isn't one of them.
It’s funny you mention a lack of entrepreneurial spirit but then dismiss something that’s clearly a factor (not saying it’s the main factor but obviously it has some effect).
I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
GDPR fines scale based on annual turnover so blocking EU users on a non-commercial product is utterly pointless and just being mean.
Almost nobody goes to France, Germany, Spain, Italy, etc. The mainstays of the European economy. Let alone central or eastern Europe. But if you're a young talented engineer in the middle of nowhere usa, you can just easily move to the bay area without any issue. That cultural unity IMO is America's biggest strength, and the lack of it is Europe's biggest weakness.
Note: I've lived in Ireland, the Czech Republic, and France, so I know first hand how hard it is to move inside Europe, and I understand why people don't do it.
I guess you have been part of software startups and you severely underestimate the bureaucracy that is involved in physical companies nowadays. Farmers, fishermen, factory-owners, and other small to medium size companies all have severe difficulties with ever increasing regulations. By itself the regulations are not always bad, but usually it takes way too long to get through the system which makes it hard to compete with, for example, China.
What exactly is europe competing against china on? Isn't europe's competition the US?
One day I got a letter from the national authority regarding personal data where I was asked to reply to 15 questions regarding a personal project of mine, invoking the GDPR. The sanctions for not complying within 5 days was an incremental fine of 600 euros PER DAY, until I complied. This letter was directed to me as a natural person (not even my company).
Another story: I had a publishing website with some ads on it. The moment full GDPR went into effect, some years ago, revenue instantly dropped by 30% because the cookie banner I was using wasn't part of the approved european framework for cookie banners (they created an entire organization for this, called IAB). Most of the "approved" cookie banners are insanely overengineered nonsense and almost all of them cost a lot of money. And they kill your performance metrics. And when I finally gave in and implemented one of those, revenues dropped even more because I was losing readers who just quit without consenting at all.
Third and final anecdote: at one point I was contracted by a Romanian DTH television company who mostly operated with prepaid customers. According to GDPR, they were supposed to anonymize data they no longer needed, but because their clients were seasonal or less predictable, that turned out to be ridiculously hard. Their legal department, together with external contractors such as us ended up spending months to adjust their systems to conform to GDPR, and the result was their losing business and time, while being unable to properly serve older customers because they could no longer identify them.
So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit. On the contrary, the large companies could afford the legal counseling that they needed, but the smaller ones were hit hardest.
This decision is in response to lobbying from these actors (and their new friend in the white house). It is not supposed to benefit you.
European starts with a vowel in spelling, but actually phonerically begins with a consonant, /j/, so it doesn't trigger the "an" thing.
Similarly some spellings start with a consonant but have vowels (like acronyms, "an SSRI", the name of the letter S, "ess", begins with a vowel)
More to the point I agree with what you're saying. This seems like lazy attribution of cause that is so common in American business and politics. "Of course deregulation will boost growth!" Why? Because of religious beliefs about deregulation boosting growth.
Ah makes sense.
In my head it's never "you"ropean, but "ew" uropean as I'm not a native english speaker and phonetically it's a consonant in english only. In greek, slavic languages, german or latin-derived it's always "ew".
OP already mentioned in his area it's phonetically mostly "ew".
I'd say a lot of germanic areas also do something I'd describe as "oi". That'd also make one inclined to use an "an" when speaking.
There is now a full generation of Europeans who grew up in with this mentality, looking down on Americans for their ridiculous work ethic and comparatively meager benefits.
But it's not sustainable, and the strain is already becoming obvious. Young Europeans will have to work longer and harder for less if they want to move Europe away from being totally dependent on American tech, American defense, and Chinese wares.
Also, even if your claim were true, I wonder if joining the rate race of working harder is worth it.
Cambodia's GDP growth is over +5% YoY, whereas Switzerland (and the rest of Europe) has more modest GDP growth.
There is some "Work smart, not hard." facet to this, which requires an educated population.
The other fascet is developing countries exist in climates heavily impacted by global warming (look at flooding in VN or TH this year). They make 2 steps forward, and then 3 steps back when a monsoon takes out an entire town.
> Also, even if your claim were true, I wonder if joining the rate race of working harder is worth it.
Personally, employment makes my life interesting and rewarding. I love the puzzles (and compensation) that my employer provides. The rewards compound, but in career development and via investing the profits.
Unfortunately, I think the one area that isn't accounted for is child care. Societies (rich and poor) continue to extract time away from parenting, via cost of housing near job centers and dual-income families. Offering an extra month of vacation or 4-day work week isn't the same as 1 income household or the parents living 15 minutes from their job.
This is a natural consequence of being an industrially advanced country though.
A lot of GDP growth can come from establishing basic services like a functioning healthcare system, insurance apparatus and financial system. Of course, we can't building out infrastructure like roads, power, etc.
Especially construction can lead to substantial GDP growth, but once you have a basic set of infrastructure and housing in place, growth is much slower and consistent for very obvious reasons.
Once you have that stuff in place, getting consistent growth requires more advanced stuff.
The US is very much an outlier and attributing that soley to a difference in work ethic is ignorant at best.
Right, Europe also has a suffocating business environment which is the primary driver.
Ok, but then compare the GDP of the USA vs Europe as millennials enter the workforce. Entering the 2008 crisis, USA and Europe were neck in neck. Now, the USA has left Europe in the dust.
Declaring the US an outlier seems like an odd choice... What country should you compare Europe to?
The point you are making is exactly the reason why this problem is so existential for Europe. QoL is good, so nobody wants to change anything, or feels the need to.
But structurally, Europe is not sound and European leaders know it (Just look at the surge in rhetoric about Euro independence). Do you know the story of the ant and the grasshopper?[1] Europe is in a 50 year long post soviet era summer. Most young (and now even middle aged!) Europeans only know summer, so it's going to be incredible difficult to get them to collect food for this mythical thing called "winter".
[1]https://en.wikipedia.org/wiki/The_Ant_and_the_Grasshopper
North Koreans think the outside world is going to collapse because they aren't doing what North Koreans are doing, but it's all just propaganda. You need to distinguish what you say from this.
The surge in anti-EU rhetoric seems to be mostly coming from US propaganda bleeding over, and is still a minority.
People have been predicting the immediate collapse of Europe and the immediate collapse of the USA for decades.
Nobody on the ground, who actually buys groceries, trusts official inflation numbers. How much apparent GDP growth is actually just unreported inflation? I saw some food getting 50-100% more expensive over the last 5 years, which is 10% per year. What was GDP growth? Less than 10%...
Many topics condensed into a single comment to conserve rate limit.
This is not a fair question. The roaring 20s had no idea The Great Depression was coming. Most people didn't see the 2008 crash happening. Ukraine signed agreements with Russia to not be attacked. In 2019, no one was worried that their country couldn't produce face masks or mRNA vaccines.
IMHO, the only foreseeable disaster now is climate change and CN/TW conflicts. I'm not smart enough to model the downstream effects of those events and how Europe should be preparing for them.
The USA is forcing TSMC to at least shift some of their output to US soil.
> anti-EU rhetoric
I don't know what you mean by anti-EU rhetoric. Americans have no problems with the a centralized governance for Europe. Generally speaking, we are taught the EU is a good thing Europe (and the USA), because we want strong allies.
Just like how the EU got upset with Greece for poor fiscal responsibility, the US is concerned about the EU's military investments, tech development, and general economic output.
> trusts official inflation numbers
I think you're comparing apples and oranges. The inflation numbers are not supposed to represent any one individual's on-the-ground's inflation numbers. For example, Washington state adding a gas tax might not show up in the national inflation numbers, but if you're a long distance trucker, you're definitely experiencing inflation.
---
Anecdote with heavy sampling bias: When traveling in Southeast Asia, I met tons of Europeans complaining 5 day work weeks is too much and 30 days of PTO isn't enough. One woman in her 30s took an additional month off of unpaid leave so she could have a second holiday in Laos, Malaysia, and Thailand.
IMHO, Europeans should be developing their own tech / biotech / military, instead of demanding 4 day work weeks, and 60d holidays.
E.g. emerging markets tend to outperform advanced ones, because they have more room to grow.
If you think the US stock market has done well in the last few decades, wait till you see India or Peru.
Russsia invading Ukraine, and the US providing the majority of the weapons and cash to stave off Putin should have been a gut-punch wake up call that Europe is in an extremely vulnerable position, and needs to get to work building their own modern tech, their own defense, and their own industry.
Failure to do those things will lead to Europe balkanizing as the economic situation gets worse under the weight of an aging population and shrinking economic output. Young Europeans think they cracked the code of comfortable living, but really they are just in a post-cold war golden period. Very similar to the post-WII era American baby boomers enjoyed (except they had lots of children).
https://en.wikipedia.org/wiki/List_of_countries_by_average_a...
Look at the bottom of the list and then go look at their growth.
Also look at the top ;)
> Russsia invading Ukraine, and the US providing the majority of the weapons and cash
That's beyond false, US provided little non-military help, the money mostly stayed in US and went to US contractors.
I don't need to tell you that those figures are also insanely inflated by crazy costs.
Zelenski himself has stated that he proposed multiple times to, e.g., send its navy to US ports to take the weapons so US taxpayers wouldn't have to bear the costs, but instead tens of billions went into that expense. Why? Because US support to Ukraine is a welfare machine for US contractors.
In total EU has provided around 3 times more between military and non-military.
https://www.kielinstitut.de/publications/ukraine-support-tra...
Population collapse cannot be a good enough reason, either. Older people won't be happier if their servants are robots instead of climate migrants.
This has the energy of "Why are we building rockets to the moon, when there are homeless people in San Francisco"-vibes?"
> give generous UBI to each and every person
Have you seen the movie Wall-e? I don't think society should strive to outsource all labor to AI and robots, nor is that the final end-state of building robots and AI.
Yeah, if we want to be the world superpower we have to work really hard. But we definitely won't get any of the benefits of being the world superpower - just like Americans don't already - all of it accrues to billionaires. And it'll make the rent really high. So why should we want that? Of course, we don't want anyone else to be a world superpower either, because kings/dictators/emperors are bad.
My hot take is that this is a signal for Trump. We play nice with you, you play nice with us.
Big tech is well connected to the current US administration so if the EU were to make theses changes, then they will appease big tech (a little bit) and therefore by extension Trump.
I (like you) don't think that these regulations are the reason the EU doesn't have home grown hyper-scalers a la AWS or GCP or Azure.
I think the EU just fell asleep at the wheel for too long. It basically outsourced its defense to NATO, its tech needs to the US and its manufacturing to China and for a while it worked perfectly.
However the world is changing and the EU is simply in my opinion not up to the task. It's too slow, bureaucratic and messy to be able to adapt rapidly and it lacks the vision necessary to remedy to its weaknesses.
1. We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
2. Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in africa or central asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
3. I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters:
https://transparency-register.europa.eu/search-register-or-u...
I'm quite convinced Ursula von Der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
4. EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
5. There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
> We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
Is that a counterpoint to my NATO comment? If so I agree, I think that the EU countries should exit NATO and form their own military alliance. However it is very clear that investing in military capabilities is not the priority of the EU countries as only a few of them managed to spend the required amount each year as per the NATO treaties. Most likely such alliance will be dead in the water.
> Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in africa or central asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
Again I agree with you. I think that the US has caused much suffering by invading Irak and Afghanistan and then Libya (with the help of other countries), thereby causing the refuge crisis and then leaving the EU countries alone to deal with this problem.
> I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters: https://transparency-register.europa.eu/search-register-or-u... I'm quite convinced Ursula von Der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
She was not elected to be a good politician.
She was a terrible politician in here home country. There was nothing to expect from her at any level and so far she has not disappointed. Her secret deal with Pfizer and her missing text messages are just the tip of the Iceberg.
> EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
That is never going to be the case because all EU countries want different things and for very good reasons. They have different needs and different economies.
So the German government will keep selling out its EU "partners" as long as they can keep selling cars in the US. France or Italy would have done the same.
> There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
I disagree with you on Macron. Macron has no vision besides a "more" federal Europe. The details are not very clear and his policies are constantly changing depending on his approval level in the polls. His promise when he was elected was that to put the far right out of business by the end of his presidency, the reality however is that the far right is now the biggest party in France and is in very strong position to win the 2027 election.
That's quite of a weak argument, every state or county in the US has conflicting interests too. But there has to be defined boundaries in what is the business of EU and what is the business of single states.
I would say that matters like digital data privacy should have one common policy, not 20+ agencies.
And all of it is due to massively overvalued companies in california.
Your health outcomes alone are better in the EU.
I think we all agree that looking at GDP figures needs to be supplemented with wealth distribution data.
In the US. By far!
And migration data backs it up.
Thats kind of the point...
https://en.wikipedia.org/wiki/Control_theory
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
I think the problem here is more that _some_ people want the heater to be on and _other_ people want the heater to be off.
One group has a lot more money, power, and influence than the other.
Thanks for the link.
Control Theory does not work (in the general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviosuly works, but for it to be a good solution in some political context you must additionally prove the existance of some Nash equilibrium where it is being correctly applied.
Edit: See https://www.youtube.com/watch?v=rStL7niR7gs (CGP Grey - Why Do All Governments Work the Same Way?)
The thesis argues that dictators regularly both harm groups clearly inside the winning coalition, and please groups clearly outside of it. A common, but not the only reason, is ideology.
One has to be careful when using game-theory models on messy human entities. Sometimes it works, sometimes it doesn't, and it's hard to determine just at what point the model breaks down. At least without empirical research.
(Another example is that actual negotiation outcomes rarely end up at the minimax or Nash product equilibria that game theory sequential negotiation concepts would suggest.)
Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.
Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.
“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”
“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.
Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
I very heavily disagree here, we aren't doing as much of this as we should be.
Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.
Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.
Either it is possible to easy change law to make it worse ("slippery slope" is valid objection) or changing law is "much harder than doing nothing"("slippery slope" is a fallacy).
Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.
And the snowball effect continues. Governments are only increasing their grip on power(looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014- 2019, that ship has long sailed.
This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.
The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.
Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.
Perhaps not when it comes to matters like these.
The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.
But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.
For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.
By that measure every law is a bad law.
Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.
(joke)
Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).
Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.
And now you want to rigidly apply your operators to this parameter space?
Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.
It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."
That doesn’t seem to be working.
I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.
Come out of government better off than when you when in. Fine, good on ya. No need to tells us about how you’re going about it while you’re going about it.
Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
i’d rather something a bit more verbose and clear than cryptic and confusing. there are many actors in the world with different brains.
The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"
Simplicity is a laudable goal, but it's not always the one thing to optimize for.
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in it's own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
You're missing the point. Code is separable from hardware per se, even if practically they typically co-occur and practical concerns about the latter leak into the former. The hardware is in the service of our code, not our code in service of the hardware. Targeting hardware is not, in fact, the most straightforward option, because you're destroying portability and obscuring the code's meaning with tangential architectural minutiae and concerns that are distracting.
> you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware
You're mischaracterizing my claim. I didn't say hardware doesn't matter. Tools matter - and their particular limitations are sometimes felt by devs acutely - but they're not the primary focus.
My claim was that code is PRIMARILY for human consumption, and it is. It is written to be read by a person first and foremost. Unreadable, but functioning code is worthless. Otherwise, why have programming languages at all? Even C is preposterously high-level if code isn't for human consumption. Heck, even assembly semantics is full of concepts that have no objective reality in the hardware, or concepts with no direct counterpart in hardware. Hardware concerns only enter the picture secondarily, because the code must be run on it. Hardware concerns are a practical concession to the instrument.
So, in practice, you may need to be concerned with the performance/memory characteristics of your compiled code on a particular architecture (which is actually knowledge of the compiler and how well it targets the hardware in question with respect to your implementation). Compilers generally outperform human optimizations, of course, and at best, you will only be using a general knowledge of your architecture when deciding how to structure your implementation. And you will be doing this indirectly via the operational semantics of the language you're using, as that is as much control as you will have over how the hardware is used in that language.
> Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
In principle, you can write your code as a monolith, and your language's compiler can handle the details of distributing computation. This is up to the language's semantics. Think of Erlang for inspiration.
> People keep building distributed systems because they don't understand, and don't want to understand, hardware.
Unless you're talking about people who misuse "Big Data" tech when all they need is a reasonably fast bash script, that's not why good developers build distributed systems. Even then, it's not some special ignorance of hardware that leads to use of distributed systems when they're not necessary, but some kind of ignorance of their complexity and an ignorance of the domain the dev is operating in and whether it benefits from a distributed design.
> But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
This is neither here nor there. Not only are "network calls" and "caching" and so on abstractions, they're not hardware concerns. Hardware allows us to simulate these abstractions, but whatever limits the hardware imposes are - you guessed it - reflected in the abstractions of your language and your libraries. And more importantly, none of this has any relevance to my claim.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.
If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?
There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.
Even if I were emperor and believed hese businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.
In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.
⁰ https://en.wikipedia.org/wiki/Parable_of_the_broken_window
(Coda: You might say that's impossible, and local loan sharks will spring up to meet the need. That's probably true, but at least those guys merely break your legs, rather than advertising incessantly on daytime tv.)
Deregulated gambling has had a horrible impact on individuals. Repealing Glass—Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.
Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI(hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.
So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.
Let's not be overly pedantic and overly Pius on petty semantics like that. It was clear from my original comment, the context of what I was talking about.
E.g. "if a decision cannot be explained by a human, it should bot be done by a machine" applies to them, too.
Basically, if you read the EU AI Act for example, it's hard to find anything you'd disagree with regardless of whether it's about ML, LLMs or three if statements in a trench coat.
Of course the industry is up in arms about it (just like GDPR)
Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
> insane monopolistic pricing and practices in the US in eg the telecom industry
It's actually regulations deterring competition in telecom who are responsible to those practices.
It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
> too little environmental regulation
In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.
Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.
> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.
> In China. You forgot "in China". … Good luck promoting environmental regulation there.
Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯
I’m not blind to the existence of plain bad regulation, regulatory barriers and capture — but the overwhelming majority of these arguments have just been used to make regular people’s lives’ worse.
“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.
As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.
One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.
Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.
> Bell system
Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made illegal to connect a 3rd party telephone to Bell's network!
Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulation incumbents lobby for is meant to deter competition.
> Cheap housing isn’t being built in the UK
I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...
Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.
Maybe I should have used dumping waste in a river and paying workers below minimum wage as examples. Profits could go up, but most people would agree it should still be illegal.
Normally I'm against overrgulation, but when it comes to privacy more fine for big corp is need if ANY violation is found. Rather NOT have AI than compromise on privacy.
Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.
Are you sure someone knowing your address is that bad?
It's bo longer just "your home address".
Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.
But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.
BTW, when presented with clear non-dark-pattern choice 96% of people opt-out of "losing a little privacy": https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...
There is no universal measure for that, only each individual can answer the question for herself. GDPR is robbing people of that chance though.
> Is this a small amount
For me, yes. I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
> 96% of people opt-out
I bet they would chose very differently when the alternative is to pay or stop using the product. Just look how many people use privacy-destroying fidelity cards in supermarkets for some measly discounts.
How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".
> I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
There's a difference between "one company" and "thousands of companies". And yes, there's an expectation that the company doesn't sell that location data which even in the US results in lawsuits: https://www.reuters.com/legal/litigation/us-court-upholds-ve...
> I bet they would chose very differently when the alternative is to pay or stop using the product.
False dichotomy. You don't need 24/7 suveilance to show ads or monetise products.
Patently untrue. Under GDPR you are not allowed to withhold your services from users refusing to give you "their" data. Their opt-out costs them nothing.
This is what you pretend to care about: "There is no universal measure for [what small amount of privacy constitutes], only each individual can answer the question for herself."
What you actually want (and what is actually happens): "users are not given no privacy whatsoever and every single scrap o user data has to siphoned off and sold to the highest bidder, and the false alternative should be for users to pay to preserve their privacy". That is basically what Facebook is arguing.
So. First you define what "small amount of privacy" is, and put a price on that. And then present users with a choice. Or skip the pretence.
Source: https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-...
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
Your overall point is solid, but I'd like to what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.
Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitve advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/
Shame we can’t regulate the quality of regulations.
That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.
It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.
I was somewhat disappointed, however, to aee that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
There's no reason to expect the warm clothes to be made in the north and the cool clothes to be made in the south.
European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.
The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.
I don't mean to refute your experience, but I am suprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean.
⁰ EU procedure means there are some notable absences in the list, but it's pretty comprehensive once you include citizens' second languages. See https://european-union.europa.eu/principles-countries-histor...
All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.
Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) means that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.
A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.
(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)
Come to Ireland, we have Guinness!
And that is just one of many new regulations.
coats have gotten higher, but across the board for different countries
What have we gained by framing it as such other than an extremely biased take pro unregulated business?
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are build in less-regulated territories (USA and China to be specific).
Oh no. How are you going to build your new ChatGPT wrapper without selling user data to thousands of "privacy-preserving partners"?
GDPR (and a very small number of other applicable regulations) are somewhere between place 1000 and 1500 of things that hinder startups. And unless you are a complete moron those regulations will maybe apply to you when you reach 10 million+ users.
No. GDPR was presented as a company ending regulation. You make a mistake - you are doomed. The fines are in revenue percentages. User data was said to be "toxic". You touch it, you better know what you are doing or else.
This kind of regulation has a strong chilling effect on the budding founder. Countless web-startups were never created because the most common monetization model (ads) became basically illegal (for European startups only, US/Chinese competitors kept enjoying full freedom).
> and a very small number of other applicable regulations
But it's not a small number. And regulations have a cumulative effect. See, startups are like distance running. You know it's a hard thing, but you believe you can try to do it. But then regulations are like potholes. You run around a few, but the more potholes to avoid the harder the run, until your main job turns from running to avoiding potholes. Then you simply say "why bother" and give up.
The more regulations you have, the more obstacles you put in front of startups, the fewer young people choose the entrepreneur path and decide to just get some bureaucratic job instead.
This is the tragedy we are living in the EU right now, in the clapping of bureaucrats who never build a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
Bullshit
> You make a mistake - you are doomed. The fines are in revenue percentages.
Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations without telling me
> This kind of regulation has a strong chilling effect on the budding founder.
A moron who gets their advice from ads industry, sensationalist headlines and HN? Perhaps.
> But it's not a small number.
It is.
> The more regulations you have, the more obstacles you put in front of startups
GDPR is not an obstacle. It quite literally is "do not scrape user data and sell it to third parties without user consent".
> in the clapping of bureaucrats who never build a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
Yeah, "entrepreneurs" complain about a lot, and then make a surprised pikachu face when they are told in no uncertain terms that no, sending precise geolocation data to third parties to store for 12 years is not okay: https://x.com/dmitriid/status/1817122117093056541
As a matter of fact, I am the founder&owner of a small ISV (nothing ad, privacy, crypto or AI-related) in the Eastern EU. Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
How about you?
> Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
Strange that you then spew absolute bullshit about GDPR.
> How about you?
I've worked in large multinational corporations (banking, streaming) that were "hit" with GDPR and spent several years making sure they are compliant. Not because GDPR is bad, but because no one really cared about the data collected, and where it ended up. [1]
Startups had it and have it easy since they can just not siphon all the data. Especially now, when you have all the tools to handle data properly. Hell, a decade ago you couldn't even get privacy-preserving analytics. Now you're drowning in them.
We're also preparing to launch a few (admittedly small scale) projects with friends, and what do you know? GDPR is the absolute last thing that even bothers us. You know why? We know what data to collect and for how long to store it, and we're not sending that data to thousands of "privacy-preserving partners".
"Company-destroying fines" boogeyman or whatever other "chilling effect" bullshit belongs in the mind of children and morons. Hell, I've seen banking regulators come, list issues, and give a deadline to fix them. Much less GDPR.
[1] That's not entirely true. Payment and payment-adjacent regulations are significantly more stringent than GDPR, so everything related to that was and is extremely serious. As anything related to things like "data of persons under state protection". It's never black and white.
However, in big companies, especially at the time, you would eventually end up with a lot of data duplicated across many systems, often barely connected. 10 years ago cleaning up that mess required companies to reverse engineer and document 10-15 years of bad/hasty/adhoc decisions and assumptions. Surprisingly often that resulted in just retiring certain internal microservices wholesale (they just were no longer needed) and/or significantly reducing bandwidth and storage requirements in certain cases (because you no longer cary and store heavy duplicate objects around).
So the main opposition to GDPR came not from "poor chilled startups", but from companies like Facebook and Google who rely on 24/7 surveillance exclusively, ad industry, and large corporations who didn't want to deal with cleaning up internal messes.
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:
Bureaucracy is how it works
That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.
Of course the meaning drifted with the times, but it still means that
First definition here https://dictionary.cambridge.org/dictionary/english/bureaucr...
"it's a regulation therefore it's good"
I said
"saying 'it's regulation therefore it's bad' is something bootlickers do"
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
religion was classically politics. Moses's tablets were Law. the circle of life.
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think theres a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
Heres the full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
That's some serious speed reading! :-)
Or perhaps they also never read the law they are chiding others for not reading.
The text is 56k words, novella length but dry and tedious. This is hours of reading.
I’m not saying it’s unreasonable to read this document if your work involves GDPR compliance. But this is not a quick or easy read.
I’m not lying, why would I provide the source if I was?
You also didn’t read 56k words in 20 minutes. This is nonsense, at 46 words per second.
and yes it took 20 minutes, it’s not the dense legalese you’re implying.
it’s just not. unless the dense one here is not the text.
What I cannot believe is that you would in any way imagine that this is normal. Speed readers know that they read faster than other people and do not casually assume others could read The Hobbit in 34 minutes.
So no, I don’t actually believe you read this in 20 minutes, at >4 pages per minute, >46 words per second, and 10x faster than an average reader. Generously I would say you perhaps skimmed the doc in that time.
On the off chance that this is true, again congrats. You should know for the future that your experience reading does not map to the typical person who literally reads about 10x slower than you.
Jesus Christ, it’s like talking to a brick wall.
The amount of effort I’ve spent replying to you is more than was necessary to understand the entire fucking text.
Every statement is very clear what they’re saying, don’t record what you don’t need, how do you define what you need, make sure personal information can be deleted, what constitutes personal information.
It’s really really really fucking easy, like dude; you’re halfway through a sentence you know exactly what they’re getting at. You finish it anyway in case there’s an exception or something, and it’s never the case that there is.
Whatever… you believe whatever the fuck you wanna believe don’t call me a fucking liar though you cunt.
That the other replies to you said basically the same should clue you in that this is not realistic for others even if it were realistic for you.
> don’t call me a fucking liar though you cunt.
You could have easily just walked your claim back and said “Okay, 20 minutes is an exaggeration but it’s not a hard law to read”. Instead you repeatedly doubled down and backed yourself into a corner where the only possible options are that you are an ultra speed reader at 10x normal pace or you are a liar.
Not my problem if you don’t like those options.
Normally one tries to hire lawyers that have read the law and formed an opinion already…
The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/#:~:tex...
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activty? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?
Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.
It allows them to force startups to match their (slow) pace of development.
My feeling is that in 9 years you could read it.
However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.
> it's actually super easy to comply, you can read it yourself, it's one sentence!
It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.
Thank you for illustrating my original point about this being religious dogma here.
Every HN thread about GDPR devolves into this circular argument. It’s getting so tiring. There are many issues with the actual reality of its implementation which I’ve explained in my other comments. You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".
> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.
So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
this is exactly the attitude of these people
for most legitimate businesses the "pain" of the GDPR consisted of maybe removing Google Analytics from their website
the entire point is to stop the shitty companies (facebook) data harvesting everything they can get their dirty mits on
I have seen people that are fanatical on privacy. Cheers to them!
Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
you didn't really say anything
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
try untangling the tracking code from the rest of the javascript code which is required for the sites to work - simply unrealistic.
> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.
Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.
You have the immense power of denying them access to your money, which turns out is a very compelling argument :)
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
> The scope of this opinion is indeed limited to the implementation by large online platforms
Separately, in the first couple of paragraphs, they basically complain that they don't like the alternative that platforms can legally implement of paywalls for all. :shrug: Which they may not like, but is legal. So consent or pay is essentially a realpolitik deal to not implement paywalls.
In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.
Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.
It took me to move to Germany to figure that privacy is a spectrum, and I, despite being a crazy on privacy and security, actually don't want that much.
I've been to a German factory where robots could not distinct between humans and objects bc Datenschutz.
My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.
Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people security concerns.
Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on spectrum and is a trade off.
You may have your laptop snatched, go to the police station and show them the exact location of the thieves using e.g. find my Mac. The will do nothing, even if it's in the building across the street.
Now, showing them some blurry (at best) faces in CCTV footage and ask them to investigate? Good luck.
It sounds interesting but I'm not sure what it means. Could you clarify this?
Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).
Most cookie banners are non-compliant, so I doubt that.
The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.
There are different regulations, but basically they are technology agnostic (a good thing). If you as a compnay want to use data that could theoretically be used as an identifyer for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.
Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users. But those are separate from GDPR.
GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.
Theoretical example: Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughtly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village, use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome in having to ensure you only use this data in a way that I gave consent to.
See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing ti me as an "ID" - like a cookie ID, or at personal identifiable data - like bei combination in my example.
That's actually part of these changes. It's mentioned in the linked article about halfway down.
GitHub doesn't have a cookie banner: https://github.blog/news-insights/company-news/no-cookie-for...
That said, looks like what you asked is happening: https://www.macrumors.com/2025/11/19/europe-gdpr-cookie-chan...
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
That’s very market and country specific. Spain makes more than 1k tweaks to it’s food regulations each year, which would kill lots of restaurants if they were to be in compliance.
The result is that everyone tries to make as much money as they can and build a “inspection fund”, because you’re guaranteed to get a fine if inspected.
This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.
I disagree.
Imagine I ban health potions in my realm. I am running a Darwininistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup context. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.
So if I'm understanding your analogy correctly, the guards can't really do anything, so the merchant and the buyer will be the ones going about their business.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Becase hey, people can just decide to not buy drugs.
[Edit]: Typo
It must be opt-in, truly a free choice, and informed consent, and declining must be as easy as accepting.
I think it makes sense. Either pay, or consent to effective ads. There's no free lunch
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
Implied consent is valid for most functionality, just not selling peoples tracking data or giving it to a third party who could.
Its entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Adible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.
If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].
I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.
[1]: https://pluralistic.net/2025/11/10/zero-sum-zero-hours/
So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.
It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, howe ver as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality when non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
> GDPR that would seem to be dead in the water
I agree, and I don't like that.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
https://coveryourtracks.eff.org
I assume a subset of these bits could be used, meaning the "unique" or not claim of this test probably doesn't reflect if you can be tracked. I also assume that a VPN would help tremendously.
For that test, as is, I get "unique" every refresh when using Brave Browser. With Safari and Chrome, I get a fail an subsequent sessions.
The one that Google keeps tracking? https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
--- end quote ---
ISPs used to provide email addresses for people, and it was part of the cost.
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".
Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".
He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.
Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.
> Usually at that point they will find someone else
is not really something a lot of people can afford to risk
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
But yes, more people should tell other people that they won't do that.
Most commercial software doesn’t have a warranty either.
I think a lot of commercial software that is not open source or free software, doesn't have licenses in the same sense. They are proprietary and they might have an EULA, that prohibits you from reverse engineering or something like that, or that declares the no warranty. But not licenses like for example GPL or MIT license. Such a license would be useless for proprietary software projects, because the user isn't supposed to ever get the code.
Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.
Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time it's impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
If you want to use ddata that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask m. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO#s my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for wheightloss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companes need to rott in hell, but that is my take. I want people to be protected. From business, from government. Thst is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
Like with meta: They know they mke 7 billion annualy from serving 15 billion scam ads daily. They calculated that they will have at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.
So it is a clear business decision to go on shoing 15 billion+ scam ads per day to their "users". Were some interesting journalistic pieces on that a few days ago.
And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.
At which point it also counts as PII and is subject to the GDPR rules.
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obviously to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.
Those are the people who should know best what is meant by "ask visitors for consent before you track them.".
Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possibly without breaking the law."
You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.
This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.
The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU
Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.
In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rathr than a curse.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
And that's probably the same for 99% of websites.
Obviously you need to consider what happens in the large.
Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about
Targeting political ads? Debatable - whether AI is somehow involved or not.
Multiple people keep talking about selling hard drugs in the comments. Seems a tad dramatic.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
tell that to Ads advertising business that bringing billions every year, and its legal btw
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Of course it'd be awesome if the world had no ads, but most people prefer free with ads to paid without ads.
Many services worked without the ass fucking. We did it for a very long time.
> but most people prefer free with ads to paid without ads.
No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.
Things like GPDR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GPDR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want right?
Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!
Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).
for some people and I mean some people in this are entire industry that working with directly and indirectly. this is the only way to earn a living for them and you saying this people cant do that????
"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."
well. you are free to choose not to?????? what we even doing here? life its about choice and you are free to not sign up service that scummy
it literally totally difference case that worth another article/post for that
Who are those people who literally can't earn a living in any way other than working on personalized ads?
1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.
2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.
If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice "not sign up service that scummy", THEN they must know if the service is scummy. Necessarily!
You are literally agreeing with me!
No, the competing solution/alternative its not better
if there are better ways to do this, it would be born already
That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.
In a free market, consumers will pick the better option right? The one where they don't pay more for less?
Right?
Maybe don't build stuff in such a dumb and lazy way?
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be the make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
You don't have to convince me of the foolishness of mad dashes. Or the emptiness of consumerist culture. But is the EU not consumerist? Does it even have any viable or good ideas about alternatives? Without consumerism, the modern world doesn't know what to do with itself. It has no other modus vivendi. Consumption is all it knows.
> a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in.
Sounds great, and I do not contest these as aspirations. And economies are supposed to serve the objective good of human beings. But is the EU on the path of greater cultural richness, or one of cultural decadence?
> If there is a good set of regulations in place. And that is where EU is not consistent
Bingo. What is good regulation, not as just an expression of principle and aspiration, but as a matter of practicality and prudence in the given circumstances?
It also takes more than good regulation as well. You have to ask: what does it take - and that's possible within morally licit limits - to encourage a richer culture, a culture that is also more conducive to health, and a tech industry that serves the human good? Is the EU succeeding, or merely stagnating and reacting defensively (for better or worse) to the changing conditions of the world?
Some things are only possible in vibrant economies, and where tech is concerned, the EU is not exactly vibrant.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Thanks Google.
you are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We eill be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
This is the number one issue in computing today. Everybodys running around trying to get rich building shitty extensions and frameworks without looking at the bigger picture. We need collective action. Imagine a movement where everybody becomes millitant about adblockers. Like install them on every computer and deflate the advertising industry. Smarter people than me can probably think of better ideas
Right now its death by 1000 cuts. There needs to be a big change or we could lose everything in just 20-30 years in my opinion
Seems there are efforts to bring openness to platforms that inherently have an interest to resist it and while the progress is slow.. there is progress
Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there are a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
Well I care about privacy. And so should anybody with an ounce of common sense.
"I'll use my l33t hacker skillz to avoid it on my own" is a losing strategy in the long run.
A similar thing happens with the proliferation of cameras and license-plate readers.
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
Would be oxymoronic if there were one.
Schools of thought are theories. It’s saying there can be as many theoretical universes as theoretical physicists can think up.
This is true for any social construct, of course. But anarchy’s nature means you get less alignment.
You can argue that hierarchical organization is fundamentally more efficient, but by the same logic authoritarian governments ought to always outcompete democracies militarily, yet it's clearly not as simple as that.
One could also argue that in a world where anarchist modes of organization are the norm, an attempt by some group to organize for the purpose of conquering neighbors would be treated as a fundamental threat by basically all other groups and treated as an imminent threat that warrants legitimate community self-defense. Of course, then the question is how you get to that state of affairs from the world of nation-states.
I don't have answers to these questions, but it should also be noted that it's not a binary. Look at Rojava for an example of a society that, while not anarchist, is much closer to that, yet has shown itself quite capable of organizing specifically for the purpose of war (they were largely responsible for crushing ISIS, and are still holding against Turkey).
making it complex helps nobody - everyone has to have a default
and default of "do not trust the glowies. EVER" is the better one
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
Not really. The goal is to prevent people from being unhappy enough that they revolt. But so long as that is not a real possibility, the company - or the state - is quite willing to make the population less happy if that means more productivity that can be extracted.
The example you gave - free education - is precisely about that. The point of schools is not to make the people happy, it's to make the people productive. But, also, ideally to brainwash them into being "good citizens" (meaning compliant and not causing problems). It can even mean "happy", but that is not necessarily the desirable state of affairs from the citizens' perspective, either - e.g. in USSR under Stalin, the cult of personality was strong enough that many people were genuinely happy to participate in it, and genuinely sad when the guy finally died; but it wasn't actually good for them!
No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
The reasonable position then is to demand governance that is actually in the interests of those governed. And one can reasonably argue that the resulting entity is not a state.
Beliefs like that are self-fulfilling prophecies. People who believe in that often give up trying to influence the state and exclude themselves from its interests. If too many people do that, the state will not care about them.
There is a trade-off based on the size of the state. Small states are easier to influence and more likely care about their citizens. Politicians stay more in touch with other citizens, and the average citizen is more likely to know some politicians in their everyday life. But small states often make amateurish mistakes, because they are governed by amateurs without access to sufficient expertise on various topics.
Large states have an easier time finding the expertise they need. But they tend to develop a political class out of touch with ordinary citizens. Political leaders become powerful and important people who mostly associate with other elites.
I believe the ideal size of a state is in single-digit millions, or maybe up to 10 or 20 million. Like most European countries and US states.
It can't be liberalism, since that tradition considers the state separate from society, and the state's purpose to provide liberty to the latter.
Communists of the 'tankie' variety (i.e. 'authoritarian' rather than 'libertarian' or anarchist) believe the state is or ought to be made up of its citizens, but they are aiming for scientific industrial administration and would never describe the state as an organism.
The tendency that does describe the state in that way, is fascism.
If the state inherently wanted all that for its citizens, why have people formed unions and militant organisations and struggled to achieve things like common education and so on?
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
https://en.wikipedia.org/wiki/Louisiana%27s_4th_congressiona...
The people who voted for him are very happy with what he does and that's why they vote for him again. They voted 75% for trump.
They don't want what you or I want.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a faustian bargain.
At minimum, government will be useful as defence against worse government.
I know that some anarchist had dream of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
And the enemy of your enemy is not your friend. It can be a temporary ally, but you always have to be wary of it becoming strong enough because you can become its enemy tomorrow.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also weirdly (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetorics that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alley way we once had.
It made me feel kinda sad for a few days.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular(VR, Autonomous Driving, LLM) and people are first to be luddites come out.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lays on personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tanginble benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
I like to frame it in terms of capital goods, even if I didn't think of it at that time: The personal computer's promise was that everyone would own their own digital foundry and factory, creating value for them, controlled by them, and operating according to their own best interests.
Nowadays, you're just renting whatever-it-is from BigCorp, with massive lock-in. A tool for enacting other people's decisions at you.
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
Regarding regulation, I do have to note that in many cases when you try to root-cause corporate power, it turns out that it hinges on active government regulation in practice. For example, consider the fundamentals of capitalism, namely, accumulation of capital. Why do we get those huge monopolies in the first place? Well, because more capital means more way to generate wealth (or, more precisely, to appropriate wealth generated by your workers), which can be invested into more capital etc - there is a natural positive feedback loop here. So at a first glance it feels like you need government to actively do something to prevent companies from becoming too large. But consider: what does it mean for a company to own something? It's not a person, so it can't really have physical possession of things. It's all abstract property rights, and the only reason why that works is because the society as a whole acknowledges those rights and legitimate, and, crucially, because there is a state providing infrastructure (police, courts etc) to enforce them. Now imagine what would happen if, for example, the state simply refused to acknowledge property rights past a certain limit and simply wouldn't enforce them on behalf of the property owners.
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
I'd love to live in a world where one can neatly compartmentalize reality and view life-altering political shifts with "a lens of curiosity", but that isn't how the world works.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
It is actually a monumental case ruling, and for some reason it wasnt reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta)
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
The original claim was centered around the timeline of purchasing Instagram and Whatsapp. TikTok came much, much later.
Anyways, I disagree - this is not the case. If you read the filings and their slides, the FTC argues Meta is a monopoly in the personal networking space.
They essentially carve a market out of thin air to selectively exclude Snapchat, TikTok, and Shorts. The judge has understandably called this for what it is.
It was a phenomenally poorly litigated case, most experts at the time doubted it would succeed, but it did wonders for Lina Khan's popularity. Seems to have served her well with NYC and all.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
Why? Is META relevant only on merit?
Me too. But losing on merit requires an (at least somewhat) fair marketplace.
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
Europeans here steer more in the "we can, but should we?" category, while Americans are in the "move fast and break things" category.
I literally see upvotes during the day (Europe) and then downvotes during the night. Mostly. But the trend is there.
You can say lots of things, many that go against the hive mind will just get you more or less instantly grayed or even flagged
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Their track record is pretty good.
(I would still prefer the world without either, though.)
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
Some industries naturally tend torwards monopolies. In social networks, this effect is very strong.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
It might surprise you, but success is not always rooted in having done great things for the world
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
https://zeotap.com/wp-content/uploads/2025/06/Zeotap_-Time-t...
What the law wanted: putting regulatory friction on tracking cookies by requiring collecting consent will make sites do less tracking.
What the law did: endless cookie banners.
What the law wanted: ending the torrent of people's inboxes filling with ads.
What the law did: nothing because they caved to the industry and let people send ads anyway. actual spammers never followed the law anyway and real companies who ship ads weren't at all burdened by an existing customer relationship requirement.
What the law wanted: companies will stop keeping your personal information on their servers forever.
What the law did: nothing because they again caved to the industry and it just got added to the cookie banner consent screen or the company just said they kept the data for "value add" services like personalization.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - an European - from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufactuers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time even Brussles remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
A few weeks ago, there even was an attempt to have air-traffic-style medicals beginning at 60, which, in a society that becomes both older AND worse at public transit, was highly unpopular.
You may think that's a little thing. The issue is: these little compound. And every time they come around the corner with a new regulatory clown act, people remember ... when lighting bulbs were a few cents instead of the energy-saving 10-euro new bulbs mandated by brussles ... when we were forbidden to have powerful vacuum cleaners or showerheads (yes, the new ones are not really worse, but they sound worse), ... and a hundred other little annoyances.
Not to mention that national governments like to blame Brussles for stuff they wanted, but which were highly unpopular. "Unfortunately, we cannot do anything, it was an EU decision (which we openly supported)".
And eventually, people become eurocritic. Which is one of the reasons why people start to vote for right-wing, eurocritic to anti-EU parties.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
Even worse, bought Whattsapp.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
That said, Google stripped away +must +include +terms from their searches so I do blame them some and not just SEO
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GPDR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice, that is the core of a free market. It might seem counterintuitive, but regulation that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.
The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?
I‘ve spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address.... > Untrue. IP is an category of PII but its not PII in itself unless you're a law enforcement. > Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so. > More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)
I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Then you probably need Datenverarbeitungsauftraege with that third-party company, which define precise purpose of processing the data. Data collection and processing is purpose bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.
(not a lawyer, but this is my understanding)
> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google fonts. To use them a website has to ask for consent from the user first. This can be done in a consent asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google fonts. As a company host web fonts yourself, or don't use them.
> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
That I cannot answer, or have not thought about in sufficient depth.
> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.
Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.
> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
Politicians, who usually aren’t experts in the field.
Industry leaders, who have every incentive to make the rules tougher for everyone.
Small businesses in particular do not have staff or the capacity to to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR would be less vague on the rules surrounding typically collected data
While everyone talks about souvereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.
But it's really hard to tinker as a single hacker when a German legal troll firm can come for you for linking Google fonts on your web page (i.e. transferring IPs so breaching privacy)
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I've been through several startups after GDPR went into effect, it's really not a problem.
Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
You can still turn cookies off in your user agent though.
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
But they weren't prepped to take action yet.
The only reason why the advertisers were so unhappy about it is because what they do is neither good nor sensible by most people's standards.
If I (a complete stranger to you) walk up to you and kiss you on the lips, it doesn't make a difference whether you're wearing a t-shirt informing everyone you don't want strangers to kiss you on the lips or not - I don't have any basis on which I can presume to have obtained your consent so I'd still be violating your rights.
This is very much a "tech bros don't understand consent" case: if you do something without consent, you better have a damn good reason other than "but it's good for meeee" (or "good for my bottom line"). "My business model depends on it" also isn't a good justification - there are plenty of business models that depend on things that are unquestionably illegal, we just refer to them as "criminal enterprises" rather than "disruptive startups".
Actually it's worse, DNT headers are like posting a wall of text on facebook saying you do not consent to them using your images or posts for some purpose.
Track doesn't have a consistent definition across contexts, to regulate this you would have to fix it to something - what are your suggestions? DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
If you have a better write on regulation lets hear it.
What most people miss about the GDPR is that most of it (as well as the ePrivacy Directive covering more technical aspects like cookies) really only exists because of the one big thing at its core most people are either not aware of or intentionally omitting:
The GDPR establishes a user's right to ownership and control of their personally identifiable information as an inalienable and irrevocable fundamental human right. This is what makes all the rest of it necessary: it's not about "cookie banners", it's about requiring others to obtain consent for what they want to do with that information; it's not about writing "privacy policies", it's about explaining what you do with that information and how you guarantee their rights are respected by you and disclosing who you're passing it on to and how you're ensuring they too respect those rights.
The alternative to consent dialogs (whether as "pop-ups" or via confirmations when prompting for relevant information) would be requiring every website to have a written contract with each user. Consent is only valid if it is demonstrably informed (and non-coerced but that's a different story) and it must be specific and revocable. You can't have users blanket opt-in to everything you'd like - they wouldn't even know what consent they'd need to withdraw later if they reconsider.
By the way, courts recently seem to have started ruling that the way many AIs work the companies training them are in violation of copyright laws by using intellectual property as training data without permission and in order for contracts to be legally binding, anything given by one party has to be given consideration by the other (i.e. anything of value given by one party has to be balanced out with something of value given by the other party) - so I wouldn't be too quick to ridicule the idea that using Facebook means Facebook can do with your data whatever its terms of service say they can do, even if posting on Facebook can probably not be considered an effective way of informing Meta about your disagreement.
The only thing required to make a signal like that legally binding is the power of law. It just wasn't there for DNT.
Or it will take one clear message from the regulators saying they're equivalent.
Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
So either you're lying or your lawyers are lying to you.
In 9 years you could've finally read and understood the rather small law yourself.
It's not a lawyer's job to answer that question because the answer is necessarily "yes" unless you intentionally did the illegal thing (i.e. intentionally did what the law explicitly tells you not to do) - and even then you might be able to defend it somehow.
The question is whether you have a good enough case for a ruling in your favor. And again, lawyers can't answer that because the question is always "it depends" - they're not in the business of fortune telling.
If you ask a lawyer for legal advice, it's their job to give you sufficiently good and accurate enough advice that if you tried to sue them over giving you bad or inaccurate advice they'd have a good enough chance of winning that lawsuit. How much they're willing to speculate about things like what's good enough for you and how high they'll set the bar depends on a variety of factors again.
There's literally no guarantee you can successfully defend something in front of a judge. The law is the law and the facts are the facts. If you end up in court, it helps if you have solid paperwork and a solid papertrail you can use to demonstrate you did everything correctly and in good faith - this is about creating facts that can be used to your advantage.
But the amount of expense required to do literally everything perfectly to the letter of the law and reliably document that you did so would make running a profitable operation impossible regardless of what laws we're talking about, so you necessarily have to strike a balance. And where you strike that balance is a business decision because it's about managing the risk of doing business. And that's not something your lawyer can decide for you - that's something you have to decide for yourself if you run the business. Because at the end of the day it's about your personal liability - whether through financial risk if your business is held liable or direct liability if you get personally held liable for your actions.
But this is not legal advice, I'm not a lawyer. I just know enough about (EU privacy and general German) law to be dangerous and accidentally trick actual lawyers into thinking I have a law degree.
By the way, that's also where that line comes from: it's saying "you can't hold me liable for decisions you make based on what I told you" - even when what a lawyer says is perfectly reasonable and sound to them they'll likely tell you it's "not legal advice" unless you are willing to pay the price tag of being able to hold them liable for what they said.
For the absolute vast majority of companies GDPR compliance is trivial.
For the absolute vast majority of remaining companies GDPR compliance is simple.
There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).
I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy
No wonder you have "trouble complying with GDPR".
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
Its not just cookies and websites, its any personal information stored electronically.
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
How the hell do you expect everyone else to?
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.
Its not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:
https://ico.org.uk/for-organisations/advice-for-small-organi...
Read it all, and tell me its simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.
So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.
You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.
I've implemented it like a half-dozen times. Why do you think I'm so confident? It's truly not very difficult, particularly if you don't have to retrofit some hell-app that uses a billion cookies. For the most part, collecting PII is already a liability and you don't want to do this anyway outside of critical information (e.g., email).
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Etc. Etc.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Here's a good primer: https://trustarc.com/resource/schrems-ii-decision-changed-pr...
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared defacto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
But sorry, saying "literally everything" is a gross exaggeration. Debugging a program with the help of ChatGPT is not using user data. Editing a logo is not using user data. Storing code on a web platform is not using user data. And others...
And even then, for some of the services (like mail, communication, erp, etc.) there are alternatives companies in Europe that work just fine.
I think GDPR is not perfect, but I do welcome measures to prevent over-collection of data by whomever.
There are only two possible interpretations of this sentence:
1. You have just confessed to a crime. Do your engineers store user data in Notion?
2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.
> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"
No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).
So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
You think yourself more important than you really are. I've replied to many comments in this discussion, and three of them, I think, happened to be yours. Two of them happened in the same thread. This one.
> No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion
Ah yes. Where good faith is "GDPR is bad because wellfare state and US intelligence"?
> So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
So, good faith and non-circular arguments are assigning words to opponents and trying to make them argue something they never said, apparently.
Imagine if anti-GDPR crowd actually argued in good faith. I can't. Because of behaviour like this.
"This generation" lol. I'm 45.
What I'm learning that this generation will find way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".
> Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Governments have deficit spending because we subsidize private inefficiency at a social level and refuse to run them efficiently. It's insisting on letting private entities run things that is clearly not working.
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
In the traditionally implied sense of different rules for different social classes.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
I wish you were right though.
https://www.independent.co.uk/news/world/americas/asa-baker-...
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.
But yes, it is possible to be very much human but also trigger certain peoples AI detectors.
Finally!
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services.
[...] we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really."We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services listed above will be used. You may change your selection on which cookies to accept by clicking "Manage Cookies" at the bottom of the page to change your selection. This selection is maintained for 180 days. Please review your selections regularly. "
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
No. You asked How can you comply with the current requirements without cookie banners? Not How can you have trackers and comply with the current requirements without cookie banners? And don't use dark patterns would have answered this question as well.
Within the context of the discussion of if its malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
You ignored I said don't use dark patterns answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
[1] https://techgdpr.com/blog/data-protection-digest-3062025-the...
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
I hate how everyone and their mother ships all my data to google and others just because they can.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Or assign the user an anonymous session cookie that lasts an hour but contains nothing but a random GUID.
Or simply pipe your log output through a service that computes stats of accessed endpoints.
None of this requires a cookie banner.
You can deduplicate but you cannot store or transmit this identity information. The derived stats are fine as long as it’s aggregated in such a way that preserves anonymity
So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie. Hash it together. Now you have token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes). And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
Not rocket science.
Sure you do if for example you want to know how many unique users browse your site per day or month. Which is one of the most commonly requested and used metrics.
> So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie.
That looks a lot like a unique identifier which does require a user's consent and a cookie banner.
> Now you have token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes)
The EU Court of Justice has ruled in the past that hashed personal data is still personal data.
> And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
It will also happen after 30 minutes have passed which will happen all the time.
> Not rocket science.
And yet your solution is illegal according to the GDPR and does still not fulfil the basic requirement of returning the number of unique users per day or month.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
Not really, proponents of GDPR are aware that GDPR explicitly blocking trackers would be extremely hard as there is a significant gray area where cookies can be useful but non-essential, so you'd have to define very specifically what constitutes a tracker or do a blanket ban and hurt legitimate use-cases. Both are bad.
For some reason though people think that the body that institutes laws that try to make the world a better place, when loopholes are found and abused for profit, this is somehow the standard body making a mistake, rather than each individual profit-seeking loophole-abusing entity being the problematic and blame-worthy actor.
I never understand why, I guess you work somewhere that makes money off of this.
However, you are still required to provide a list of essential cookies and their usage somewhere on the website.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that its not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make theme illegal. Simply operating as normal plus new GDPR compliance clearly isnt malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And lets not get started on all the sites where the banner is just non-functional smoke screen.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
I remember the early day cookie banners of Tumbler accept all or deselect 200 tracking cookies by clicking each checkbox.
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
Even EU government websites had annoying giant cookie banners.
Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
Those banners often list up to 3000 ”partners”.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... does a similar thing.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
Cookies are a client-side technology.
Why does the government need to be involved?
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
It covers all data processing whether automatic or manual.
The law literally doesn't talk about cookies. Or any other ways of tracking. (well, it does. In the preamble. The regulation itself is tech agnostic)
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
--- end quote ---
etc.
> (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client site anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client site anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the site I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read and on top the browser has a language preference : https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites require a language cookie for a not authenticated user.
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
Again, is there any browser nowadays that doesn't save the login? I don't know any, personally but I do not know all of them. And if they are, how much market share they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookie (oh, maybe they think of the food! Yummy)
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
Server logs can provide this information.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
And no, you can't just "wait 2 weeks and check for the actual sales volume difference". The example I gave requires individual anonymized tracking. Pretty much anything that has to do with correlations in customer behavior requires individual tracking. And that's how businesses improve.
Also, it's not just giving up "some percentage points". There are a huge number of small businesses that can only exist because Facebook ads work so well in targeting very precise customer segments who would never know about their product otherwise. Targeting advertising does actually work, and you'd be putting tons of small business owners out of work if you got rid of it.
What I see though is many shops closing, because more and more people buying online. What I hear is people buying crap from Amazon and throwing it very fast, or using fast fashion from the like of Shein. Neither seem to me a great outcome.
I did a cursory look and I found this https://www.pewresearch.org/short-reads/2024/04/22/a-look-at... , will quote "The number of high-propensity business applications – those that are highly likely to turn into businesses with payrolls – remained relatively stable between 2009 and 2019,". This for me does not support the idea that of "huge number" that only exist due to Facebook (business exits have also grown over the period, more data at https://data-explorer.oecd.org/), but of course this is an interpretation.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners“?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I'll keep blocking all ads and tracking anyway.
I would on the other hand ask if I should really set my "preferred language" on every device I log in ?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g Google analytics) or putting actual personal data in them, you're generally fine without the banner.
Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway, I assumed that was the agreement between EU information officers)
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
0. https://guides.libraries.psu.edu/european-union/official-ser...
1. https://www.europarl.europa.eu/portal/en
What do you mean? The original post mention 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
What is not fine is giving away your users' personal data to pay for your analytics bill.
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
The goal of regulations is to prevent undesirable behaviours by making it "too costly" to do. The goal is not to take 30% on every app sale.
Complaining about regulations as a concept is usually about forgetting those that work and seeing exclusively those that annoy you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
Also businesses are not people. People may not do illegal things "just because they are illegal" or because they want to be "good" (e.g. I agree that we should not litter, I wouldn't even need a regulation for that).
Businesses are profit-maximising machines. If it it profitable to litter, a business will do it. The framework in which businesses maximise is set by regulations, which represent what society wants. That's how capitalism works.
The limit of capitalism is when businesses are more powerful than the entities in charge of enforcing the regulations. If "enforcing a regulation" means having lawyers work on it, but the businesses themselves have orders of magnitudes more lawyers trying to prevent those entities from doing their jobs, then we have a problem. That's a limit of capitalism, IMO.
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
We tried to get rid of any tracking banners but have been unable to do so.
Is that like I’m strangled with my start up of “cheapdvds.com” because I can’t sell someone else’s data?
“25% of our users that arrived from the newest ad came from Facebook and 85% of those were mobile users.”
So abusive. So much selling.
RIGHT?!
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so its harder to find plumbers to show your ads to. Less plumbers get to use your product as a result. So its just one reason it's hard to get your EU based Plumbing SaaS off the ground.
You get ads for fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
Good! I don't want ads to be a thing in the first place. It's a good thing that industry is being strangled by regulation.
GOOD!
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
People are important, not the startups!
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
This part seems mis-informed.
https://www.arenaev.com/mercedes_gets_level_3_autonomous_dri...
https://www.arenaev.com/bmw_ix3_gets_handsoff_motorway_assis...
European cars from almost every brand, already have emergency braking, adaptive cruise control, lane keeping, lane switching, etc., which get us 70% of the way there in terms of road safety.
I don't want to be experimented on by companies like Tesla:
Let them kill US citizens and keep lying and hiding things:
https://www.arenaev.com/tesla_robotaxi_troubles_grow_with_se...
> Understanding exactly whose fault these crashes are is tricky because of how Tesla fills out its forms. Automakers must send reports to the National Highway Traffic Safety Administration (NHTSA). Most companies explain the crash in a written section called the narrative. This narrative tells the public whether another driver ran a red light or if the computer made a mistake.
> Tesla chooses to block out this information and redacts the narrative section entirely. This prevents the public from knowing the truth, but it is entirely legal, even if it frustrates data analysts. Without the story, nobody knows if the Robotaxi caused the crash or if it was a victim. Fans of the brand often argue that other drivers cause these wrecks. That might be true. But since the company hides the proof, nobody can say for sure. Other autonomous companies like Waymo share these details openly.
That statement includes Ursula by the way.
They need more strict financial regulation than politicians do!
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
for example:
- bureaucracy creates less bureaucracy
- price controls create more supply
- adding more rules creates more freedom
- government is good at understanding technology
- the more people you have the better your decisions will be
- the further someone is from a problem, the better they can solve it
etc
- adding more rules creates more freedom. Imagine the US without a constitution. It’d be madness. In a lawless country, people would be less free to do things they actually want to do because they’re so occupied with just surviving.
I quite like not having my personal data stolen by foreign megacorps for nefarious purposes. In that, I am freer than Americans thanks to Europeans regulations.
There are dozens of stories how registering a business alone can take several months and tons of paperwork.
Some countries are extremely strict, others are more lax. Where I live (Norway), starting a business is pretty easy and straightforward. Other countries, like Germany, are notoriously difficult from what I've read.
And again, some countries have very strict laws and guidelines you need to follow, once you've started a certain type of business. Where I live it is relatively easy to start a LLC, but you'll need to put some money into it, and you can easily get fined - or even face jail - if you don't follow the laws for accounting/auditing. It becomes problematic, quite fast, if there's no unified codes for these things, if everyone's going to be able to operate cross borders.
Not to mention all the other laws (consumer laws, etc.)
Registering a business in Estonia is famously relatively straightforward, while it is an absolute pain here in Germany. But business registration is the responsibility of the countries themselves and it should remain that way
1. Prepare the foundation deed and the articles of association. 2. Identify the beneficial owner(s). 3. Pay the share capital and obtain the bank certificate or auditor’s statement. 4. Submit the registration application for the limited company to the Swedish Companies Registration Office (Bolagsverket) and wait for approval. 5. If applicable: submit a certified copy of your passport (non-Swedish citizens). 6. Apply for F-tax approval and VAT registration and wait for the decision. 7. Register as an employer if you will pay salaries. 8. Keep continuous bookkeeping and prepare the annual accounts each financial year. 9. Submit the annual report to Bolagsverket every year.
Optional:
1. Obtain business and personal insurance. 2. Register trademarks or protect other intellectual property. 3. Choose an auditor if you want one or when the company later reaches the required thresholds. 4. Register a cash register if you accept cash or card payments. 5. Meet requirements for import/export and obtain an EORI number. 6. Follow rules for buying/selling goods or services within or outside the EU. 7. Keep a staff ledger if required for your industry. 8. Follow reverse-charge VAT rules if you operate in construction. 9. Apply for permits if your specific business activity requires them.
This is not what I'd call a straightforward process, personally. Also speaking from personal experience. Sorry for the formatting.
It's a (check)list....what could be more straightforward?
What does this even mean? You have examples from ALL of Europe? Each country has its own process, and at least in "my" country it is very easy.
This is a step back. All these years of clicking those banners is now for nothing.
While our company was very good at handling customer data already, it forced us to up even our game.
Other companies, however, were absolutely miserable at it.
GDPR has improved user privacy for the billion+ Internet users across the board, whether they are EU citizens or not, and most won’t even know about it.
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
https://ec.europa.eu/transparency/documents-register/detail?...
https://ec.europa.eu/transparency/documents-register/detail?...
Not a done deal.
They did not have the same fervor for SaaS or cloud, if you recall. You needed sales people for that tech and they were compensated well bc its hard closing a multi year, potentially multi million dollar deal.
But AI needs no sales people to sell its value prop. CEOs have fully bought in. And now, even European bureaucrats, the most bureaucratic of bureaucrats, are loosing regulations. And these are the same group of people who thought cookie banners would help with privacy. Strange times.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
Source?
Sure, Europe doesn't have it's own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
For values of, yes. Things obviously aren't perfect, but I at-least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
But if you ask anyone in europe on the street they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
The central browser controls they mention will hopefully be a more sucessful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
For 'central browser control', what is technically mechanism behind this? Is it something like an entirely new request header sent by the browser? Or re-using some existing RFC? Also curious if the regulation will compel browsers to implement this or something.
Managing cookie permissions at the browser level always made the most sense, but implementing it with regulation is what seems hard.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
https://www.theguardian.com/lifeandstyle/wordofmouth/2008/no...
I don’t see a problem woth mandating truth in advertising.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society are NOT negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs are as real as the companies like to claim, there is enough data on the internet to train LLMs while paying for proper royalty for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
Our product makes it easy to capture and share knowledge on the factory floor, which is very important when many of your workers about to retire. Interest is enormous. It is a simple SaaS. You'd think selling would be easy. And it is: In the USA. In Europe the mere existence of the regulations (not what's in them) delays us by 6 months at least per deal.
No european executive really understands what is in the GDPR, and eventhough we are 100% compliant, there is nothing we can do to take away this fear. This means that when we talk to European companies, IT and Legal departments always have to be closely involved, leading to all sorts of political games; each department conjures up non-existing risk by talking vaguely about data privacy, just so they appear important. Half a year later when the dust has settled, the executive buys the product, or their mind has moved to other things.
My point is this: What is in the laws is not important to me. What is important is that current perception of laws turn companies into slugs. I want us to mentally move back to 2018 where we could "just buy SaaS" without worrying endlessly about data privacy. I understand hesitency when it comes to cyber security, but that is not what is slowing us down.
One of our workarounds currently is simply never to mention we use AI.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
PII has a very clear definition. Posts on a public forum are not part of it.
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established even considering the person doing the anonymization. Consider a clincial study on 100 patients and their some diagnostic parameter such as creatinine or H1bc which was legally collected using consent and everything. Lets assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test if anybody using reasonable efforts could re-establish an identity. And sure the original researcher can because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you dont provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result
And this is just one of its contradictions. The more you dive, the more convoluted it gets. Its a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
It absolutely isn't. I set up a blog for a friend where she shows her art and publishes an appearances itinerary/schedule. It doesn't collect ANY info from visitors, therefore requires no cookie banner at all. Simple as that.
HTTP logs are retained for 7 days for security analysis and then wiped. No analytics available, although my understanding is that a self-hosted Matomo instance set to anonymize the last 2 IP bytes of every logline it ingests would still be considered exempt from a banner.
There you go. The moment you save any information that can help identify someone for any period, you are within the scope of the law. God forbid you keep the IPS for any reason.
> for security analysis
The law doesnt give a zit about what you do it for. If you retain any personal info or set any cookie, you have to tell the user about it and give options.
> Matomo instance
Hahaha - matomo itself is non-compliant with the law. Its developers think that anonymizing info or collecting bits and pieces for functional info and setting a cookie for that purpose allows you not to show a banner. That's wrong. It doesnt matter for what you collect info or set a cookie - the moment you set a cookie, you have to show a cookie banner and tell exactly what you are collecting and what you are using it for. Even for functional cookies.
The only way you can be compliant with this law is by setting an apache header or something to delete all cookies the moment they are set so that you wont leave any cookie. Even in that case, you may be responsible for you are holding that information even for a few miliseconds. (yeah, you as a techie think that its not important, but law doesnt work that way). Best chance is to have a server that does not set any cookie or collect any info in any way. Good job preventing spam, fraud, ddos with such a setup.
Europe's cookie nightmare is crumbling. EC wants preference at browser level
Better late than never, but it's insane it took them almost a decade to figure this out.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help US in time when it needs it. To allow some US big tech software to sweep in exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in europe... it's doing fine. Why? Because making software and compute is cheaper every year to a point of nothing. It's hard keep insane growth in that environment. Sure if you make some unique breakthrough (like AGI) then tech keep going again. But what if not? Then you just have to squeeze everyone more including your allies, especially your allies.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
This is just another dumb EU reg that hurts everyone
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Now, they tend to continue to use meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
https://ictrecht.shop/en/products/handboek-avg-compliance-in...
European Commission plans “digital omnibus” package to simplify its tech laws
The CBDC, the “Digital Euro”, will be nail in the coffin.
In Italy they’re pretty advanced with the Digital ID, for example.
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In case of IP address the answer is almost always yes since the recipient could ask competent authority to unmask the IP address if there is crime involved. That was the exact reasoning provided in the Breyer case.
In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to real person so it was determined that it's not PII from recipient's POV but it was from the data controller's.
One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.
The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"
Legislation can’t change culture.
The original claim was that the compliance was done for malicious reasons to change the law. Another possibility is that lawyers are a cautious bunch and advise their clients to take a less risky option when implementing a legal requirement. From personal experience, I would saw that latter is much more likely and would also explain why government agencies interpret these rules the same way when developing their websites.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
To "follow" every rule, all you really need is another layer of UX friction. Another modal. Another "consent wizard." A few toggles buried under Manage Settings → Advanced → Optional → Something You'll Never Click → Opt Me Out.
If you want to be sneaky, add a dark pattern. Make "yes" mean "no." Delay the buttons loading behind some animation, while showing other buttons from the start. (Users will always mash the first one that looks vaguely like "close" without reading anything.)
Or just bribe them, "Get 200 extra points for opting in! Only 45,000 more to redeem a free small drink!" Congratulations -- you're now "compliant.
In practice, GDPR mostly results in one more click. That's the whole impact. A seemingly smart privacy law reduced to just an annoyance tax.
(This is a big reason I run Firefox with uBlock Origin, and NextDNS on my router and phone, with Steven Black's block list. Ha. I do value my privacy, and the more ads and trackers you can block the better shot you'll have at keeping some of it. At least until you go and do something stupid like join a social network or messenger app, or start clicking accept to get 200 extra points.)
* StevenBlack/hosts: Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories. // https://github.com/StevenBlack/hosts
* NextDNS - The new firewall for the modern Internet // https://nextdns.io/
* uBlock Origin – Get this Extension for Firefox (en-US) // https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
Hold the line. Don't make the same mistake we did in the US. Your data is your data.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
That's nonsensical. The GDPR doesn't require "cookie banners and pop-ups". Obtaining consent for things you can't do without consent does - if you insist on handling it that way. And "'non-risk' cookies", i.e. technical cookies required to fulfil the functionality requested by the user (e.g. maintain a login session) definitionally don't require consent and thus no "pop-up" or "banner". So what is the actual change here?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
That's an odd way to say EU regulations....
No doubt that now the flood gates are open, powerful interests will do everything they can to water down the protections even more. This is already bad enough as it is.
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens
The question is what AI will do with these data and whether giving away privacy is good.
There is no transparency or trust and for this reason I want to keep my privacy.
But now, I am robbed out of this based on majority votes and not common sense.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
The only space where there's still laws from people is in the social media world, where the outcome are laws that don't change the life of anything but make you feel good. Eg. minorities, women, etc. still have low income, bad life outlook, etc., but hey now you need to clearly state that the programmer job is also for women and trans people. Assholes can be assholes as long as they use the right pronoun, whole industries thriving on lowering the baseline (delivery, etc.) of what humane treatment at a workplace is celebrate and pinkwashing. Everyone is "happy".
Also on the ecological side. Laws that that would change something fail, but everything that can be exploited in terms of taxation passes - seriously look at summaries on voting on directives. It's completely split at this line, and all the "liberals" celebrate how great they are for driving essentially tax funded electric cars.
It's no surprise that companies reacted by making the most obnoxious cookie banners instead of removing the need to having those in first place (fun fact: you do NOT need those for cookies at all). Whenever you read a "We care about your privacy" that is an outright lie. If they even remotely did there would be no need to have such banners. Even for much of the more shady stuff you don't need to. And still most companies don't even adhere to the GDPR. They just have a meeting do pick some pieces and forget about it.
Democracies sadly have become a real farce. I think the world has over-optimized for it, companies have "min-maxed" for the current set of laws and now well intended laws are effectively meaningless, cause smart people came up with nice hacks to not really have to care about it. It's just like a video game, where people realize that your skill set is nice, but you can just max out DPS and bring along a tank, where you realize and realize that the debuff on your armor doesn't matter if it doesn't hit you and where the penalty on item costs is meaningless because you don't know where to put your money anyways.
And honestly, finding such strategies to optimize for "just not breaking the law" or getting around it entirely is extremely fun, compared to all the boring work at a job.
What people used to call "honest work" just doesn't work outside of very localized and small scale setting, and even there it's hard. To compare with video games again, it's like all the "soloing is possible" and yeah sure, sometimes it works, but if the big guys decide to crush you they will. So best to join up with them which is exactly what is happening.
We also see that in other laws. Monopolies are forbidden? Well either keep at least one competitor alive (iOS vs Android, AMD and Intel, etc.) or make a cartel, even a completely passive one where you just do "market analysis" to have a similar price. If your competitor raises prices, it is your job to adapt your prices to increase profits. If your competitors use cheaper materials, etc. it's the same. You never ever need to interact with your competitors.
Working together in one way or another is what made humans really productive, it works well for companies, yet somehow there is that believe that magically this won't happen and instead it's all fierce competition, which is ridiculous when the biggest threat to large successful companies is literally the market changing. So they just take safe bets and buy all the smaller largely already working products and call it innovation on their side.
It's a good, smart, reasonable strategy. But it's also very obviously not as intended.
The thing is that big surprise, it's the same for privacy protection laws. Companies don't care about your privacy at all and most people are in fact ordered to store data just to have it. They make sure it's annoying so both to make you accept them and to complain about the law. It's a real farce to think that somehow people, governments, etc. think that companies (at large) are nice and just want you, the world and everyone to be good and happy. It is baffling that people really believe that and somehow always think their favorite brand is magically different, because they met a nice lad working there in marketing.
I would say something like "the issue is that 'people' are underestimating how many ugly characters there are, in the private as well in the corporate spheres" but that doesn't mean much anymore because people adapt against their interest just to display competence. "Ugly business practices" have become the norm.
It even trickled down into culture via funny little behavioral nudges like "nett is das neue Scheisse" (German for something like “Being ‘nice’ is the new way to be awful.” or "Nice is the new toxic." but mostly meant to say "Politeness is the new bullshit."). I'm quite certain it was a clever mid-term Machiavellian marketing play which paved the high speed Autobahn for the Right Wing and faux-cause refugee aid and further downstream also the acceptance of misinformation about the escalated and long ignored civil conflict in Ukraine. But that's a long stretch and beside the point.
Regulations serve to keep the balance. Rules can be broken. Linguistics and just being a horny fucking human create more loopholes and blind spots than anyone can count and this dynamic evolves and becomes more complex.
When it seems like you have to choose between a police state and a state which allows "AI companies to legally use personal data to train AI models", meaning unrestricted, unhinged economical practices that will have it even easier to get into teen heads and all the minds who just don't have the time and energy to evolve after a 9-5 day to raise their kids with abilities to defend against all the ugly bullshit that ugly business practices use to advance their proprietary propaganda(s) while the civil weight that is supposed to balance and positively offset the resulting negatives--the counter-movement, the counter force--is reduced to a motherfucking s k e l e t o n that our current civil society is, which can barely hold it's own few pounds, because too many people are busy being more productive and efficient or are numbing their brains with some drugs or meds and doom-scrolling or something with the content-creator economy or something else "with media", meaning when they are literally working for the other side against their own interest because it's cooler, then we all will get both, a police state with a subscription model for tickets out of jail, court as well as an economy that doesn't have to nudge and prime and co-evolve with customers, workers, employees, citizens, people anymore, because the law permits reverse lobotomies, marketing campaigns that create new needs and new desires via straight injection into your brains, including all the good PR that turns the bad PR into nothing but showmastership.
Our intelligence agencies, police and judicial representatives of the people are constantly looking away because citizens don't point the spear at what the tip already knows. Our law and the maintainers of justice should have evolved to investigate way more than they have done and they continue to disappoint.
The people have been misinformed, deceived, nudged, primed, exhausted for decades and with inter-generational effects, where the old don't defend and protect the minds of the young and the young then hijack the minds of the old or tire them out additionally and vice versa. Everybody just thinks or feels and perceives that "this the world", "this is the way" when it's the opposite, the absence of critical thought in your own interest. "They" (whatever that means to you), are selfish against all your interests while selling you their interests and how they want you to be.
Dramatic emphasis: THERE MUST BE BALANCE. And shoving the people back on the right side, not by moving them directly, which would be "fiddling with them" as much as ugly corporate and smaller business people do, but by offsetting and countering, HACKING corporate "dark patterns", ugly business practices (and I don't mean shiny buttons and countdowns), for HACKINGS sake.
If I hadn't been fucking poisoned and spiked god fucking how many times and had my brain been capable of recovering from that shit a bit fucking quicker, I'd be on the fucking frontlines of all that obvious, ridiculous fucking shit. I don't believe so many of you just roll with this shit because you are ok with it. How is all that not exactly the hacking challenge, the systems design challenge you are looking for? So many are doing so much on small scales and with tiny projects. Where is the hell is the weight. It has nothing to do with behavioral locks. You can remain in that lock, the world has chosen. BUT THAT IS NOT IT.
There are a lot of you who know and see and who were not poisoned and whose feet were not fucking poured into concrete bullshit and walled in by a jealous wannabe-fathist-coping-with-inferiority-instead-of-actively-evolving-others-to-evolve-their-offspring pthycho-thothial environment ...
"I don't care, I'm just doing my thing, you know ..." (which is not his thing but it got him that marshmallow and there's this thing previous generations, who believe that "history repeats" while the people writing it advance their interests, can't teach you because it's covered in new language, memetics, symbols, which are hidden behind misinformation enough other, slightly younger people are perfectly aware of but keep lying to themselves want their abilities enable them to do, but they are just doing their thing, which is not their thing but it gets them that marshmallow ...) only leads to the propagation of proprietary agendas, the results of which, if not offset properly, will be disliked adequately, way way way too late. I don't know what means exactly, but I know that enough of you have those conversations all the time and a lot of it was spelled out in various books; in fiction, science-fiction and more than enough of it in historical and current non-fiction.
I'm just wondering.
I could have said something about constraints, self-organizing systems and organic emergence of cultural phenomena via the non-linear propagation of imperative regulations between co-evolving colonies that are reaching for a state that maximizes the architectural potential of all areas of civilization for the sake of the minimum amount of conflict necessary to ensure survival and thriving in a changing world, which requires just enough friction and oil to keep the temperature down, but you all know that.
Someone smart, published, internationally recognized, and with humble origins in a current or former war zone, I believe, once noted that the middle class/ middle working class needs be heard so that their perspective can be accounted for when dealing with and for a world--and future, full of uncertainty, colorful swans, emerging and re-emerging constraints, calculated probabilities of instability in the various areas affected by climate change (the fact, not the debate), and so on ... well, above are some bits to start with.
The sentences "What the fuck are you serious? Give my kind time and the peace of mind to raise my children in a way that offsets some of the bullshit systematically taught in schools off-curriculum and they will help you. You need help. This is wrong, pathetic, only funny if you are drunk or drugged and in a particularly sassy mood that makes even the help- and hopeless feel cool and powerful. If we did our jobs like you do yours, everything would burn." kind of sum up some more bits ...
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
You have no business stealing my personal data until we enter an equal agreement.
I feel like, there's nothing in my statement you can actually disagree with, so you're just expressing general frustration with the state of the world.
That's fine. You can set up aggressive PII laws, you're a big boy sovereign nation. But then you will not get domestic tech giants. That's not like, my opinion, that is the reality we are in.
I am describing that reality, and that the EU is unhappy with it, and your response is "Here's why we set up laws!". OK. I'm not sure what you are looking for here. We all know how you got here.
There are tons of business that can run without collecting any or extremely minimal PII. We already let the big companies take this data unnecessarily, let's not also let them brainwash us all into thinking unfettered surveillance is somehow essential to building a software business.
That's good, there should be no big tech companies like FAANG at all. These monstrosities wield to much power and need to be brought in line.
I assume you mean the AI related stuff?
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[1] Western, Educated, Industrialized, Rich, Democratic
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
It's the only power left that stands for rule of law.
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
So, yes, the default should be that companies are inherently ill-intentioned to society, because that gets them an unfair advantage and gets more "value to the shareholders".
History tells us they are. Well technically, they are not ill intentioned. They just don't care if they do harm on their search for profit
In Europe there is a particular concept of freedom.