I'm not understanding, as an European who's been part of multiple startups how's that supposed to boost growth.
There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
In fact the actors that most opposed those laws have always been non Europeans.
Sure, there is an attached cost in having your terms reviewed by a proper lawyer and documenting the entire list of cookie providers, but that's basically where it ends. It's really minimal effort and cost, we're talking in the low single digits for the review, and a few hours of engineering time.
The biggest issues in European growth are others:
- focus on being an export economy while neglecting the internal market.
- bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
- very conservative and risk-averse mentality. Young people in college can't wait to graduate and find the best paying lowest effort stable job. That's not a problem if it involves a majority of graduates, I imagine all the world is like that, but you do have an immense problem if you have 1% or 3% or 10% of wannabe entrepreneurs.
I would go farther. Privacy laws seem like an excellent way to tighten the internal European market and develop homegrown competitors, which (one might argue) Europe really needs. If Europe is loosening up those laws, does that help Europe? Or does it help Meta and Google and Microsoft?
Europe has a shitload of homegrown competitors. The problem is that users here in Europe either go for a national service or for a US service. They don't look up what their EU neighbor has to offer. In fact, most don't bother translating their services to appeal to the entire EU market.
If you live in country X, you will only ever learn about services from country X or from the US. No one here knows what goes on in neighboring countries.
It's easy to think the EU is like the USA, but it's not, it is still separate sovereign countries with their own language and culture.
I never really looked at it that way, but I think you're right.
Although, non-European-owned companies aren't necessarily incentivized to look towards European companies.
Looking towards your European neighbors mostly comes down to logistical situations. In those sectors, multilingual services are more common.
This argument in favor of protectionist industrial policy is almost universally opposed by most modern economists, for a good reason.
Nations don’t outsource critical national security industries even though economists might say that’s more efficient. The question is whether they should outsource critical tech infrastructure to huge quasi-monopolistic US firms that can turn it off or abuse European data at will. I don’t have the answer to that question, but I have to imagine it’s a worthwhile debate. The data we have cuts both ways: China applied protectionist policies to its own Internet companies, and it’s hard to argue that this has been economically devastating for them.
>China applied protectionist policies to its own Internet companies, and it’s hard to argue that this has been economically devastating for them.
China has 1.4 billion people in one country while the combined population of Europe is around half of that, so that's one difference.
But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism. To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
Define "better off". Companies like Meta and Google are enormous behemoths that make their money through advertising. One advantage of their size is that they have lower costs, but a greater advantage is that they have much larger market power: they can purchase competitors and demand higher rents for advertising space. Is society genuinely better off from this kind of concentrated market advantage? One might argue that there are different kinds of 'efficiency' at play here, and not all of them are in society's interest.
> But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism.
I really don't see how Chinese tech companies would have benefited from receiving the diapers.com treatment.
Disagree. China has had incredible benefits from its own social media and commerce platform growth.
Yeah, the US is missing out.
But the US could have benefitted from China's social media and commerce platforms and China could have benefitted from the US's. That's my point.
I am no economist or even that economics-knowledgeable and maybe I'm wrong and maybe China's protectionism is better somehow, but from everything I know or at least from every trope and meme I've ingested, free global commerce eventually leads to better outcomes for all parties.
What would have happened is the US platforms would have moved into China and stifled the competition.
As we can see everywhere else.
This wouldn’t even be good for the US, just good for the shareholders of these companies.
Maybe, maybe not.
China is a decade ahead of the rest of the world in different kinds of use cases (think their super apps or payments).
TikTok is the most popular social media app out there, and it's Chinese.
They are also tremendously competitive in AI despite all the limitations they encounter.
Honestly I think that the last century should be a clear statement that protectionism, sanctions and closeness is a failure whose bills are paid by tax payers.
We've been bailing out and protecting non competitive industries (which have further incentives *not* to invest due to protectionism they benefit from) for decades.
When Trump 1 put high taxes on dishwashers and house appliances it hasn't really pushed US companies to do better, it just allowed them to raise the prices and do very little.
But the fact that some countries play dirty (see China and their industrial espionage and lack of respect of patents and intellectual property), while others are obsessed with being #1 even if it means pursuing that via bullying methods have pushed us in this very negative scenario I don't see how can we leave us behind unless we get a new generation of brighter leaders.
Sadly, that's not how you win consensus and elections today.
> But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism.
How would China be better off? All their tech companies would have been bought out by larger foreign tech companies. Kinda like what happened to many European tech companies.
> To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
Yeah that's what the Chinese state is worried about /s. Not the never-ending misinformation, disinformation and propaganda directed against it. When China does it, it's "authoritarianism". When "the west" does it, it's fighting against misinformation.
While I agree with you 100%, I think most modern economists fail to account for bad actors.
If a situation was "China is producing X and having its taxpayers subsidize cars, steel, etc" then it would be their loss and our advantage. We get great products they get pieces of paper. I couldn't care less.
But considering that the real goal of those bad actors is to annihilate the competition and then pull the rug this is ultimately a bad idea.
Especially when those bad actors, at the same time, do their best at playing dirty and ignoring intellectual property.
I couldn't care less if Europe didn't have a shipping industry, in fact protectionism of it has failed miserably in Europe, and made our yards less, not more competitive. So yes, in that world I agree.
But in a world where an elected (or unelected) government, can suddenly blackmail you or create such an immense strain on your economy (as Russia did with Europe) this is not really like that. And suddenly you realize you should've paid way more, but invested way earlier in diversifying energy-wise.
In an ideal market I'd be 100% with you, in the real world, it's really neither black nor white.
Yes, and the reasons why they do so have little to do with why this law exists.
A law whose purpose is protectionism is bad. It invites stagnation, pointless inefficiency, and retaliation.
A law whose side effect is a bit of protectionism has none of these problems.
Something that is good for a country as a whole isn't necessarily good for the economy. On the flip side, being good for the economy isn't necessarily good for the population of a country.
Which would make sense when everyone is part of open markets.
People are opting for the less efficient options, on purpose now. We live in an era where America is imposing tariffs.
We wouldn't be banning any law abiding company from operating.
Sure but the laws are probably relevant for the startups you _haven’t_ been a part of. The ones that never got started.
It’s funny you mention a lack of entrepreneurial spirit but then dismiss something that’s clearly a factor (not saying it’s the main factor but obviously it has some effect).
I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
Of course it's easier to do a bad job of something or to give up and not do it. That has no bearing on whether or not doing it the right way is actually onerous.
Can you share the projects? In most cases it is very, very easy to comply with the "random laws" (not that GDPR is much different from California's CPRA. Are you blocking Californian users too?)
Sorry, that's nonsense. CPRA has a carveout for small businesses. GDPR has your one person company obey the same rules as Meta.
This brings up the point that for some reason we're all terrified of the government. Maybe because we see the daily abuse from the USA? But if you accidentally violated the GDPR while in good faith trying to follow it, the most likely outcome is being ordered to fix it.
> I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
GDPR fines scale based on annual turnover so blocking EU users on a non-commercial product is utterly pointless and just being mean.
> bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
I guess you have been part of software startups and you severely underestimate the bureaucracy that is involved in physical companies nowadays. Farmers, fishermen, factory-owners, and other small to medium size companies all have severe difficulties with ever increasing regulations. By itself the regulations are not always bad, but usually it takes way too long to get through the system which makes it hard to compete with, for example, China.
> it hard to compete with, for example, China.
What exactly is Europe competing against China on? Isn't Europe's competition the US?
How am I underestimating it when it's literally in the quote you provided?
Here's my take, as a Romanian developer (since 2004ish).
One day I got a letter from the national authority regarding personal data where I was asked to reply to 15 questions regarding a personal project of mine, invoking the GDPR. The sanction for not complying within 5 days was an incremental fine of 600 euros PER DAY, until I complied. This letter was directed to me as a natural person (not even my company).
Another story: I had a publishing website with some ads on it. The moment full GDPR went into effect, some years ago, revenue instantly dropped by 30% because the cookie banner I was using wasn't part of the approved European framework for cookie banners (they created an entire organization for this, called IAB). Most of the "approved" cookie banners are insanely overengineered nonsense and almost all of them cost a lot of money. And they kill your performance metrics. And when I finally gave in and implemented one of those, revenues dropped even more because I was losing readers who just quit without consenting at all.
Third and final anecdote: at one point I was contracted by a Romanian DTH television company who mostly operated with prepaid customers. According to GDPR, they were supposed to anonymize data they no longer needed, but because their clients were seasonal or less predictable, that turned out to be ridiculously hard. Their legal department, together with external contractors such as us ended up spending months to adjust their systems to conform to GDPR, and the result was their losing business and time, while being unable to properly serve older customers because they could no longer identify them.
So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit. On the contrary, the large companies could afford the legal counseling that they needed, but the smaller ones were hit hardest.
Did you consider running non-tracking ads? Of course not because even after the 30% drop, the spyware still pays more, right? But destroying websites with spyware is literally what the law is for - the people have voted to nuke your website from orbit.
IMO the biggest barrier is internal mobility. The European silicon valley never happened, because people don't want to move around. The biggest single barrier is language. I'm Irish, and young Irish people often emigrate (way more than in other countries). When I look at where my college classmates ended up, it's mostly America or the UK. We also emigrate a lot to Australia and New Zealand. In other words, we only really emigrate to English speaking countries.
Almost nobody goes to France, Germany, Spain, Italy, etc. The mainstays of the European economy. Let alone central or eastern Europe. But if you're a young talented engineer in the middle of nowhere usa, you can just easily move to the bay area without any issue. That cultural unity IMO is America's biggest strength, and the lack of it is Europe's biggest weakness.
Note: I've lived in Ireland, the Czech Republic, and France, so I know first hand how hard it is to move inside Europe, and I understand why people don't do it.
I think (I'm an American so take with a grain of salt) even the "proper lawyer reviewing terms" part can be deferred quite a while by being conservative with PII (which you should be doing anyway) and using a service like iubenda to deal with terms and cookie warnings when you first start out.
> In fact the actors that most opposed those laws have always been non Europeans.
This decision is in response to lobbying from these actors (and their new friend in the white house). It is not supposed to benefit you.
> an European
European starts with a vowel in spelling, but actually phonetically begins with a consonant, /j/, so it doesn't trigger the "an" thing.
Similarly some spellings start with a consonant but have vowels (like acronyms, "an SSRI", the name of the letter S, "ess", begins with a vowel)
More to the point I agree with what you're saying. This seems like lazy attribution of cause that is so common in American business and politics. "Of course deregulation will boost growth!" Why? Because of religious beliefs about deregulation boosting growth.
> European starts with a vowel in spelling, but actually phonetically begins with a consonant
Ah makes sense.
In my head it's never "you"ropean, but "ew" uropean as I'm not a native English speaker and phonetically it's a consonant in English only. In Greek, Slavic languages, German or Latin-derived it's always "ew".
That's pretty cool. I'm from the Southeast US (redneck), and it sounds like "Yur-uh-pee-in"
Really depends on where you're from.
OP already mentioned in his area it's phonetically mostly "ew".
I'd say a lot of Germanic areas also do something I'd describe as "oi". That'd also make one inclined to use an "an" when speaking.
I speak other languages where it starts with an E sound. But I'm not aware of any native English speaking place where it doesn't have /j/ in English.
Maybe they say it as an "ew" diphthong instead? As an ESL, that makes sense to me.
The biggest hurdle Europe has to face is the cultural shift away from the post-Soviet era of "Don't take work too seriously, enjoy life".
There is now a full generation of Europeans who grew up with this mentality, looking down on Americans for their ridiculous work ethic and comparatively meager benefits.
But it's not sustainable, and the strain is already becoming obvious. Young Europeans will have to work longer and harder for less if they want to move Europe away from being totally dependent on American tech, American defense, and Chinese wares.
The data [0] begs to differ: in richer countries workers work fewer hours. The gap not shown here is working hours per capita (instead of worker), but I couldn’t find that data quickly.
Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
I think your data agrees with OP, you're just misunderstanding it. Yes, richer countries work few hours and richer countries also see modest GDP growth.
Cambodia's GDP growth is over +5% YoY, whereas Switzerland (and the rest of Europe) has more modest GDP growth.
There is some "Work smart, not hard." facet to this, which requires an educated population.
The other facet is developing countries exist in climates heavily impacted by global warming (look at flooding in VN or TH this year). They make 2 steps forward, and then 3 steps back when a monsoon takes out an entire town.
> Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
Personally, employment makes my life interesting and rewarding. I love the puzzles (and compensation) that my employer provides. The rewards compound, but in career development and via investing the profits.
Unfortunately, I think the one area that isn't accounted for is child care. Societies (rich and poor) continue to extract time away from parenting, via cost of housing near job centers and dual-income families. Offering an extra month of vacation or 4-day work week isn't the same as 1 income household or the parents living 15 minutes from their job.
> richer countries also see modest GDP growth.
This is a natural consequence of being an industrially advanced country though.
A lot of GDP growth can come from establishing basic services like a functioning healthcare system, insurance apparatus and financial system. Of course, we can't building out infrastructure like roads, power, etc.
Especially construction can lead to substantial GDP growth, but once you have a basic set of infrastructure and housing in place, growth is much slower and consistent for very obvious reasons.
Once you have that stuff in place, getting consistent growth requires more advanced stuff.
The US is very much an outlier and attributing that solely to a difference in work ethic is ignorant at best.
>The US is very much an outlier and attributing that solely to a difference in work ethic is ignorant at best.
Right, Europe also has a suffocating business environment which is the primary driver.
> This is a natural consequence of being an industrially advanced country though.
Ok, but then compare the GDP of the USA vs Europe as millennials enter the workforce. Entering the 2008 crisis, USA and Europe were neck and neck. Now, the USA has left Europe in the dust.
Declaring the US an outlier seems like an odd choice... What country should you compare Europe to?
Why do we use GDP though? On average quality of life, Europe left the USA in the dust. GDP just measures how expensive everything is. More expensive things is bad.
GDP is a measure of productivity, which is (normally) corrected for inflation.
The point you are making is exactly the reason why this problem is so existential for Europe. QoL is good, so nobody wants to change anything, or feels the need to.
But structurally, Europe is not sound and European leaders know it (Just look at the surge in rhetoric about Euro independence). Do you know the story of the ant and the grasshopper?[1] Europe is in a 50 year long post-Soviet era summer. Most young (and now even middle aged!) Europeans only know summer, so it's going to be incredibly difficult to get them to collect food for this mythical thing called "winter".
Can you provide convincing evidence that this is the case? What is the winter that is coming? And that your proposal will prevent it? And what exactly is your proposal anyway?
North Koreans think the outside world is going to collapse because they aren't doing what North Koreans are doing, but it's all just propaganda. You need to distinguish what you say from this.
The surge in anti-EU rhetoric seems to be mostly coming from US propaganda bleeding over, and is still a minority.
People have been predicting the immediate collapse of Europe and the immediate collapse of the USA for decades.
Nobody on the ground, who actually buys groceries, trusts official inflation numbers. How much apparent GDP growth is actually just unreported inflation? I saw some food getting 50-100% more expensive over the last 5 years, which is 10% per year. What was GDP growth? Less than 10%...
Many topics condensed into a single comment to conserve rate limit.
> This is a natural consequence of being an industrially advanced country though.
E.g. emerging markets tend to outperform advanced ones, because they have more room to grow.
If you think the US stock market has done well in the last few decades, wait till you see India or Peru.
Joining the rat race isn't worth it, in the near-term, which is why the threat is existential. Europe has been sleeping on its laurels for 30 years now, and the signs are clear; borderline stagnating economies, low working hours, generous benefits, and most importantly still relying on the exact same industries as 30 years ago. Europe totally missed out on the tech boom, and is now also missing out on the AI boom. And Europeans' response has largely been "What's the issue, we can just buy it from the Americans/Chinese?".
Russia invading Ukraine, and the US providing the majority of the weapons and cash to stave off Putin should have been a gut-punch wake up call that Europe is in an extremely vulnerable position, and needs to get to work building their own modern tech, their own defense, and their own industry.
Failure to do those things will lead to Europe balkanizing as the economic situation gets worse under the weight of an aging population and shrinking economic output. Young Europeans think they cracked the code of comfortable living, but really they are just in a post-cold war golden period. Very similar to the post-WWII era American baby boomers enjoyed (except they had lots of children).
Look at the bottom of the list and then go look at their growth.
> Look at the bottom
Also look at the top ;)
> Russia invading Ukraine, and the US providing the majority of the weapons and cash
That's beyond false, US provided little non-military help, the money mostly stayed in US and went to US contractors.
I don't need to tell you that those figures are also insanely inflated by crazy costs.
Zelenski himself has stated that he proposed multiple times to, e.g., send its navy to US ports to take the weapons so US taxpayers wouldn't have to bear the costs, but instead tens of billions went into that expense. Why? Because US support to Ukraine is a welfare machine for US contractors.
In total EU has provided around 3 times more between military and non-military.
IMHO, the US and China’s hurry to expand into every possible corner is unsustainable. Unless we are actually trying to get ready to face an extraterrestrial threat, our endless effort to maximize our tech and become more and more efficient and profitable is unneeded and puts too much stress on earthlings, which is definitely not sustainable. Do you really believe that when we are able to pass production of almost anything to AI and robots and give generous UBI to each and every person, they will be happy and satisfied? It is a dead end, a loss of meaning that we are racing to reach ASAP.
Population collapse cannot be a good enough reason, either. Older people won't be happier if their servants are robots instead of climate migrants.
The standard of living in China is bad for most people. IMHO, they need to expand in order to provide the same lifestyle as offered in the USA.
This has the energy of "Why are we building rockets to the moon, when there are homeless people in San Francisco?"-vibes.
> give generous UBI to each and every person
Have you seen the movie Wall-e? I don't think society should strive to outsource all labor to AI and robots, nor is that the final end-state of building robots and AI.
Maybe so. In the meantime, Europe will continue to fall behind economically.
We could just, like, not give billionaires so much money, and there will be more left for everyone else.
Yeah, if we want to be the world superpower we have to work really hard. But we definitely won't get any of the benefits of being the world superpower - just like Americans don't already - all of it accrues to billionaires. And it'll make the rent really high. So why should we want that? Of course, we don't want anyone else to be a world superpower either, because kings/dictators/emperors are bad.
I know a friend who was building his first website, he asked in our startup group how to handle the GDPR cookie banner, he likely wasted 1 day on that, when he had invested maybe a whole other day on the project.
At that moment in time the GDPR cookie banner amounted to 50% of the effort.
It killed momentum, it killed willpower with bureaucracy.
He should have asked himself how to get users, not how to comply with GDPR for a website that in that moment had 0 users.
It's pure ideology that "cutting red tape" will lead to growth. Unfortunately I don't think there's much to understand, perhaps beyond the US giving the EU some kind of kickback for complying.
The Elysium-Cloud needs your data
I agree with you partially.
My hot take is that this is a signal for Trump. We play nice with you, you play nice with us.
Big tech is well connected to the current US administration so if the EU were to make these changes, then they will appease big tech (a little bit) and therefore by extension Trump.
I (like you) don't think that these regulations are the reason the EU doesn't have home grown hyper-scalers a la AWS or GCP or Azure.
I think the EU just fell asleep at the wheel for too long. It basically outsourced its defense to NATO, its tech needs to the US and its manufacturing to China and for a while it worked perfectly.
However the world is changing and the EU is simply in my opinion not up to the task. It's too slow, bureaucratic and messy to be able to adapt rapidly and it lacks the vision necessary to remedy its weaknesses.
Few things.
1. We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
2. Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
3. I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters:
I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
4. EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
5. There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
Are you sure you meant to respond to me? I agreed with you on most of what you said regarding the regulations but just in case let me respond to your points:
> We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
Is that a counterpoint to my NATO comment? If so I agree, I think that the EU countries should exit NATO and form their own military alliance. However it is very clear that investing in military capabilities is not the priority of the EU countries as only a few of them managed to spend the required amount each year as per the NATO treaties. Most likely such alliance will be dead in the water.
> Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
Again I agree with you. I think that the US has caused much suffering by invading Iraq and Afghanistan and then Libya (with the help of other countries), thereby causing the refugee crisis and then leaving the EU countries alone to deal with this problem.
> I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters: https://transparency-register.europa.eu/search-register-or-u...
> I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
She was not elected to be a good politician.
She was a terrible politician in her home country. There was nothing to expect from her at any level and so far she has not disappointed. Her secret deal with Pfizer and her missing text messages are just the tip of the iceberg.
> EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
That is never going to be the case because all EU countries want different things and for very good reasons. They have different needs and different economies.
So the German government will keep selling out its EU "partners" as long as they can keep selling cars in the US. France or Italy would have done the same.
> There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
I disagree with you on Macron. Macron has no vision besides a "more" federal Europe. The details are not very clear and his policies are constantly changing depending on his approval level in the polls. His promise when he was elected was to put the far right out of business by the end of his presidency, the reality however is that the far right is now the biggest party in France and is in a very strong position to win the 2027 election.
> That is never going to be the case because all EU countries want different things and for very good reasons. They have different needs and different economies.
That's quite a weak argument, every state or county in the US has conflicting interests too. But there have to be defined boundaries in what is the business of EU and what is the business of single states.
I would say that matters like digital data privacy should have one common policy, not 20+ agencies.
> Btw, this is why the US alone has a larger economy than your entire geographic region combined.
And all of it is due to massively overvalued companies in California.
But where would you rather be an average Joe?
Your health outcomes alone are better in the EU.
I think we all agree that looking at GDP figures needs to be supplemented with wealth distribution data.
>But where would you rather be an average Joe?
In the US. By far!
And migration data backs it up.
>There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
That's kind of the point...
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
I strongly agree with this position. This is basically the foundation of Control Theory!
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
> This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
I think the problem here is more that _some_ people want the heater to be on and _other_ people want the heater to be off.
And when it comes to privacy, consumer advocate types and privacy wonks (I include myself in this group) want the heater to be on, and technology companies and advertising companies and all of their hangers-on want the heater to be off.
One group has a lot more money, power, and influence than the other.
And, at least in your example, sometimes you need both at the same time!
Reminds me of the book Thinking in Systems.
Thanks for the link.
It is the perfect and correct antidote to any slippery slope argument. If the consequences of the law turns out to be as bad as you say they will be then we adjust the law.
Nothing is more permanent in politics than a temporary solution. As a Norwegian, for example, I am still paying a temporary 25% on all spending that was enacted as a "temporary" measure over 100 years ago.
Control Theory does not work (in the general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviously works, but for it to be a good solution in some political context you must additionally prove the existence of some Nash equilibrium where it is being correctly applied.
The thesis argues that dictators regularly both harm groups clearly inside the winning coalition, and please groups clearly outside of it. A common, but not the only reason, is ideology.
One has to be careful when using game-theory models on messy human entities. Sometimes it works, sometimes it doesn't, and it's hard to determine just at what point the model breaks down. At least without empirical research.
(Another example is that actual negotiation outcomes rarely end up at the minimax or Nash product equilibria that game theory sequential negotiation concepts would suggest.)
> they will be then we adjust the law.
Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.
Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.
“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”
“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.
Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
> Bizarrely horrible approach
I very heavily disagree here, we aren't doing as much of this as we should be.
Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.
Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.
In the same post you are arguing for and against "slippery slope".
Either it is possible to easily change law to make it worse ("slippery slope" is a valid objection) or changing law is "much harder than doing nothing" ("slippery slope" is a fallacy).
>Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.
And the snowball effect continues. Governments are only increasing their grip on power (looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014-2019, that ship has long sailed.
The libertarian approach to COVID would be that infecting someone is assault and you are justified in shooting someone who is trying to do that.
> If the consequences of the law turns out to be as bad
This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.
The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.
Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.
So, you do think “useCase.regulation” being a single dial. It’s a pretty reductive framework. I have an easier framework where in 90% of cases current law was already good enough and we don’t need to tweak that dial
The road to hell is paved with “good enough”.
Is the road to nowhere paved with "perfect"?
Perhaps not when it comes to matters like these.
It's a funny thing to say because the popular saying you're modifying says the exact opposite.
In practice, “good enough” is rarely actually good enough.
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
Not only in the executive/enforcement, but in the actual impact of the regulation in practice as applied by millions in a distributed system. Regulations influence decision paths as opposed to encoding deterministic code paths.
The worst possibility is selective enforcement.
There's a reason we call them judges. Selective enforcement is there for a reason. Lawmakers can't anticipate everything. Just look at how bad of an idea zero tolerance policies in schools have been with things like getting expelled for biting a sandwich into the shape of a gun.
The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.
The reason that selective enforcement exists is that it is very hard to avoid having rules selectively enforced.
But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.
For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.
You’re arguing that the mass incarceration of more people would have been better?
Yes, I would argue that it would be better for more to have been incarcerated, for that would bring greater focus to injustice and the law would be changed. Selective enforcement interferes with the feedback mechanism that would otherwise make the law work better.
If a law were to mass incarcerate people from affluent white neighborhoods it would be quickly repealed
Actually it would have never been passed. Nixon started it as a way to put blacks in their place.
Any instance of selective enforcement being necessary is ipso facto evidence of a bad law. This is completely orthogonal to the matter of the world not being black and white - you're right, it's not, but a good law recognizes that fact, and laws can also be amended as needed.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
By that measure every law is a bad law.
Legislation is much worse than organically derived common law, for the common law comprises decisions that apply to particular conditions with all their details while the former are mere idealizations.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.
If the law is code, then law enforcement is a JITter
(joke)
Optimised compiler makes sense though.
Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).
A jitter is like a lawyer on retainer. Law enforcement is more like the OS that segfaults you when you fail to follow the lawyers advice.
Law enforcement is more like a toddler holding a glass of water over your CPU and saying "stop transistoring!"
The problem with laws that both the enforcer and the subject (enforcee?) agree are bad, is that enforcement is variable. And that leads to corruption. Every damn time.
The fix for corruption is vote the bums out of office. It is not to go whole hog into blind application of the law.
Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.
And now you want to rigidly apply your operators to this parameter space?
Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.
It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."
> The fix for corruption is vote the bums out of office.
That doesn’t seem to be working.
I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.
Come out of government better off than when you went in. Fine, good on ya. No need to tell us about how you’re going about it while you’re going about it.
Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.
Bad law enforced perfectly is also undesirable.
I'm not convinced. Perfect enforcement would be a great signal exposing bad law much more clearly, so it can be rewritten/scrapped.
Until a bad law takes your friends and family out of the gene pool.
Sure, but what about those who got hit by that bad law in the meantime?
Usually laws are created because of the people being harmed because the law doesn't exist. So it could go either way.
And lines of code is like the mass of an airplane.
Just put all code on one line then. Statements (or tokens) is what matters.
In general you want as few as possible of both.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
this is wrong for the same reason using single letter variable names to keep things concise is usually wrong.
i’d rather something a bit more verbose and clear than cryptic and confusing. there are many actors in the world with different brains.
that's right. This is the reason all my code looks like an entry to PerlGolf. /s
The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"
Simplicity is a laudable goal, but it's not always the one thing to optimize for.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for its hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in its own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
As soon as you start developing web sites/applications, you are entering distributed systems.
> code and computer systems are inseparable and the most straightforward and simple code is code that leverages and makes sense for its hardware
You're missing the point. Code is separable from hardware per se, even if practically they typically co-occur and practical concerns about the latter leak into the former. The hardware is in the service of our code, not our code in service of the hardware. Targeting hardware is not, in fact, the most straightforward option, because you're destroying portability and obscuring the code's meaning with tangential architectural minutiae and concerns that are distracting.
> you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware
You're mischaracterizing my claim. I didn't say hardware doesn't matter. Tools matter - and their particular limitations are sometimes felt by devs acutely - but they're not the primary focus.
My claim was that code is PRIMARILY for human consumption, and it is. It is written to be read by a person first and foremost. Unreadable, but functioning code is worthless. Otherwise, why have programming languages at all? Even C is preposterously high-level if code isn't for human consumption. Heck, even assembly semantics is full of concepts that have no objective reality in the hardware, or concepts with no direct counterpart in hardware. Hardware concerns only enter the picture secondarily, because the code must be run on it. Hardware concerns are a practical concession to the instrument.
So, in practice, you may need to be concerned with the performance/memory characteristics of your compiled code on a particular architecture (which is actually knowledge of the compiler and how well it targets the hardware in question with respect to your implementation). Compilers generally outperform human optimizations, of course, and at best, you will only be using a general knowledge of your architecture when deciding how to structure your implementation. And you will be doing this indirectly via the operational semantics of the language you're using, as that is as much control as you will have over how the hardware is used in that language.
> Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
In principle, you can write your code as a monolith, and your language's compiler can handle the details of distributing computation. This is up to the language's semantics. Think of Erlang for inspiration.
> People keep building distributed systems because they don't understand, and don't want to understand, hardware.
Unless you're talking about people who misuse "Big Data" tech when all they need is a reasonably fast bash script, that's not why good developers build distributed systems. Even then, it's not some special ignorance of hardware that leads to use of distributed systems when they're not necessary, but some kind of ignorance of their complexity and an ignorance of the domain the dev is operating in and whether it benefits from a distributed design.
> But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
This is neither here nor there. Not only are "network calls" and "caching" and so on abstractions, they're not hardware concerns. Hardware allows us to simulate these abstractions, but whatever limits the hardware imposes are - you guessed it - reflected in the abstractions of your language and your libraries. And more importantly, none of this has any relevance to my claim.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
`inline` in C has very little to do with inlining these days. You most certainly don't need to actually use it to have functions in the same translation units inlined, and LTO will inline across units as well. The heuristics for either generally don't care if the function is marked as `inline` or not, only how complex it is. If you actually want to reliably control inlining, you use stuff like `__forceinline` or `[[gnu::always_inline]]`.
Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.
Modern CPUs are optimized for calling functions. Spaghetti code with gotos is actually slower.
One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.
But how do you actually do that?
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
I’m not saying the following regarding Draghi’s report or particular regulation in mind:
If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?
That depends, are the people who are negatively impacted aware, and able to do anything about it?
There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.
Even if I were emperor and believed these businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.
In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.
Pay day loans are generally good _for the borrower_ - they aren't just window breaking. The consequences of missing an important payment can be way worse than the high interest on the pay day loan, e.g. if you don't pay for a course in time, they disenroll you and you no longer get to take the course; if you don't pay rent in time, you might get eviction proceedings filed against you; if you don't pay for your car repairs the garage will not return your car and you will lose time every day taking public transport.
I won't argue that the availability of payday loans (or any other product) is a net positive for the rational consumer. I'd still be willing to bet that (ceteris paribus) a society like the ones we live in is better off without them than with.
(Coda: You might say that's impossible, and local loan sharks will spring up to meet the need. That's probably true, but at least those guys merely break your legs, rather than advertising incessantly on daytime tv.)
If the net social cost is less than the cost from overregulation, yes
Lmao you can’t be serious. This is something that can only be said if you can’t/won’t quantify social cost.
Deregulated gambling has had a horrible impact on individuals. Repealing Glass-Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.
>Deregulated gambling has had a horrible impact on individuals.
Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI (hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.
So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.
ML and other automated systems are not new, and we know enough about automated systems to come up with regulations like "no, you should not use these in a certain set of specific circumstances" or "if you're unleashing this onto the world, you have to show that you understand what you're doing" etc.
>ML and other automated systems are not new
Let's not be overly pedantic and overly pious on petty semantics like that. It was clear from my original comment, the context of what I was talking about.
Even for LLMs the same thinking applies.
E.g. "if a decision cannot be explained by a human, it should not be done by a machine" applies to them, too.
Basically, if you read the EU AI Act for example, it's hard to find anything you'd disagree with regardless of whether it's about ML, LLMs or three if statements in a trench coat.
Of course the industry is up in arms about it (just like GDPR)
> Gig economy businesses are exploiting workers
Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
> insane monopolistic pricing and practices in the US in eg the telecom industry
It's actually regulations deterring competition in telecom that are responsible for those practices.
It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
> too little environmental regulation
In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.
> Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.
> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.
> In China. You forgot "in China". … Good luck promoting environmental regulation there.
Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯
I’m not blind to the existence of plain bad regulation, regulatory barriers and capture, but the overwhelming majority of these arguments have just been used to make regular people’s lives worse.
“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.
As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.
> Over-regulation being what
One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.
Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.
> Bell system
Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made it illegal to connect a 3rd party telephone to Bell's network!
Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulation incumbents lobby for is meant to deter competition.
> Cheap housing isn’t being built in the UK
I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...
It's not just China. It's everybody.
The logical extreme there is legalizing murder for hire, human trafficking, and a bunch of other crazy stuff.
Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.
That's a straight up slippery slope logical fallacy.
That's technically true, but I was using it to prove my point that there's more to think about than company profits.
Maybe I should have used dumping waste in a river and paying workers below minimum wage as examples. Profits could go up, but most people would agree it should still be illegal.
We’ve had “legitimate” for-profit firms supplying authoritarian governments with phone malware that they allegedly used to spy on and sometimes murder their dissidents. The slippery slope isn’t a fallacy, we’ve seen what happens if it isn’t guarded.
>latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course.
Normally I'm against overregulation, but when it comes to privacy, more fines for big corp are needed if ANY violation is found. Rather NOT have AI than compromise on privacy.
"I'm against overregulation, but when it comes to privacy"
Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.
Are you sure someone knowing your address is that bad?
How about "we store your precise geolocation with all associated device ids, travel and purchasing habits across all areas of your life for a decade and sell it/share it with thousands of other entities"? https://x.com/dmitriid/status/1817122117093056541
It's no longer just "your home address".
Interesting that you have privacy so high on your list of priorities. The general public usually considers other small things like "cost" and "convenience" when thinking about privacy.
Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.
But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.
There is no universal measure for that, only each individual can answer the question for herself. GDPR is robbing people of that chance though.
> Is this a small amount
For me, yes. I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
> 96% of people opt-out
I bet they would choose very differently when the alternative is to pay or stop using the product. Just look how many people use privacy-destroying fidelity cards in supermarkets for some measly discounts.
> GDPR is robbing people of that chance though
How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".
> I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
There's a difference between "one company" and "thousands of companies". And yes, there's an expectation that the company doesn't sell that location data which even in the US results in lawsuits: https://www.reuters.com/legal/litigation/us-court-upholds-ve...
> I bet they would choose very differently when the alternative is to pay or stop using the product.
False dichotomy. You don't need 24/7 surveillance to show ads or monetise products.
> How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".
Patently untrue. Under GDPR you are not allowed to withhold your services from users refusing to give you "their" data. Their opt-out costs them nothing.
Nope.
This is what you pretend to care about: "There is no universal measure for [what small amount of privacy constitutes], only each individual can answer the question for herself."
What you actually want (and what actually happens): "users are not given any privacy whatsoever and every single scrap of user data has to be siphoned off and sold to the highest bidder, and the false alternative should be for users to pay to preserve their privacy". That is basically what Facebook is arguing.
So. First you define what "small amount of privacy" is, and put a price on that. And then present users with a choice. Or skip the pretence.
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a 45% tariff on manufactured goods and a 110% tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a Chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
> Businesses have absolutely zero incentive to say that regulations are not bad.
Your overall point is solid, but I'd like to add what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.
Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitive advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/
The number of regulations is not as important as the quality of those regulations.
Shame we can’t regulate the quality of regulations.
That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.
It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.
Right, but that's a follow on to regulations about increased rear and side sill heights for occupant protection, and that's a follow on from increased vehicle sizes, and that's a follow on from commercial vehicles being sold to the general public instead of regular passenger vehicles due to tax breaks, etc.
That's actually pretty cool.
I was somewhat disappointed, however, to see that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
> Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?
There's no reason to expect the warm clothes to be made in the north and the cool clothes to be made in the south.
At scale, no. But when very small there is a reason that people from Norway made rain jackets, and the brand cachet follows that too.
European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.
Languages are the biggest trade barrier in the EU.
Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.
I don't mean to refute your experience, but I am surprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean?
> Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.
Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) mean that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.
A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.
Ah, you're absolutely right. Only when reading your comment did I realise that I'll often go to the UK for some human-mediated service I need in English.
(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)
> go to the UK for some human-mediated service I need in English.
Come to Ireland, we have Guinness!
Murphy's is clearly superior
I mean, clearly Beamish is actually superior (mind you, I'm from Cork so I'm legally required to make this distinction ;) ).
Dowtcha biy!
Seems pretty real. E.g. CRA official impact assessment estimates one-time (in addition to ongoing costs) compliance cost at €500K per one product. That is enough for 10 man years per product.
And that is just one of many new regulations.
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
should you filter out the covid era from that?
costs have gotten higher, but across the board for different countries
Ok let’s take this at face value. Not being able to use child labor is a 40%+ tariff.
What have we gained by framing it as such other than an extremely biased take pro unregulated business?
Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are built in less-regulated territories (USA and China to be specific).
> We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Oh no. How are you going to build your new ChatGPT wrapper without selling user data to thousands of "privacy-preserving partners"?
GDPR (and a very small number of other applicable regulations) are somewhere between place 1000 and 1500 of things that hinder startups. And unless you are a complete moron those regulations will maybe apply to you when you reach 10 million+ users.
> GDPR [...] somewhere between place 1000 and 1500 of things that hinder startups.
No. GDPR was presented as a company ending regulation. You make a mistake - you are doomed. The fines are in revenue percentages. User data was said to be "toxic". You touch it, you better know what you are doing or else.
This kind of regulation has a strong chilling effect on the budding founder. Countless web-startups were never created because the most common monetization model (ads) became basically illegal (for European startups only, US/Chinese competitors kept enjoying full freedom).
> and a very small number of other applicable regulations
But it's not a small number. And regulations have a cumulative effect. See, startups are like distance running. You know it's a hard thing, but you believe you can try to do it. But then regulations are like potholes. You run around a few, but the more potholes to avoid the harder the run, until your main job turns from running to avoiding potholes. Then you simply say "why bother" and give up.
The more regulations you have, the more obstacles you put in front of startups, the fewer young people choose the entrepreneur path and decide to just get some bureaucratic job instead.
This is the tragedy we are living in the EU right now, in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
> No. GDPR was presented as a company ending regulation.
Bullshit
> You make a mistake - you are doomed. The fines are in revenue percentages.
Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations without telling me
> This kind of regulation has a strong chilling effect on the budding founder.
A moron who gets their advice from ads industry, sensationalist headlines and HN? Perhaps.
> But it's not a small number.
It is.
> The more regulations you have, the more obstacles you put in front of startups
GDPR is not an obstacle. It quite literally is "do not scrape user data and sell it to third parties without user consent".
> in the clapping of bureaucrats who never build a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
Yeah, "entrepreneurs" complain about a lot, and then make a surprised pikachu face when they are told in no uncertain terms that no, sending precise geolocation data to third parties to store for 12 years is not okay: https://x.com/dmitriid/status/1817122117093056541
> Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations
As a matter of fact, I am the founder&owner of a small ISV (nothing ad, privacy, crypto or AI-related) in the Eastern EU. Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
How about you?
(long time no reply due to hitting HN's rate limit)
> Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
Strange that you then spew absolute bullshit about GDPR.
> How about you?
I've worked in large multinational corporations (banking, streaming) that were "hit" with GDPR and spent several years making sure they are compliant. Not because GDPR is bad, but because no one really cared about the data collected, and where it ended up. [1]
Startups had it and have it easy since they can just not siphon all the data. Especially now, when you have all the tools to handle data properly. Hell, a decade ago you couldn't even get privacy-preserving analytics. Now you're drowning in them.
We're also preparing to launch a few (admittedly small scale) projects with friends, and what do you know? GDPR is the absolute last thing that even bothers us. You know why? We know what data to collect and for how long to store it, and we're not sending that data to thousands of "privacy-preserving partners".
"Company-destroying fines" boogeyman or whatever other "chilling effect" bullshit belongs in the mind of children and morons. Hell, I've seen banking regulators come, list issues, and give a deadline to fix them. Much less GDPR.
[1] That's not entirely true. Payment and payment-adjacent regulations are significantly more stringent than GDPR, so everything related to that was and is extremely serious. As anything related to things like "data of persons under state protection". It's never black and white.
However, in big companies, especially at the time, you would eventually end up with a lot of data duplicated across many systems, often barely connected. 10 years ago cleaning up that mess required companies to reverse engineer and document 10-15 years of bad/hasty/ad hoc decisions and assumptions. Surprisingly often that resulted in just retiring certain internal microservices wholesale (they just were no longer needed) and/or significantly reducing bandwidth and storage requirements in certain cases (because you no longer carry and store heavy duplicate objects around).
So the main opposition to GDPR came not from "poor chilled startups", but from companies like Facebook and Google who rely on 24/7 surveillance exclusively, ad industry, and large corporations who didn't want to deal with cleaning up internal messes.
When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
Based take. It is rarely black and white when it comes to social-technical challenges like this.
The challenge with regulation is that it's the result of those in charge of a power imbalance being able to decide what is "good" or "bad."
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
I agree
People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:
Bureaucracy is how it works
That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.
Of course the meaning drifted with the times, but it still means that
Stuff like e.g. ChatControl is also regulations, so no, it doesn't follow at all. If in practice the people doing the regulating don't have your interests in mind, more regulations is indeed bad.
I didn't say
"it's a regulation therefore it's good"
I said
"saying 'it's regulation therefore it's bad' is something bootlickers do"
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
>Unfortunately politics has become the religion of modernity.
religion was classically politics. Moses's tablets were Law. the circle of life.
Because both are trying to create a better society. One by internal, the other one by external motivation.
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
Hear hear.
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think there's a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
> 87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
That's some serious speed reading! :-)
20 minutes to “read” 87 dense pages of legalese? Perhaps you meant to say “skim over.”
Perhaps they meant 200 minutes.
Or perhaps they also never read the law they are chiding others for not reading.
Try reading it, it's like 10 sentences per page and plain language.
What is the point of lying about this? Anyone can open up the PDF and see this is an untrue statement.
The text is 56k words, novella length but dry and tedious. This is hours of reading.
I’m not saying it’s unreasonable to read this document if your work involves GDPR compliance. But this is not a quick or easy read.
Maybe I have an advantage because I am natively English and learned to read at a young age, idk.
I’m not lying, why would I provide the source if I was?
It is an outright lie that there are “10 sentences per page”. You can open the PDF and see that this is not even a little bit correct. 10 sentences per page would maybe be appropriate for an Early Reader book. It’s certainly not what we have here.
You also didn’t read 56k words in 20 minutes. This is nonsense, at 46 words per second.
Maybe “statements” is better than “sentences”, but I meant what I meant..
and yes it took 20 minutes, it’s not the dense legalese you’re implying.
it’s just not. unless the dense one here is not the text.
I could suspend my disbelief for a moment and imagine that you are capable of reading 46 words per second. Sure. You happen to read about 10x faster than the average person at 250-300 words per minute. Congrats.
What I cannot believe is that you would in any way imagine that this is normal. Speed readers know that they read faster than other people and do not casually assume others could read The Hobbit in 34 minutes.
So no, I don’t actually believe you read this in 20 minutes, at >4 pages per minute, >46 words per second, and 10x faster than an average reader. Generously I would say you perhaps skimmed the doc in that time.
On the off chance that this is true, again congrats. You should know for the future that your experience reading does not map to the typical person who literally reads about 10x slower than you.
clearly, you haven’t tried reading it.
Jesus Christ, it’s like talking to a brick wall.
The amount of effort I’ve spent replying to you is more than was necessary to understand the entire fucking text.
Every statement is very clear what they’re saying, don’t record what you don’t need, how do you define what you need, make sure personal information can be deleted, what constitutes personal information.
It’s really really really fucking easy, like dude; you’re halfway through a sentence you know exactly what they’re getting at. You finish it anyway in case there’s an exception or something, and it’s never the case that there is.
Whatever… you believe whatever the fuck you wanna believe don’t call me a fucking liar though you cunt.
At no point did I say the law was very difficult to read. I said that your claim that it should take 20 minutes to read is absurd.
That the other replies to you said basically the same should clue you in that this is not realistic for others even if it were realistic for you.
> don’t call me a fucking liar though you cunt.
You could have easily just walked your claim back and said “Okay, 20 minutes is an exaggeration but it’s not a hard law to read”. Instead you repeatedly doubled down and backed yourself into a corner where the only possible options are that you are an ultra speed reader at 10x normal pace or you are a liar.
Not my problem if you don’t like those options.
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
I would call this the religious zeal response, it's been parroted so many times here that it's become fact, even though this is false.
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activity? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
Big enterprises like regulation because it enables them to capture the market and slow startups down: that's why they invest so much in standardization, for instance.
It allows them to force startups to match their (slow) pace of development.
> Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?
Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.
> The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long
My feeling is that in 9 years you could read it.
However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.
> it's actually super easy to comply, you can read it yourself, it's one sentence!
It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.
You’ve addressed nothing in my comment and have simply repeated the religious chant: it’s easy to read so easy to comply!
Thank you for illustrating my original point about this being religious dogma here.
Every HN thread about GDPR devolves into this circular argument. It’s getting so tiring. There are many issues with the actual reality of its implementation which I’ve explained in my other comments. You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
> Every HN thread about GDPR devolves into this circular argument.
The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".
> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.
So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
> So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
this is exactly the attitude of these people
for most legitimate businesses the "pain" of the GDPR consisted of maybe removing Google Analytics from their website
the entire point is to stop the shitty companies (facebook) data harvesting everything they can get their dirty mitts on
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Well, I see multiple in this thread, one of which is currently adjacent to your comment.
Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.
Thanks for confirming my point with regard to acknowledging shortcomings. :-)
Then I don't get your point at all. You think when I like a law that much, that I say it should be used more, it is a drawback of the law?
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
The regulation good/bad dichotomy has been very effective reducing the thinking of the constituents of modern neolibs in the US.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
> I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
you didn't really say anything
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
i could have chosen anything, you choose and do it. he didn't say anything at all.
"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
Well he is saying something here, because as pointed out, many people approach this from an ideological place.
Your midbrow dismissal only makes sense if there is nobody who denies that regulation is nuanced. In fact, the entire political landscape is set up around a "regulation is GOOD" vs "regulation is BAD" worldview.
false equivalence describes a false equivalence. the equivalence that I pointed out was true. he didn't say anything.
The thing you pointed out is barely even grammatical.
There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
> There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
try untangling the tracking code from the rest of the javascript code which is required for the sites to work - simply unrealistic.
It's not more effective and trustworthy, particularly as you can do both. The laws also cover dramatically more than tracking scripts and cookies.
> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.
Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.
The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
> You can’t read news websites unless you accept all cookies or pay to read.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
It seems there were lawsuits but "pay to reject" is apparently legal as long as the pay is reasonable. I despise it personally.
Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
the edpb did not. that was explicitly -- in the very first paragraph -- under the DSA, not GDPR:
> The scope of this opinion is indeed limited to the implementation by large online platforms
Separately, in the first couple of paragraphs, they basically complain that they don't like the alternative that platforms can legally implement of paywalls for all. :shrug: Which they may not like, but is legal. So consent or pay is essentially a realpolitik deal to not implement paywalls.
> why are news organizations exempt from this rule in Europe?
In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.
Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.
> But when we talk privacy and personal data there should be no gray zone.
It took moving to Germany for me to figure out that privacy is a spectrum, and I, despite being crazy about privacy and security, actually don't want that much.
I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.
Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people security concerns.
Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on spectrum and is a trade off.
I'm curious how the CCTV would have prevented the bike theft?
Yeah, I can tell you that the only thing CCTV does is making the thief wear hoodies. And you get some clips of them carrying expensive bikes around the corner out of CCTV range to their parked transporter.
Even without hoodie… who was it? Some dude.
True. I don't know from where people get the idea that the police would bother with an investigation for your (personally important) case if you had full-on surveillance.
You may have your laptop snatched, go to the police station and show them the exact location of the thieves using e.g. find my Mac. They will do nothing, even if it's in the building across the street.
Now, showing them some blurry (at best) faces in CCTV footage and ask them to investigate? Good luck.
> I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
It sounds interesting but I'm not sure what it means. Could you clarify this?
Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).
Private CCTVs are legal, you just can’t have it film a public area. And I’m grateful for that.
That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job?
They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.
It is the fault of the EU. If you leave a steak on the floor you don't punish the dog for eating it. Site operators just chose to do what was most convenient for them within the boundaries of the law, as would you.
We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.
I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.
> Probably. But the law and the incentives aligned to cookie banner hell.
Most cookie banners are non-compliant, so I doubt that.
> That cookie banner needs to be standardized and offered by the browser.
That's actually part of these changes. It's mentioned in the linked article about halfway down.
Aren’t tracking cookies mostly irrelevant nowadays, because every browser can be uniquely fingerprinted anyway?
The law doesn't even mention cookies. This is a common misunderstanding and causes a lot of annoyance as I've seen websites ask for permission to store cookies even when they don't need explicit permission.
The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.
No. The regulation is about processing your personal information, cookies are just an implementation detail.
Fingerprinting is actually covered by the regulations and needs to be "consented" to.
There are different regulations, but basically they are technology agnostic (a good thing). If you as a company want to use data that could theoretically be used as an identifier for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.
Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users). But those are separate from GDPR.
GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.
Theoretical example:
Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village), use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome to having to ensure you only use this data in a way that I gave consent to.
See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing to me as an "ID" - like a cookie ID, or at personally identifiable data - like by combination in my example.
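The village example from the comment above, worked through as an added illustration (not code from the thread): it measures how the anonymity set shrinks as quasi-identifiers are combined. The population is constructed, and its modular rules are assumptions chosen only to reproduce the proportions the comment names.

```python
from collections import Counter

AGE_BANDS = ["0-17", "18-29", "30-44", "51-64", "65+"]
QUASI_IDENTIFIERS = ["sex", "age_band", "cats", "os"]


def build_village(size=500):
    """Constructed population of a 500-person village (not real data).

    The modular rules exist only to hit the comment's proportions:
    about 50% male and about 10% aged 45-50.
    """
    people = []
    for i in range(size):
        slot = i % 20
        people.append({
            "id": i,
            "sex": "male" if i % 2 == 0 else "female",
            "age_band": "45-50" if slot < 2 else AGE_BANDS[(slot - 2) // 4],
            "cats": "multiple" if i % 9 == 0 else "none_or_one",
            "os": "linux" if i % 25 == 0 else "other",
        })
    return people


def _key(record, attrs):
    return tuple(record[a] for a in attrs)


def anonymity_set(records, target, attrs):
    """Records that cannot be told apart from `target` on `attrs`."""
    return [r for r in records if _key(r, attrs) == _key(target, attrs)]


def narrowing(records, target, attrs):
    """Anonymity-set size after each additional attribute is combined."""
    return [(tuple(attrs[:n]), len(anonymity_set(records, target, attrs[:n])))
            for n in range(1, len(attrs) + 1)]


def k_anonymity(records, attrs):
    """Size of the smallest group sharing the same values for `attrs`."""
    groups = Counter(_key(r, attrs) for r in records)
    return min(groups.values())


def singled_out(records, attrs):
    """Ids of people whose attribute combination is unique in the data set."""
    groups = Counter(_key(r, attrs) for r in records)
    return [r["id"] for r in records if groups[_key(r, attrs)] == 1]


if __name__ == "__main__":
    village = build_village()
    target = village[0]  # male, 45-50, multiple cats, Linux
    for attrs, size in narrowing(village, target, QUASI_IDENTIFIERS):
        print(f"{' + '.join(attrs):32} -> {size} candidate(s)")
    print("k over sex + age_band:", k_anonymity(village, ["sex", "age_band"]))
    print("people singled out by all four:",
          len(singled_out(village, QUASI_IDENTIFIERS)))
```

No single attribute here is an identifier and no cookie or account id is involved; the combination alone reduces 500 people to one.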
I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.
How would that even work? The browser has no way to know what a cookie is for.
They are regulating websites anyway, surely they can just invent some standard format to say what function each cookie has. How about requiring that the name of every cookie has to start with one of "Strictly Necessary", "Functional", "Performance", and "Targeting/Advertising"?
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
> Most of the harsher regulations only come into effect when the company hits a specific size.
That’s very market and country specific. Spain makes more than 1k tweaks to its food regulations each year, which would kill lots of restaurants if they were to be in compliance.
The result is that everyone tries to make as much money as they can and build an “inspection fund”, because you’re guaranteed to get a fine if inspected.
Why isn't #1 an import duty sales tax system instead and you need to declare the proper value as part of shipping, or the good is rejected / confiscated?
Actually, online shops that mail stuff to Australian customers who request them to do so don't have to collect or pay any sales tax. The Australian government might stomp their feet and declare otherwise, but they have no legal or jurisdictional authority to do so, nor any real means for enforcement.
This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.
> This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas
I disagree.
Imagine I ban health potions in my realm. I am running a Darwinistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup contest. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.
I have no idea what you're even trying to say here. Australia is welcome to try and confiscate goods that are mailed without paying sales tax, but we both know they lack the ability to actually execute that. And their ability to do anything about digital sales is basically non-existent.
So if I'm understanding your analogy correctly, the guards can't really do anything, so the merchant and the buyer will be the ones going about their business.
75,000 is very small for a business.
In fact, "too many" is the exact point at which it becomes excessive. :P
I think this is an excellent point. More is almost always worse, but if there is a genuine need for regulation it should be absolute.
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
If you want to do business in the EU, just follow the law.
You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Because hey, people can just decide to not buy drugs.
[Edit]: Typo
That’s not how the GDPR and cookie laws work at all
That’s how most news websites work in Europe: accept the cookies, or pay.
Yes, but opt-out tracking data which is not necessary for the operation of the primary use case of the app is not allowed.
It must be opt-in, truly a free choice, and informed consent, and declining must be as easy as accepting.
My search told me that unless you are a gatekeeper, offering a reasonably priced ad-free tier allows to make the ad-monetized version personalized only.
I think it makes sense. Either pay, or consent to effective ads. There's no free lunch
I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.
I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
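The behaviour described in the complaint above (third-party calls firing before any choice is made, continuing after a refusal, and going to recipients the privacy page never names) can be checked from a request capture. This is an added sketch, not part of the thread; the capture, host names and declared-recipient list are constructed, and the subdomain test is a simplification.

```python
FIRST_PARTY = "shop.example"                      # constructed site under audit
DECLARED_RECIPIENTS = {"analytics.example.net"}   # constructed: named on its privacy page

# Constructed capture: (ms since navigation start, event kind, value).
# A real one could be derived from a browser HAR export plus the time of the click.
CAPTURE = [
    (0,    "request", "shop.example"),
    (120,  "request", "cdn.shop.example"),
    (340,  "request", "analytics.example.net"),
    (410,  "request", "pixel.adnetwork.example"),
    (900,  "banner_shown", ""),
    (4200, "consent", "denied"),
    (4300, "request", "shop.example"),
    (4350, "request", "pixel.adnetwork.example"),
    (4400, "request", "tags.broker.example.org"),
]


def is_third_party(host, first_party):
    """Naive check: anything that is not the site or one of its subdomains.

    Simplification: a thorough audit compares registrable domains using the
    Public Suffix List instead of a plain suffix match.
    """
    host = host.lower().rstrip(".")
    return host != first_party and not host.endswith("." + first_party)


def audit(capture, first_party, declared):
    """Classify third-party requests against the visitor's consent state."""
    consent = None  # no recorded decision is treated as no consent
    before_decision, after_denial, contacted = set(), set(), set()
    for _ts, kind, value in sorted(capture, key=lambda event: event[0]):
        if kind == "consent":
            consent = value  # later events can also model a withdrawal
        elif kind == "request" and is_third_party(value, first_party):
            contacted.add(value)
            if consent is None:
                before_decision.add(value)
            elif consent == "denied":
                after_denial.add(value)
    return {
        "before_decision": sorted(before_decision),
        "after_denial": sorted(after_denial),
        "undeclared": sorted(contacted - set(declared)),
    }


if __name__ == "__main__":
    for finding, hosts in audit(CAPTURE, FIRST_PARTY, DECLARED_RECIPIENTS).items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```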
That cookie thing should be a browser's default.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
GDPR allows for essential cookies with no popup.
Implied consent is valid for most functionality, just not selling people's tracking data or giving it to a third party who could.
It's entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
No pop-ups on apple.com!
embedding youtube is enough to be non-cookiebanner-compliant??
Look at what YT loads in terms of tracking, when opening a page with an embedded YT video - even if you do not play that.
Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Audible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.
If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].
I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.
So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.
It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
That would be fine, if there was a law that forced every browser to have this setting and every company to respect the setting.
arguably if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably, it would still need to be adjudicated.
The browser setting already exists (DNT), so I don't know what you want to conclude.
My conclusion would be that under the current GDPR that if someone had the browser setting on, if a company did not respect that setting and kept private data, that they could be reported for GDPR violations and then the issue could be adjudicated, i.e that the courts would then decide if in fact GDPR violations occur by not following that browser setting.
Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, however as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".
In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality for non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
> GDPR that would seem to be dead in the water
I agree, and I don't like that.
If there were any companies that provided value for tracking people would turn on a track me header, but there are none. so I agree.
I mean I run Debian, and voluntarily enabled popularity-contest, so it's not like these examples don't exist.
Like Do Not Track?
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
Private browsing is equivalent to creating an ephemeral browser profile every time. It might get rid of more browser storage, but for how tracking works nowadays, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.
I'll admit I may have fallen for "private" browser marketing. Is this representative to current methods?
I assume a subset of these bits could be used, meaning the "unique" or not claim of this test probably doesn't reflect if you can be tracked. I also assume that a VPN would help tremendously.
For that test, as is, I get "unique" every refresh when using Brave Browser. With Safari and Chrome, I get a fail on subsequent sessions.
Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?
In Chrome and Firefox, all the private windows share a session that gets scrapped when you close them all. Safari keeps them separate.
> You can do this trivially in modern browsers: private browsing.
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google.”
--- end quote ---
I don't use browsers made by ad companies, because I fully expect that browser to stay out of the way of their revenue stream. There are many browsers out there that care about privacy.
Doesn't matter. Companies will keep tracking you in incognito mode.
Yeah idk why there's a law trying to poorly enforce this instead
Every regulation has some unforeseen consequences. Most of the time its impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.
> Every regulation has some unforeseen consequences.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time its impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
Realistically speaking, how much are people willing to pay for email, communications, cloud backups, social media? This is the hard question.
They already do as part of their internet subscription at home and data plans on mobile.
ISPs used to provide email addresses for people, and it was part of the cost.
Once they lobbied in "legitimate interest" as the exception to the opt-in requirement, the whole regulation de facto became a farce for the end user.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the "Decline Cookies" dialog under 3 layers of clicks". That's a proactive choice, that some software developer chose to implement.
I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.
Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".
Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".
That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.
It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.
Your moral integrity is tested, when your paycheck depends on it, not when it doesn't have repercussions to you.
I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.
He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.
Both understandable and good that you stood up to it!
Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.
It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.
I agree with everything you say, except
> Usually at that point they will find someone else
is not really something a lot of people can afford to risk
This is why I am glad to live in a country with comparatively good employee protections. In other countries, where people can be fired at will, this might be more problematic. But at least in this country, it would be a very clear cut case, if your employer asks you to do something illegal, that they will not be able to legally fire you. Of course you might have to go to court to get your right.
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"
Maybe you could still program a website. But you might not be able to do it professionally.
But yes, more people should tell other people that they won't do that.
Should contributing code to open source software require professional licensure?
As far as I know most (all?) open source and free software licenses include terms that explicitly state that there is no warranty. So I think maybe a license there wouldn't be required. It is an interesting question though.
But many people are paid by their companies to work on OSS.
Most commercial software doesn’t have a warranty either.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.
Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.
someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"
How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when one doesn't know.
Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.
> Business never respects anything, but profits
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
We had our underground parking and storage units broken into in our apartment building. And we couldn't see the CCTV camera, to be on a lookout for the thief and call cops. Only cops could see it. Thieves have higher protection than your property.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.
Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can also easily change some settings to stop persistent cookies. You can install privacy extensions like Ghostery to block beacons. You can use features like iCloud Private Relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.
Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities, simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in this case ends up completely unprepared and unprotected.
Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.
If you want to use data that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask me. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO's my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for weight loss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companies need to rot in hell, but that is my take. I want people to be protected. From business, from government. That is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.
And by that they are actually in violation of GDPR. But hey - since when was Musk interested in following regulations? And since when has a governmental or supra-governmental entity been able to curb that tendency of the super rich and biggest corporations?
Like with Meta: They know they make 7 billion annually from serving 15 billion scam ads daily. They calculated that they will at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.
So it is a clear business decision to go on showing 15 billion+ scam ads per day to their "users". There were some interesting journalistic pieces on that a few days ago.
And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.
> Ads are passing session data on the URLs instead
At which point it also counts as PII and is subject to the GDPR rules.
Why not accept and let cookie autodelete delete it after closing the site?
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
I think we better remove the problem itself than come up with more and more ways to mitigate it.
It's not just about cookies but any kind of tracking, including fingerprinting.
The problem is paternalism and assuming the user is too dumb to take control of their privacy preferences.
The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU
Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.
In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.
GDPR is not a cookie regulation it is a tracking regulation.
It's broader, it's about users data. For example, you can store my address so you can send the item I ordered to me. You can't, without permission, use that to send me marketing stuff.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have.
There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back.
The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bent the regulation requirements just enough without breaking them.
The banner isn't required. They could just not do the things the banner would ask consent for.
People don't know whether they are or are not doing things that require consent under the law. That's because, if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs. Notably missing from that list is "lawyers who can be bothered to research the question".
People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obvious to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.
> if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs.
Those are the people who should know best what is meant by "ask visitors for consent before you track them.".
Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possible without breaking the law."
You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.
> People don't know whether they are or are not doing things that require consent under the law.
This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.
Is that what really happens though? EU countries usually don't immediately punish violations unless they're particularly egregious. You're more likely to get a warning and a grace period to meet the requirements. So the rational approach would be to not bother with consent banners, GDPR and whatnot until you attract the attention of the regulators, at which point you should definitely hire a legal team that can tell you what exactly you need to do to comply.
"Just sign the contract, we'll never use that clause!"
Any company that can hire teams of software developers can afford to hire a lawyer to tell them whether they need to irritate all their customers. And frankly, they'd be dumb not to hire a lawyer if they think they need some legal cover to determine whether that cover is sufficient.
Good god. I certainly wasn't suggesting this situation would be improved by software teams hiring lawyers to advise on their software! You appear to have completely lost perspective.
You think a company worried that they have a legal issue should just ask the programmers and ui designers to sort it out? Or that programmers who think the company has a legal issue should take it upon themselves to come up with a feature that they think addresses it without consulting legal?
> I get that too many regulations is a bad thing
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.
Nothing is ever black and white.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.
What a funny comment. “You see, you just don’t understand trade-offs, here let me explain to you…”
And when they use our data to profit, we don't get a royalty cut.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
And that's probably the same for 99% of websites.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
> It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
Selling drugs causes harm.
Targeting political ads? Debatable - whether AI is somehow involved or not.
I would consider making people vote for a criminal dictator to be more harmful than selling drugs, the former is destroying way more lives than the latter. And I am someone who would vote for more enforcement and regulation of bans on drugs.
No matter your political opinions, the ability to target political advertisements hardly seems like the nightmare you all act like it was.
Multiple people keep talking about selling hard drugs in the comments. Seems a tad dramatic.
that's just a shallow and one-sided argument that never respects the other side of the coin
It's also true.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
what do you mean illegal???
tell that to the Ads advertising business that is bringing in billions every year, and it's legal btw
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Nobody like it in the same way that nobody likes paying for groceries or gas. Wouldn't it be great if they were free??
Of course it'd be awesome if the world had no ads, but most people prefer free with ads to paid without ads.
Uh, no, not in the same way. You have absolutely zero proof that you NEED to fuck users up the ass to make the service work.
Many services worked without the ass fucking. We did it for a very long time.
> but most people prefer free with ads to paid without ads.
No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.
Things like GDPR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GDPR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want right?
Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!
Okay. So would you prefer to pay a subscription for every site you use or pay with your eyeballs by looking at ads?
this is a false dichotomy. You don't need to track your users to show ads.
Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).
Imagine if grocery stores had someone standing at the front asking if you'd like to pay for your groceries or opt-out. Of course most people would opt-out, because that's what's best for them individually. But they probably won't love it when the grocery store closes...
so by what you're saying, you want people to not be able to earn a livelihood?????
for some people, and I mean some people in this entire industry that are working with it directly and indirectly, this is the only way to earn a living, and you're saying these people can't do that????
"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."
well. you are free to choose not to?????? what are we even doing here? life is about choice and you are free to not sign up service that scummy
it's literally a totally different case that's worth another article/post
> this is the only way to earn a living for them
Who are those people who literally can't earn a living in any way other than working on personalized ads?
So, so many glaring problems here:
1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.
2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.
If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice "not sign up service that scummy", THEN they must know if the service is scummy. Necessarily!
You are literally agreeing with me!
You are making it like they are doing human crime level Hitler or some shit
No, the competing solution/alternative is not better
if there are better ways to do this, it would be born already
Which is why shrinkflation always fails right?
In a free market, consumers will pick the better option right? The one where they don't pay more for less?
Right?
> if there are better ways to do this, it would be born already
That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.
They should feel ashamed for collecting your personal data in the first place.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.
Perhaps if you had some engineers write the laws they’d work better
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
no.
even including a font from a different host is not allowed under the GDPR because you are leaking the user's IP to that host.
you are poorly informed on this topic.
But the different host IS tracking because that's how they make money from serving "free" fonts. So if what you're saying is true, that's exactly how it should be. When I go to a website I don't want others involved.
We used to use Subway's proprietary font. We never needed to call a server for that.
Maybe don't build stuff in such a dumb and lazy way?
Everything that happens under Ursula von der Leyen leaves a bitter taste.
There are lots of uses for cookies that have absolutely nothing to do with collecting data about you.
And you don't need user consent for most of those cookies.
That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
> a place that follows a different approach than "break it to make it" mad dash
You don't have to convince me of the foolishness of mad dashes. Or the emptiness of consumerist culture. But is the EU not consumerist? Does it even have any viable or good ideas about alternatives? Without consumerism, the modern world doesn't know what to do with itself. It has no other modus vivendi. Consumption is all it knows.
> a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in.
Sounds great, and I do not contest these as aspirations. And economies are supposed to serve the objective good of human beings. But is the EU on the path of greater cultural richness, or one of cultural decadence?
> If there is a good set of regulations in place. And that is where EU is not consistent
Bingo. What is good regulation, not as just an expression of principle and aspiration, but as a matter of practicality and prudence in the given circumstances?
It also takes more than good regulation as well. You have to ask: what does it take - and that's possible within morally licit limits - to encourage a richer culture, a culture that is also more conducive to health, and a tech industry that serves the human good? Is the EU succeeding, or merely stagnating and reacting defensively (for better or worse) to the changing conditions of the world?
Some things are only possible in vibrant economies, and where tech is concerned, the EU is not exactly vibrant.
I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic powerhouses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.
Indeed, and I'm not blaming GDPR for all of the EU's problems, or even blaming it for anything specifically. I was entertaining a plausible rationale for a particular case and using this as an occasion to pose a more general question about the EU's effectiveness in balancing various concerns when regulating.
I wish we standardized on Do Not Track headers. Cookie banners are a plague. Thanks Europe.
There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Thanks Google.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I very much doubt that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was more challenged and brought in front of the courts. And not just wrist slaps dished out. Such practices need to have business-threatening punishments attached to them.
I'm sure that happens in some cases. But the EU is building a reputation for handing out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.
I think I should be able to collect whatever publicly available data I can find.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (they just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site.
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
The "hacker spirit" is dying.
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We will be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
>The "hacker spirit" is dying
This is the number one issue in computing today. Everybody's running around trying to get rich building shitty extensions and frameworks without looking at the bigger picture. We need collective action. Imagine a movement where everybody becomes militant about adblockers. Like install them on every computer and deflate the advertising industry. Smarter people than me can probably think of better ideas.
Right now it's death by 1000 cuts. There needs to be a big change or we could lose everything in just 20-30 years in my opinion.
I might get worried when mainstream computers won't be able to run Linux. Until then.. I'm not worried.
Seems there are efforts to bring openness to platforms that inherently have an interest to resist it and while the progress is slow.. there is progress
> we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick".
Doesn't that describe SV in general, and big tech in particular?
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there is a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
This sounds too much like a 'good old days' argument, which is actually in the HN guidelines (something like, 'don't say HN is becoming Reddit').
No. It's reflecting on an overall culture that embraces taking chances. Even if 50% of those chances lead to failure it still beats the paralyzing fear of moving forward.
As a hacker, I don't care about cookies or what the EU thinks about them. Disable them if you really care. Or at least use a browser that blocks 3P cookies (not Chrome).
People still insist on using a browser built by a company that makes money off of ads and act surprised when said company purposefully compromises their privacy and data on said browser.
> As a hacker, I don't care about cookies
Well I care about privacy. And so should anybody with an ounce of common sense.
What about when the lack of cookies makes everything break and you cannot work around it because it's too much JS to reverse-engineer, and/or it's a copyright-felony in your country to develop workarounds?
"I'll use my l33t hacker skillz to avoid it on my own" is a losing strategy in the long run.
A similar thing happens with the proliferation of cameras and license-plate readers.
You can keep them enabled and clear at end of session. I'm not saying this makes you untrackable; that is a losing strategy due to all the non-cookie tracking, but also the cookie popup isn't helping there.
As this is the message board of a VC fund it's not that surprising that it doesn't only attract hackers in the original sense?
Hackers should know the government is never on your side.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
In addition, hackers should know government is inevitable. Even in anarchy, governments spontaneously begin to form.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
That may be one of them, but there isn't a singular anarchist school of thought.
> there isn't a singular anarchist school of thought
Would be oxymoronic if there were one.
Isn’t that like saying there must be as many universes as theoretical physicists can think up? Slight maybe but it could also just be one.
> Isn’t that like saying there must be as many universes as theoretical physicists can think up?
Schools of thought are theories. It’s saying there can be as many theoretical universes as theoretical physicists can think up.
This is true for any social construct, of course. But anarchy’s nature means you get less alignment.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
The thing that anarchists have a problem with is hierarchy, of which states are a manifestation. Most anarchists aren't just "okay" with some kind of government, but believe it to be necessary.
I guess I can see how it might work in a single person's life or small group, but on a large scale doomed to failure because the neighboring country/city-state/etc will be organized, with an organized army. That group will eventually desire something the anarchist community has and will destroy it.
That is indeed the sticky question, but, again, anarchists aren't opposed to organizing either, even at scale - only that such organizing should be fundamentally egalitarian, not forced.
You can argue that hierarchical organization is fundamentally more efficient, but by the same logic authoritarian governments ought to always outcompete democracies militarily, yet it's clearly not as simple as that.
One could also argue that in a world where anarchist modes of organization are the norm, an attempt by some group to organize for the purpose of conquering neighbors would be treated as a fundamental threat by basically all other groups and treated as an imminent threat that warrants legitimate community self-defense. Of course, then the question is how you get to that state of affairs from the world of nation-states.
I don't have answers to these questions, but it should also be noted that it's not a binary. Look at Rojava for an example of a society that, while not anarchist, is much closer to that, yet has shown itself quite capable of organizing specifically for the purpose of war (they were largely responsible for crushing ISIS, and are still holding against Turkey).
An entity that invents rules that are not enforced by anybody is a useless waste of energy.
Nozick's libertarianism is not really an anarchist school of thought.
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
oh no, the dreaded "it's complicated" counter-argument!
making it complex helps nobody - everyone has to have a default
and default of "do not trust the glowies. EVER" is the better one
No, the naive position is to assume that the state is on your side because you occasionally gain something from it.
The reasonable position is that the state exists to propagate and protect itself, which is made up of its citizens, you included. This is just like any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
> But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
Not really. The goal is to prevent people from being unhappy enough that they revolt. But so long as that is not a real possibility, the company - or the state - is quite willing to make the population less happy if that means more productivity that can be extracted.
The example you gave - free education - is precisely about that. The point of schools is not to make the people happy, it's to make the people productive. But, also, ideally to brainwash them into being "good citizens" (meaning compliant and not causing problems). It can even mean "happy", but that is not necessarily the desirable state of affairs from the citizens' perspective, either - e.g. in USSR under Stalin, the cult of personality was strong enough that many people were genuinely happy to participate in it, and genuinely sad when the guy finally died; but it wasn't actually good for them!
No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
The reasonable position then is to demand governance that is actually in the interests of those governed. And one can reasonably argue that the resulting entity is not a state.
> No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
Beliefs like that are self-fulfilling prophecies. People who believe in that often give up trying to influence the state and exclude themselves from its interests. If too many people do that, the state will not care about them.
There is a trade-off based on the size of the state. Small states are easier to influence and more likely care about their citizens. Politicians stay more in touch with other citizens, and the average citizen is more likely to know some politicians in their everyday life. But small states often make amateurish mistakes, because they are governed by amateurs without access to sufficient expertise on various topics.
Large states have an easier time finding the expertise they need. But they tend to develop a political class out of touch with ordinary citizens. Political leaders become powerful and important people who mostly associate with other elites.
I believe the ideal size of a state is in single-digit millions, or maybe up to 10 or 20 million. Like most European countries and US states.
If you were to put a name on your ideological position, what would it be?
It can't be liberalism, since that tradition considers the state separate from society, and the state's purpose to provide liberty to the latter.
Communists of the 'tankie' variety (i.e. 'authoritarian' rather than 'libertarian' or anarchist) believe the state is or ought to be made up of its citizens, but they are aiming for scientific industrial administration and would never describe the state as an organism.
The tendency that does describe the state in that way, is fascism.
If the state inherently wanted all that for its citizens, why have people formed unions and militant organisations and struggled to achieve things like common education and so on?
"Hackers should understand governments are complex, dynamic and occasionally chaotic systems"
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
Growth hackers aim for regulatory capture.
In a democracy, the government is its citizen. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
A government or president can definitely be against its voters' interests.
Then that president should not be re-elected. Or it's the voters' fault.
So the people should talk to their representative. A government becomes authoritarian not only because of an authoritarian leader, but also because of the enablers, people like the spineless Mike Johnson.
The people who voted for him are very happy with what he does and that's why they vote for him again. They voted 75% for Trump.
They don't want what you or I want.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client AI push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come.
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a faustian bargain.
That is absolute nonsense.
At minimum, government will be useful as defence against worse government.
I know that some anarchists had a dream of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
Government != state.
And the enemy of your enemy is not your friend. It can be a temporary ally, but you always have to be wary of it becoming strong enough because you can become its enemy tomorrow.
Couldn’t agree more.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also a weird (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetoric that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alleyway we once had.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
It made me feel kinda sad for a few days.
Some of that is attributable to raw inflow/outflow differences, where newer cohorts are bigger and therefore the blend would shift even if no oldsters ever left.
It always had a lot of that, I would say 2-3% of articles were about SEO in the early days of HN. It was never slashdot.
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much more left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular (VR, Autonomous Driving, LLM) and people are first to be luddites come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lies on personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tangible benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
> A future where everyone has a personal computer was exciting and seemed strictly beneficial
I like to frame it in terms of capital goods, even if I didn't think of it at that time: The personal computer's promise was that everyone would own their own digital foundry and factory, creating value for them, controlled by them, and operating according to their own best interests.
Nowadays, you're just renting whatever-it-is from BigCorp, with massive lock-in. A tool for enacting other people's decisions at you.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy to Civilization is to maximise freedom for anyone. As freedom enables enlightenment and enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And provide an economic system where risks can be taken, enabled by a social net (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
This isn't actually unusual in the grand scheme of things, just at the moment. "Libertarian" was originally a word that anarchists came up with to describe themselves for a good reason. Lysander Spooner is famous in right-wing libertarian circles, but the guy also promoted mutualism and was a member of the First International. Today, what you describe goes under the label of "libertarian free-market socialism".
Regarding regulation, I do have to note that in many cases when you try to root-cause corporate power, it turns out that it hinges on active government regulation in practice. For example, consider the fundamentals of capitalism, namely, accumulation of capital. Why do we get those huge monopolies in the first place? Well, because more capital means more ways to generate wealth (or, more precisely, to appropriate wealth generated by your workers), which can be invested into more capital etc - there is a natural positive feedback loop here. So at a first glance it feels like you need government to actively do something to prevent companies from becoming too large. But consider: what does it mean for a company to own something? It's not a person, so it can't really have physical possession of things. It's all abstract property rights, and the only reason why that works is because the society as a whole acknowledges those rights as legitimate, and, crucially, because there is a state providing infrastructure (police, courts etc) to enforce them. Now imagine what would happen if, for example, the state simply refused to acknowledge property rights past a certain limit and simply wouldn't enforce them on behalf of the property owners.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
That's getting pretty hard these days. I did a query on Clickhouse and this year a full 1% of all comments on this site mention Trump.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families' lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
Precisely this. Cool detachment or disinterested curiosity around political events is the privilege of those comfortable enough to believe current politics won't affect them. These same people are also usually ultimately responsible for the apathy/failure to act and stop meaningful regime change before it's too late.
I'd love to live in a world where one can neatly compartmentalize reality and view life-altering political shifts with "a lens of curiosity", but that isn't how the world works.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the meantime, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
You might have convinced 2 people to install Signal, but the real test is whether they will still be using it a year from now. My own experience from going Signal-first for a while was that it doesn't stick for most.
Social connections can be a large sacrifice.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
Facebook is still running strong on Marketplace and Groups. They have almost no competition on those.
....and I don't care because I don't use either of those. All the network effects in the world mean nothing if that network has no value to me.
Yes, but then it's about you.
A significant portion of society is using Facebook marketplace and group so it won't die with "grandma".
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didn't the judge rule literally yesterday that this wasn't illegal? This was one of Lina Khan's signature lawsuits, and the judge didn't agree with even a single one of FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power don't want any monopoly laws, then there won't be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
Where can I read more about this? Quick search turns up nothing for me
It is actually a monumental case ruling, and for some reason it wasn't reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta)
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
> The very premise that Meta didn't face meaningful competition from TikTok was a farce.
The original claim was centered around the timeline of purchasing Instagram and Whatsapp. TikTok came much, much later.
If this is true, the case then becomes "Meta was a monopoly from start_date-tiktok_date" which isn't a very meaningful claim since they are not arguing it is a monopoly to be broken up.
Anyways, I disagree - this is not the case. If you read the filings and their slides, the FTC argues Meta is a monopoly in the personal networking space.
They essentially carve a market out of thin air to selectively exclude Snapchat, TikTok, and Shorts. The judge has understandably called this for what it is.
It was a phenomenally poorly litigated case, most experts at the time doubted it would succeed, but it did wonders for Lina Khan's popularity. Seems to have served her well with NYC and all.
Just to be clear, when you say Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
This is a proposal from the EC. Whether the EU accepts it is not clear.
Yeah I really hope they don't. It's ridiculous to throw out all the great work they've been doing.
Nothing's been officially published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
It is good to stress this, most people don't know how the EU works, Europeans included.
> What I really want to see is Meta getting irrelevant ON MERIT.
Me too. But losing on merit requires an (at least somewhat) fair marketplace.
> What I really want to see is Meta getting irrelevant ON MERIT.
Why? Is META relevant only on merit?
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views is not equal - in the sense that there isn't an equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
I would strongly encourage everyone to read HN with `showdead` enabled (it's in your profile page). There aren't actually all that many downvoted comments, and while most are low-level trolling, even with `showdead` you see them at the end of the parent thread and they are greyed out, so it's not all that distracting. But being able to see some of the things that get downvoted / killed unjustly (and then vouch & upvote them) is how you get a better HN.
You can upvote dead comments? I can't; maybe you need to have some amount of karma.
You can "vouch" for them, which makes them non-dead (and upvotable again). But, yes, it does have some karma limit - I'm not sure if the specifics are documented anywhere, the FAQ just says "small karma threshold".
Yeah, you can sense how strong libertarianism is in the US.
Europeans here steer more in the "we can, but should we?" category, while Americans are in the "move fast and break things" category.
I literally see upvotes during the day (Europe) and then downvotes during the night. Mostly. But the trend is there.
I think there is plenty of diversity of comments, substantially less diversity in voting and flagging.
You can say lots of things, many that go against the hive mind will just get you more or less instantly grayed or even flagged
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
To many (especially younger) people, giving up Meta products would make them a social outcast.
Some industries naturally tend towards monopolies. In social networks, this effect is very strong.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that people who are temporarily embarrassed monopolists have these views.
Look at what happened to iRobot vs. Roborock though.
can someone explain what happened? how is it relevant to EU laws?
I live in EU. I am totally in support to force Meta down through government's big stick.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
If you support them (I do, they do great work), please set up a yearly subscription. Predictable revenue is very valuable for organizations.
Do we have anything like this in the U.S.?
Yeah, seconded, and I also live in the EU.
I'm a hacker type and generally extremely (left) libertarian. But when it comes to megacorps, I have basically zero sympathy. When they are big enough to rival nation-states in economic and political power, they can't complain when said nation-states start to notice.
(I would still prefer the world without either, though.)
Yeah, I think states need to realize that entities as large as them become their competitors. Now we have entities way larger than them.
I wonder what kind of people downvote you. They must have interesting priorities.
The thing is that it didn't work for that objective. It didn't seem to have any meaningful impact at all on the Metas and Googles out there. They control the user base and people depend on their products, it was trivial for them to get full consent like they've always done with their Terms & Conditions.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
So what is it like working at Meta?
Can contract killers become irrelevant on merit, or does it take government intervention?
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. TikTok took off with ByteDance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
Meta's only merit is having a lot of users and keeping them hooked at any cost.
It might surprise you, but success is not always rooted in having done great things for the world
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> ...more about protecting European ad firms, many of which are even shadier than big tech.
Well yeah, the GDPR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major companies website I visit. An option that was near non-existent before GDPR.
That wasn't even the GDPR and it did even less for user privacy.
what was it then? why it did less for user privacy?
What the law wanted: putting regulatory friction on tracking cookies by requiring collecting consent will make sites do less tracking.
What the law did: endless cookie banners.
What the law wanted: ending the torrent of people's inboxes filling with ads.
What the law did: nothing because they caved to the industry and let people send ads anyway. actual spammers never followed the law anyway and real companies who ship ads weren't at all burdened by an existing customer relationship requirement.
What the law wanted: companies will stop keeping your personal information on their servers forever.
What the law did: nothing because they again caved to the industry and it just got added to the cookie banner consent screen or the company just said they kept the data for "value add" services like personalization.
The 180 does not surprise me at all. GDPR and associated laws are a perfect example of the old 'Good intentions, unintended consequences'-pattern we see in laws all the time.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - a European - go from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufacturers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time until even Brussels remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
can you please explain the driving licenses part?
I'm not as miffed about that as others, but in Germany, licenses used to be forever (unless you yourself gave it back OR there was a court order, e.g. for a traffic-related crime). Enter the EU, and now licenses come with a renewal date, which is considered mostly a cash grab as you now have to buy a new copy every few years.
A few weeks ago, there even was an attempt to have air-traffic-style medicals beginning at 60, which, in a society that becomes both older AND worse at public transit, was highly unpopular.
You may think that's a little thing. The issue is: these little things compound. And every time they come around the corner with a new regulatory clown act, people remember ... when light bulbs were a few cents instead of the energy-saving 10-euro new bulbs mandated by Brussels ... when we were forbidden to have powerful vacuum cleaners or showerheads (yes, the new ones are not really worse, but they sound worse), ... and a hundred other little annoyances.
Not to mention that national governments like to blame Brussels for stuff they wanted, but which were highly unpopular. "Unfortunately, we cannot do anything, it was an EU decision (which we openly supported)".
And eventually, people become eurocritic. Which is one of the reasons why people start to vote for right-wing, eurocritic to anti-EU parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
?? He bought instagram in 2012 when it was tiny. They all moved in 2016.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
What about hp, dell, ibm, compaq, sun? Companies are temporary.
> Users dropped from Facebook like flies and moved to Instagram.
Even worse, bought WhatsApp.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
I like what Kagi does which is just using the nuclear option of "Look - if you fill your website with crap we're not going to index you"
That said, Google stripped away +must +include +terms from their searches so I do blame them some and not just SEO
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
So “smart rules” only means “more rules”?
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because users' data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GDPR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice, that is the core of a free market. It might seem counterintuitive, but regulation that protects consumer choice actually bolsters the free market, not impedes it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
The answer is to force them to adhere to rules. Not to loosen the rules.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
I'm not sure.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation."
Easy to not play the card game, by only collecting the data needed for your service.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.
I keep hearing that, but do we actually have stories about small European companies being ruined?
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.
The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.
I totally agree with this view!
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?
I've spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.
IP addresses are PII. This has long been determined.
This is a perfect example of uncertainty causing compliance overhead.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address....
> Untrue. IP is a category of PII but it's not PII in itself unless you're a law enforcement.
> Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so.
> More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
They are of course, like everything else context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tags manager to have a flag to not even send an IP address to the backend.
> They are of course, like everything else context-dependent legitimate interest,
Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)
I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
Then you probably need Datenverarbeitungsauftraege with that third-party company, which define precise purpose of processing the data. Data collection and processing is purpose bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.
(not a lawyer, but this is my understanding)
> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google fonts. To use them a website has to ask for consent from the user first. This can be done in a consent asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google fonts. As a company host web fonts yourself, or don't use them.
> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
That I cannot answer, or have not thought about in sufficient depth.
> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
I agree in theory but in practise, this just results in even more regulations. There are very few or no real world examples of stricter regulations being written in clearer terms. The reasons are numerous, but a big one is that people often have a financial incentive to circumvent these regulations. They attack the edge cases and the ambiguity between each word. If the regulations are not written sufficiently prescriptively, courts are swamped with cases and eventually a precedent is set which nullifies much or most of the intended purpose of the regulations. So regulators go to painstaking lengths to write clear and verbose regulations, but ensuring compliance with tens of thousands of pages of regulations is expensive, and this results in an economies of scale barrier for small businesses.
There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.
Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
> Ultimately this means fewer regulations generally are good for startups - and larger businesses.
Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.
I think that when I wrote that fewer regulations help small businesses, but that there are costs for this, you read, "all regulations are bad and I think they should all be removed." Since you didn't read my whole comment, I'm going to paste the important sentence again now:
> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
The real issue with regulation isn’t the rules themselves; it’s who ends up writing them. And it’s almost always one of two groups:
Politicians, who usually aren’t experts in the field.
Industry leaders, who have every incentive to make the rules tougher for everyone.
Small company and business should be treated differently than big corp. And the fine and punishment should be adjusted accordingly.
While I generally agree, just differentiating the fines is not sufficient.
Small businesses in particular do not have staff or the capacity to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR would be less vague on the rules surrounding typically collected data.
At this point I think it's utopic. Meta has an army of lawyers, they will optimize and adapt.
But it's really hard to tinker as a single hacker when a German legal troll firm can come for you for linking Google fonts on your web page (i.e. transferring IPs so breaching privacy)
European startups will not profit if this deregulation goes through. US and Chinese corporations will.
While everyone talks about sovereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered.
Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle.
They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I've worked for startups and established industry giants and being compliant with GDPR did not stifle us in any way at all. It's really not that hard unless the business model depends on profiting off of user data. No good will come from this for the EU.
[deleted]
There is no certification to pass or anything. You just have to keep it in mind when creating your business. It's too easy to just abuse data and then claim that it's too late to fix.
I've been through several startups after GDPR went into effect, it's really not a problem.
I keep hearing this argument that it stifles small businesses, but how is that exactly? I've worked for a variety of small startups in NL and GDPR has never, not once, been a real issue or blocker.
Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.
Browser level consent primitives would be a significant improvement on the status quo.
I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I do want to often don't store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners").
While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
Do Not Track was a spectacular failure.
You can still turn cookies off in your user agent though.
It was a spectacular failure because the people who thought of it didn't stick to it.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
But they weren't prepped to take action yet.
Microsoft made the user expressed intent and the user expressed no opinion look the same.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
Microsoft made the default be, well, the default preference - what most users would set this setting to if they had to look. That's a good and sensible default.
The only reason why the advertisers were so unhappy about it is because what they do is neither good nor sensible by most people's standards.
I'm sorry but the word is "consent" not "intent" and that's literally how consent works.
If I (a complete stranger to you) walk up to you and kiss you on the lips, it doesn't make a difference whether you're wearing a t-shirt informing everyone you don't want strangers to kiss you on the lips or not - I don't have any basis on which I can presume to have obtained your consent so I'd still be violating your rights.
This is very much a "tech bros don't understand consent" case: if you do something without consent, you better have a damn good reason other than "but it's good for meeee" (or "good for my bottom line"). "My business model depends on it" also isn't a good justification - there are plenty of business models that depend on things that are unquestionably illegal, we just refer to them as "criminal enterprises" rather than "disruptive startups".
DNT headers are equivalent to those email signatures that pretend to be a legal document. You're just spamming the server with extra crap that does nothing and means nothing.
Actually it's worse, DNT headers are like posting a wall of text on facebook saying you do not consent to them using your images or posts for some purpose.
Track doesn't have a consistent definition across contexts, to regulate this you would have to fix it to something - what are your suggestions? DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
If you have a better write on regulation let's hear it.
DNT headers are not by themselves legally binding. However they can rightfully be considered an indication of a user's preferences (kind of like how the OS language settings can be an indication of what language a user wants a website to use).
What most people miss about the GDPR is that most of it (as well as the ePrivacy Directive covering more technical aspects like cookies) really only exists because of the one big thing at its core most people are either not aware of or intentionally omitting:
The GDPR establishes a user's right to ownership and control of their personally identifiable information as an inalienable and irrevocable fundamental human right. This is what makes all the rest of it necessary: it's not about "cookie banners", it's about requiring others to obtain consent for what they want to do with that information; it's not about writing "privacy policies", it's about explaining what you do with that information and how you guarantee their rights are respected by you and disclosing who you're passing it on to and how you're ensuring they too respect those rights.
The alternative to consent dialogs (whether as "pop-ups" or via confirmations when prompting for relevant information) would be requiring every website to have a written contract with each user. Consent is only valid if it is demonstrably informed (and non-coerced but that's a different story) and it must be specific and revocable. You can't have users blanket opt-in to everything you'd like - they wouldn't even know what consent they'd need to withdraw later if they reconsider.
By the way, courts recently seem to have started ruling that the way many AIs work the companies training them are in violation of copyright laws by using intellectual property as training data without permission and in order for contracts to be legally binding, anything given by one party has to be given consideration by the other (i.e. anything of value given by one party has to be balanced out with something of value given by the other party) - so I wouldn't be too quick to ridicule the idea that using Facebook means Facebook can do with your data whatever its terms of service say they can do, even if posting on Facebook can probably not be considered an effective way of informing Meta about your disagreement.
And, they could have been made legally binding. The EU established a precedent of requiring consent for tracking afterwards after the ship had sailed on this technology.
The only thing required to make a signal like that legally binding is the power of law. It just wasn't there for DNT.
> DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
Or it will take one clear message from the regulators saying they're equivalent.
What actual innovation is stifled by data protection laws? What small business is unable to operate because of the GDPR?
Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe.
> I don't see anything about GDPR that would harm innovation or long-term success for Europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
So either you're lying or your lawyers are lying to you.
In 9 years you could've finally read and understood the rather small law yourself.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
> What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
It's not a lawyer's job to answer that question because the answer is necessarily "yes" unless you intentionally did the illegal thing (i.e. intentionally did what the law explicitly tells you not to do) - and even then you might be able to defend it somehow.
The question is whether you have a good enough case for a ruling in your favor. And again, lawyers can't answer that because the question is always "it depends" - they're not in the business of fortune telling.
If you ask a lawyer for legal advice, it's their job to give you sufficiently good and accurate enough advice that if you tried to sue them over giving you bad or inaccurate advice they'd have a good enough chance of winning that lawsuit. How much they're willing to speculate about things like what's good enough for you and how high they'll set the bar depends on a variety of factors again.
There's literally no guarantee you can successfully defend something in front of a judge. The law is the law and the facts are the facts. If you end up in court, it helps if you have solid paperwork and a solid papertrail you can use to demonstrate you did everything correctly and in good faith - this is about creating facts that can be used to your advantage.
But the amount of expense required to do literally everything perfectly to the letter of the law and reliably document that you did so would make running a profitable operation impossible regardless of what laws we're talking about, so you necessarily have to strike a balance. And where you strike that balance is a business decision because it's about managing the risk of doing business. And that's not something your lawyer can decide for you - that's something you have to decide for yourself if you run the business. Because at the end of the day it's about your personal liability - whether through financial risk if your business is held liable or direct liability if you get personally held liable for your actions.
But this is not legal advice, I'm not a lawyer. I just know enough about (EU privacy and general German) law to be dangerous and accidentally trick actual lawyers into thinking I have a law degree.
By the way, that's also where that line comes from: it's saying "you can't hold me liable for decisions you make based on what I told you" - even when what a lawyer says is perfectly reasonable and sound to them they'll likely tell you it's "not legal advice" unless you are willing to pay the price tag of being able to hold them liable for what they said.
Before you get to a judge you will get plenty of warnings and ample time to fix whatever it is you're doing wrong.
For the absolute vast majority of companies GDPR compliance is trivial.
For the absolute vast majority of remaining companies GDPR compliance is simple.
There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).
I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy
No wonder you have "trouble complying with GDPR".
I never said we were having trouble complying. I said it cost time and money.
It costs money not earned by illegal selling of people's personal data, indeed.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
It's not just cookies and websites, it's any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Schrems? - if you think that this legislation is easy to comply with why did all of that happen? The EU can't even agree with itself on how to interpret its own law or what it does.
How the hell do you expect everyone else to?
Ughhh here we go again.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various Schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
As with many laws people think it's what it is sold as.
There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.
It's not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:
Read it all, and tell me it's simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?
Imagine you're tasked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.
So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.
You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.
So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That was even less persuasive than I expected. BRB, gonna go tell Open Office and KDE they don't exist because Europe can't create software.
> I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
I've implemented it like a half-dozen times. Why do you think I'm so confident? It's truly not very difficult, particularly if you don't have to retrofit some hell-app that uses a billion cookies. For the most part, collecting PII is already a liability and you don't want to do this anyway outside of critical information (e.g., email).
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own governments running on non US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwards.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Etc. Etc.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
Literally everything.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared de facto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Yes, using USA based services with user data is against GDPR.
But sorry, saying "literally everything" is a gross exaggeration. Debugging a program with the help of ChatGPT is not using user data. Editing a logo is not using user data. Storing code on a web platform is not using user data. And others...
And even then, for some of the services (like mail, communication, erp, etc.) there are alternative companies in Europe that work just fine.
I think GDPR is not perfect, but I do welcome measures to prevent over-collection of data by whomever.
> If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation
There are only two possible interpretations of this sentence:
1. You have just confessed to a crime. Do your engineers store user data in Notion?
2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.
> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"
Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them. Doesn’t help to undermine my point that this has become a topic of religious dogma here.
No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).
So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
> Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them
You think yourself more important than you really are. I've replied to many comments in this discussion, and three of them, I think, happened to be yours. Two of them happened in the same thread. This one.
> No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion
Ah yes. Where good faith is "GDPR is bad because welfare state and US intelligence"?
> So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
So, good faith and non-circular arguments are assigning words to opponents and trying to make them argue something they never said, apparently.
Imagine if anti-GDPR crowd actually argued in good faith. I can't. Because of behaviour like this.
> However, this generation is beginning to learn
"This generation" lol. I'm 45.
What I'm learning is that this generation will find a way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".
None of this is really true, though (except the paper straw thing which... obviously)
> Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Governments have deficit spending because we subsidize private inefficiency at a social level and refuse to run them efficiently. It's insisting on letting private entities run things that is clearly not working.
> clearer safe harbors for small actors
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
Not different rules for different people.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
This is different for different people said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
Corporations are not people. This is not different rules for different people.
In the traditionally implied sense of different rules for different social classes.
Because quantity is a quality of its own.
Because their conditions and abilities are different.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens?
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
> Different rules for different people huh?
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
[deleted]
Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I wish you were right though.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - i.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
> Different rules for different people huh?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Why did you use an LLM to write a comment?
In my case it is rarely that I use LLM to write comments but rather I frequently use an LLM on my finished comment to fix things I miss as a non native speaker.
The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.
But yes, it is possible to be very much human but also trigger certain people's AI detectors.
What makes you think it's LLM generated?
colons and directional quotation marks scare folks who don't know how to use them properly
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
The structure of what it wrote, and the banality of the point.
The double quotes perhaps?
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
HAHAHAHA good joke. Oh wait. You're serious. Oh god please no.
We're already at the point where lawyers are submitting AI-generated videos as court evidence, so...
We really should be at the point where those are former lawyers.
But 60% of the time, it works every time.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Finally!
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
Those “cookie banners” are nonsense aimed at getting this outcome.
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services.
[...] we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.
When I open this link I'm greeted with the cookies banner
"We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services listed above will be used. You may change your selection on which cookies to accept by clicking "Manage Cookies" at the bottom of the page to change your selection. This selection is maintained for 180 days. Please review your selections regularly. "
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
The EU's maybe, but for my government I have no banners.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
> billion trackers ... dark patterns
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
Again, then why does the EU do this? Clearly it's not simply about eroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because it's annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
> Besides, you seem to be confusing something.
No. You asked "How can you comply with the current requirements without cookie banners?" Not "How can you have trackers and comply with the current requirements without cookie banners?" And "don't use dark patterns" would have answered this question as well.
> No. You asked "How can you comply with the current requirements without cookie banners?"
Within the context of the discussion of if it's malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of if its malicious compliance or a natural consequence of the law.
You ignored that I said "don't use dark patterns" answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because it's extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
You CAN use analytics! Just need to use first party analytics... it is not so hard to set up, there are many open-source self-hosted options.
I hate how everyone and their mother ships all my data to google and others just because they can.
The regulation is only concerned with cookies that are not required to provide the service. It makes no differentiation between first party and third party - if you use cookies for anything optional (like analytics) you need consent. So you can have third party non-cookie analytics for example without a banner.
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot less people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this is covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
So take the IP, browser agent, your domain name and some other browser identifiers, stick them together and run them through SHA3-256, now you have a hash you can use for deduplication. You can even send this hash to a 3rd party service.
Or assign the user an anonymous session cookie that lasts an hour but contains nothing but a random GUID.
Or simply pipe your log output through a service that computes stats of accessed endpoints.
None of this requires a cookie banner.
> You need to identify the endpoint to deduplicate web page
You can deduplicate but you cannot store or transmit this identity information. The derived stats are fine as long as it’s aggregated in such a way that preserves anonymity
How would you deduplicate without a unique identifier or fingerprint of some sort (which would not preserve anonymity)?
No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need to know if it's the same person or not. The goal of analytics is to see how people in general use your website, not how an individual person uses your website.
So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie. Hash it together. Now you have a token valid for 30 minutes you can use for deduplication but no way of tying it back to a particular user (after 30 minutes). And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
Not rocket science.
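The hash-and-count scheme from the two comments above, written out as an added example (not code from the thread): a SHA3-256 token over domain, IP, user agent and a session ID, used only to count unique visitors per page and then discarded. The domain, the function and class names and the sample traffic are assumptions.

```python
import hashlib
from collections import defaultdict

SITE_DOMAIN = "shop.example"  # assumption: placeholder domain


def dedup_token(ip, user_agent, session_id, domain=SITE_DOMAIN):
    """SHA3-256 over domain, IP, user agent and the random session ID.

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc")
    cannot produce the same input to the hash.
    """
    h = hashlib.sha3_256()
    for field in (domain, ip, user_agent, session_id):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()


class PageStats:
    """Holds tokens in memory for one reporting window and exports only counts."""

    def __init__(self):
        self._hits = defaultdict(int)
        self._tokens = defaultdict(set)

    def record(self, path, token):
        self._hits[path] += 1
        self._tokens[path].add(token)

    def flush(self):
        """Return {path: {"hits": n, "unique": m}} and drop every stored token."""
        report = {
            path: {"hits": self._hits[path], "unique": len(self._tokens[path])}
            for path in self._hits
        }
        self._hits.clear()
        self._tokens.clear()
        return report


# Constructed sample traffic: (ip, user agent, session cookie value, path).
# The session values stand in for random IDs from a 30-minute cookie.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)", "s-7f3a", "/pricing"),
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)", "s-7f3a", "/pricing"),  # reload
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)", "s-7f3a", "/docs"),
    ("198.51.100.7", "Mozilla/5.0 (Macintosh)", "s-c41e", "/pricing"),
    # Same visitor returning after the cookie expired: new session ID, new token.
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)", "s-b902", "/pricing"),
]


def run_sample():
    """Feed the constructed traffic through the counter and return the report."""
    stats = PageStats()
    for ip, ua, session_id, path in SAMPLE_REQUESTS:
        stats.record(path, dedup_token(ip, ua, session_id))
    return stats.flush()


if __name__ == "__main__":
    for path, counts in sorted(run_sample().items()):
        print(path, counts)
```

The last sample row shows the trade-off the scheme accepts: once the session cookie rotates, a returning visitor is counted as new.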
> No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need to know if it's the same person or not.
Sure you do if for example you want to know how many unique users browse your site per day or month. Which is one of the most commonly requested and used metrics.
> So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie.
That looks a lot like a unique identifier which does require a user's consent and a cookie banner.
> Now you have a token valid for 30 minutes you can use for deduplication but no way of tying it back to a particular user (after 30 minutes)
The EU Court of Justice has ruled in the past that hashed personal data is still personal data.
> And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
It will also happen after 30 minutes have passed which will happen all the time.
> Not rocket science.
And yet your solution is illegal according to the GDPR and does still not fulfil the basic requirement of returning the number of unique users per day or month.
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesn't matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
> And now proponents of GDPR are blaming companies for following GDPR.
Not really, proponents of GDPR are aware that GDPR explicitly blocking trackers would be extremely hard as there is a significant gray area where cookies can be useful but non-essential, so you'd have to define very specifically what constitutes a tracker or do a blanket ban and hurt legitimate use-cases. Both are bad.
For some reason though people think that the body that institutes laws that try to make the world a better place, when loopholes are found and abused for profit, this is somehow the standard body making a mistake, rather than each individual profit-seeking loophole-abusing entity being the problematic and blame-worthy actor.
I never understand why, I guess you work somewhere that makes money off of this.
No, those companies do not follow GDPR. They are testing how far they can go without triggering mass complaints etc.
By not setting a cookie until the user does something active when I then tell them (say on “log in” or “add to basket”).
You don't need a cookie banner for authentication/shopping basket cookies, since these are essential.
However, you are still required to provide a list of essential cookies and their usage somewhere on the website.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GDPR. I'd think they would overlap a lot with people who actually read it.
I don't think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that it's not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make them illegal. Simply operating as normal plus new GDPR compliance clearly isn't malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that it's not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And let's not get started on all the sites where the banner is just a non-functional smoke screen.
Don’t track your site visitors.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
OK sounds great.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site unto itself is a first party tracker, but if your developers can't do it there are open-source solutions available to host.
Again, great. Didn't happen and isn't required by GDPR though.
Malicious compliance are those dark patterns where it takes one click to accept all but multiple clicks to reject all.
I remember the early day cookie banners of Tumblr: accept all or deselect 200 tracking cookies by clicking each checkbox.
I could just as easily say don't send data you don't want tracked.
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
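How a server can read the two browser signals named in this thread, Do Not Track (`DNT: 1`) and Global Privacy Control (`Sec-GPC: 1`), before deciding which cookies to set and whether to show a banner. This is an added example, not part of the original thread; the cookie names, their categories and the policy that a browser signal overrides a stored choice are assumptions.

```python
from dataclasses import dataclass

# Constructed cookie catalogue: name -> category (assumption, not from the thread).
COOKIE_CATEGORIES = {
    "session": "essential",
    "cart": "essential",
    "ab_bucket": "analytics",
    "ad_id": "advertising",
}

ESSENTIAL_ONLY = frozenset({"essential"})


@dataclass(frozen=True)
class Decision:
    allowed_categories: frozenset
    show_banner: bool
    reason: str


def _header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def decide(headers, stored_consent=None):
    """Map request headers and any stored choice to a cookie decision.

    stored_consent is the set of optional categories the visitor accepted
    earlier, or None if they have never been asked.
    """
    # A browser-level opt-out is treated as the answer: no optional cookies
    # and no banner asking the same question again.
    if _header(headers, "Sec-GPC") == "1" or _header(headers, "DNT") == "1":
        return Decision(ESSENTIAL_ONLY, False, "browser opt-out signal")
    if stored_consent is not None:
        allowed = ESSENTIAL_ONLY | frozenset(stored_consent)
        return Decision(allowed, False, "stored choice")
    # No signal and no earlier answer: essential cookies only, ask once.
    return Decision(ESSENTIAL_ONLY, True, "no signal, no stored choice")


def cookies_to_set(candidates, decision):
    """Keep only cookies whose category is allowed; unknown names are dropped."""
    return [
        name for name in candidates
        if COOKIE_CATEGORIES.get(name) in decision.allowed_categories
    ]


if __name__ == "__main__":
    wanted = ["session", "cart", "ab_bucket", "ad_id", "mystery"]
    # Constructed request headers for three visitors.
    for hdrs, consent in (
        ({"Sec-GPC": "1"}, None),
        ({"User-Agent": "x"}, None),
        ({"User-Agent": "x"}, {"analytics"}),
    ):
        d = decide(hdrs, consent)
        print(d.reason, "| banner:", d.show_banner, "|", cookies_to_set(wanted, d))
```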
Or a new, opt-in "Do-Track" that means consent to tracking, and anything else means tracking is not allowed. Why should it be opt-out?
As long as there is Do-Not-Track as well, and companies must follow BOTH, this would be ok by me.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of what? Instead of the central browser controls?
>Instead of what?
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
This very article is about how we're getting a central browser control, and your comment was "can we finally get a central browser control instead?".
Well, it's a minor detail hidden in the middle of the article, I also missed it.
But the person weberer replied to was quoting the exact place.
whoops, didn't read the entire quote ...
So they finally admit that it was a mistake.
Even EU government websites had annoying giant cookie banners.
Yet, somehow the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
50 is not even close.
Those banners often list up to 3000 ”partners”.
The cookie law made this worse.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
uBlock blocks most of those for me lately.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
I use the first of those extensions, it's the cookie whitelist one that no longer works for me.
There could be an extension to block the banners, too. I think uBO has a feature to block certain CSS classes?
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when I close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
You can just set your browser not to send whichever cookies you don't want to.
Cookies are a client-side technology.
Why does the government need to be involved?
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
You could try and read the law yourself. After all, it's only been 9 years.
It covers all data processing whether automatic or manual.
The law literally doesn't talk about cookies. Or any other ways of tracking. (well, it does. In the preamble. The regulation itself is tech agnostic)
It doesn't have to contain the word "cookies" to describe the way they operate.
Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
--- end quote ---
etc.
Not really, it disallows tracking even if you aren't storing anything (eg via fingerprinting):
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client side anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
> Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client side anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
> The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the sites I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read and on top the browser has a language preference: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites to require a language cookie for a not authenticated user.
> But one row before it mentions "such as accessing secure areas of the site."
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
> allow you to save your login if you come back later.
Again, is there any browser nowadays that doesn't save the login? I don't know any, personally, but I do not know all of them. And if there are, how much market share do they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookie (oh, maybe they think of the food! Yummy)
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Which is presumably the reason nobody uses Midori
I liked it. The reason I don't use it is because it doesn't support modern JS heavy websites.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
Cookies that keep you logged in or maintain a session don’t need consent
Blocking cookies client side will block all cookies regardless of value. Hence the usefulness of law to disambiguate.
Of course, let ME decide if I want to keep fdfhfiudva=dsaafndsafndsoai and remove cindijcasndiuv=fwíáqfewjfoi. I know best what those cookies do!
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
> Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at.
Server logs can provide this information.
Only in very simple ways.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things, problem is do we agree as society it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
This isn't even about ads. It's just about basic business metrics.
And no, you can't just "wait 2 weeks and check for the actual sales volume difference". The example I gave requires individual anonymized tracking. Pretty much anything that has to do with correlations in customer behavior requires individual tracking. And that's how businesses improve.
Also, it's not just giving up "some percentage points". There are a huge number of small businesses that can only exist because Facebook ads work so well in targeting very precise customer segments who would never know about their product otherwise. Targeting advertising does actually work, and you'd be putting tons of small business owners out of work if you got rid of it.
Maybe what you say is correct, but without a reference can also be an opinion influenced by your domain of activity.
What I see though is many shops closing, because more and more people buying online. What I hear is people buying crap from Amazon and throwing it very fast, or using fast fashion from the like of Shein. Neither seem to me a great outcome.
I did a cursory look and I found this https://www.pewresearch.org/short-reads/2024/04/22/a-look-at... , will quote "The number of high-propensity business applications – those that are highly likely to turn into businesses with payrolls – remained relatively stable between 2009 and 2019,". This for me does not support the idea of a "huge number" that only exist due to Facebook (business exits have also grown over the period, more data at https://data-explorer.oecd.org/), but of course this is an interpretation.
Not for the amount of stuff on the web now that is client-side rendered.
Client side rendering means in practice clicking a product retrieves JSON and images instead of HTML and images. This can be logged.
Okay, and why do you need to share whatever info you collect with thousands of random data "partners" if it's just for you to keep track of whatever made up thing you say you need to track? Because in reality that's what GDPR exposed, that random ecomm website selling socks or whatever is sharing everything they know about you with a billion random companies for some unknowable reason.
Cookie banners are made obtrusive by the people running CMPs as they want to make it as hard as possible to stop collecting the data
Funny thing is that I often will go out of my way to find the least permissive settings if the banner is obnoxious or has a dark pattern.
every accusation is a confession you see...
> if you don't do anything "bad" then you don't need the banners.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners"?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
worst implementation ever. I bet it is the reason that most people are now taking anti depressants.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rile people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would actually not need any banners at all.
Why do European government websites do the same thing then? They’re also spreading propaganda?
The cookie thing sounds good at first but then it shows that they want to reduce cookiewalls by making more things ok without asking :(
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the "necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I would on the other hand ask if I should really set my "preferred language" on every device I log in ?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue was never the law.
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
A cookie is something that is sent to the server, by design - that's their whole point! So if the only part of your code that needs them lives on the client, cookies are the wrong mechanism for that - use localStorage instead.
> lets you set font size and dark/bright theme,
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal data, so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
That's not true. You can use those cookies, you just need to explain them somewhere on the site. No opt in required.
I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g Google analytics) or putting actual personal data in them, you're generally fine without the banner.
Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway, I assumed that was the agreement between EU information officers)
I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all). Check the Steam store, for example: their banner is non-intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
What do you mean? The original post mention 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
That is unfortunate, EU could well present itself as an example of how things can be done right. Unfortunately incompetence and/or indifference, plus lack of IT talent willing to work for the public sector is also a thing in politics. It's an opportunity lost for sure.
> law wasn't poorly written, most websites just don't follow the law
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Most websites in the EU also aren't following the law.
people intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.
Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either
I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.
> Most websites do. not. need. cookies.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
Functional cookies are fine. Even analytics is fine if you're using your own (though said own analytics must also comply with GDPR personal data retention rules).
What is not fine is giving away your users' personal data to pay for your analytics bill.
Non-risk cookies never required a banner.
jokes on them i never followed the law anyway
I'm convinced there's a psyop on this site when it comes to GDPR, and I'm only half-joking. If people would bother to read those intrusive banners, they'd notice that their info is being harvested and shared with hundreds, even thousands of "partners". In what universe is this something we should be okay with? Why exactly does some random ecommerce site need to harvest my data and share it with a bajillion "partners" of theirs? Why are we okay with that?
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.
I will believe this when I see it.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
I don't want an internet designed by lawyers and politicians. And I'm afraid that's what this level of regulation and enforcement would create.
Right, because an internet designed by profit motive is going great
I kind of like it. I mean here we all are on it. And sites like HN can just be written by one person and put up by one person with no permissions. The alternative if the government controlled it would be something like the Apple app store where you have to pay a fee to maybe be allowed to do something.
No it would not. We're already in some alternative where the government says that you can't make a website to sell CSAM, for instance. And we all agree that this is a good thing.
The goal of regulations is to prevent undesirable behaviours by making it "too costly" to do. The goal is not to take 30% on every app sale.
The post I replied to was on an internet designed with a "profit motive". What you describe is still basically profit motive with laws to stop bad things. I'm not quite sure what you get if you removed the profit motive. Maybe the app store wasn't a good example. Maybe something like the BBC?
My point was that the post you replied to was not saying that the alternative would be that the government would run it for profit. It was just saying that maybe it's better to have rules set by the government than to have the whole thing driven by profit-maximising machines.
If it wasn't, you would see illegal ads all over the place. I mean you already do, but the "soft" ones.
Complaining about regulations as a concept is usually about forgetting those that work and seeing exclusively those that annoy you.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I don't want an internet designed by businessmen and advertisers, yet here we are.
"I don't want a society regulated by rules"
I'm not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
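The behaviour argued for in the comments above (honour the Do Not Track / Global Privacy Control headers and never ask in that case; set only strictly necessary cookies until the visitor opts in), as an added server-side example that is not code from the thread. The cookie names, the `consent` cookie format, and the choice to let a browser signal override stored consent are assumptions made for illustration.

```javascript
// Added example (not code from the thread). Cookie names, categories, the
// "consent" cookie format and the policy itself are illustrative assumptions.

// Categories that may only be set after opt-in under this example policy.
const OPTIONAL = new Set(["preferences", "statistics", "marketing"]);

// Constructed cookie catalog for a hypothetical shop.
const COOKIE_CATALOG = [
  { name: "session_id", category: "strictly_necessary", httpOnly: true },
  { name: "cart", category: "strictly_necessary", httpOnly: true },
  { name: "ui_lang", category: "preferences", httpOnly: false },
  { name: "stats_id", category: "statistics", httpOnly: true },
  { name: "ad_id", category: "marketing", httpOnly: true },
];

// Header names are case-insensitive; normalise them to lower case.
function normaliseHeaders(headers) {
  const out = {};
  for (const [key, value] of Object.entries(headers || {})) {
    out[key.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns null when the visitor has never answered, otherwise the set of
// optional categories they granted ("consent=none" yields an empty set).
function parseConsent(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== "consent") continue;
    const granted = new Set();
    for (const cat of part.slice(eq + 1).trim().split(".")) {
      if (OPTIONAL.has(cat)) granted.add(cat); // unknown values are ignored
    }
    return granted;
  }
  return null;
}

// Decide which cookies may be set and whether a banner is needed at all.
function decideCookies(rawHeaders) {
  const headers = normaliseHeaders(rawHeaders);
  // "DNT: 1" and "Sec-GPC: 1" are the browser-level opt-out signals.
  const optOut = headers["dnt"] === "1" || headers["sec-gpc"] === "1";
  const consent = parseConsent(headers["cookie"]);
  // Assumption: a browser opt-out signal overrides any stored consent.
  const granted = optOut || consent === null ? new Set() : consent;

  const allowed = COOKIE_CATALOG.filter(
    (c) => c.category === "strictly_necessary" || granted.has(c.category)
  );
  const hasOptional = COOKIE_CATALOG.some((c) => OPTIONAL.has(c.category));
  return {
    // Ask only if there is something to ask about, the browser has not
    // already answered "no", and no earlier answer is on record.
    showBanner: hasOptional && !optOut && consent === null,
    allowed: allowed.map((c) => c.name),
    setCookie: allowed.map(
      (c) =>
        `${c.name}=constructed-value; Path=/; Secure; SameSite=Lax` +
        (c.httpOnly ? "; HttpOnly" : "")
    ),
  };
}

// Constructed sample requests.
const SAMPLES = {
  firstVisit: {},
  dntVisitor: { DNT: "1" },
  gpcWithOldConsent: { "Sec-GPC": "1", Cookie: "consent=preferences.marketing" },
  optedIn: { Cookie: "session_id=abc; consent=preferences.statistics" },
  rejectedAll: { Cookie: "consent=none" },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  const d = decideCookies(headers);
  console.log(label, "banner:", d.showBanner, "cookies:", d.allowed.join(","));
}
```

A site whose catalog contains only strictly necessary entries never shows the banner under this policy, which matches the point made several times in the thread.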
Yes, that's what I meant.
Also businesses are not people. People may not do illegal things "just because they are illegal" or because they want to be "good" (e.g. I agree that we should not litter, I wouldn't even need a regulation for that).
Businesses are profit-maximising machines. If it is profitable to litter, a business will do it. The framework in which businesses maximise is set by regulations, which represent what society wants. That's how capitalism works.
The limit of capitalism is when businesses are more powerful than the entities in charge of enforcing the regulations. If "enforcing a regulation" means having lawyers work on it, but the businesses themselves have orders of magnitudes more lawyers trying to prevent those entities from doing their jobs, then we have a problem. That's a limit of capitalism, IMO.
The EU's own government websites are littered with cookie consent banners. They want the data too.
Again, because those entities ("EU", "governments") are made of many people. It's not one guy who says "this should be illegal, but I will put it on my website too".
Too late, and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
What were they doing with user data?
Most are running ads and need to track the performance of their ad spend I believe, at least that's what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
How do I stop you from tracking this information about me?
Do not consent when asked or, better yet, do not use websites that implement these techniques.
So can’t abuse people’s data without their consent is being strangled?
Is that like I’m strangled with my start up of “cheapdvds.com” because I can’t sell someone else’s data?
You have a funny definition of the word “abuse,” and “sell.”
“25% of our users that arrived from the newest ad came from Facebook and 85% of those were mobile users.”
So abusive. So much selling.
And when someone visits your website, you don't tell anyone about their visit, right?
RIGHT?!
That's an egregiously poor faith interpretation of what they said.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU-based Plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for a fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
It does work, I have seen enormous and well designed tests to show it.
> GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
Good! I don't want ads to be a thing in the first place. It's a good thing that industry is being strangled by regulation.
Essentially all modern advertising is evil.
They are strangled by rules in using personal data on algorithmic advertisement?
GOOD!
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for others' benefit, with no or marginal benefit for me in the overwhelming majority of cases.
If startups cannot do it properly, then they should not do it at all! They must spend on handling personal data well if they want to handle personal data at all! There are more than enough already, and most just go bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people; people are increasingly reluctant to share because of the many abuses and the actual damage caused by abused personal data.
People are important, not the startups!
Sure, and that's why the EU now has the weakest tech sector of any service industry and has become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia, and compared to them the EU is doing just fine.
You’re comparing the tech sector of the EU to that of Africa?
No
Nice edit
Bad troll!
Sure, but since the EU has destroyed its own innovation so much, soon you'll get no choice in the matter.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls, I think we're at the precipice of needing in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
European cars from almost every brand already have emergency braking, adaptive cruise control, lane keeping, lane switching, etc., which get us 70% of the way there in terms of road safety.
I don't want to be experimented on by companies like Tesla:
Let them kill US citizens and keep lying and hiding things:
> Understanding exactly whose fault these crashes are is tricky because of how Tesla fills out its forms. Automakers must send reports to the National Highway Traffic Safety Administration (NHTSA). Most companies explain the crash in a written section called the narrative. This narrative tells the public whether another driver ran a red light or if the computer made a mistake.
> Tesla chooses to block out this information and redacts the narrative section entirely. This prevents the public from knowing the truth, but it is entirely legal, even if it frustrates data analysts. Without the story, nobody knows if the Robotaxi caused the crash or if it was a victim. Fans of the brand often argue that other drivers cause these wrecks. That might be true. But since the company hides the proof, nobody can say for sure. Other autonomous companies like Waymo share these details openly.
I love how you can think about any of these ideas in a really basic way like a 5 year old and you'll know intuitively that it'll all fail, particularly if you invert it:
for example:
- bureaucracy creates less bureaucracy
- price controls create more supply
- adding more rules creates more freedom
- government is good at understanding technology
- the more people you have the better your decisions will be
- the further someone is from a problem, the better they can solve it
I quite like not having my personal data stolen by foreign megacorps for nefarious purposes. In that, I am freer than Americans thanks to European regulations.
Generally agree, except for point three.
- adding more rules creates more freedom. Imagine the US without a constitution. It’d be madness. In a lawless country, people would be less free to do things they actually want to do because they’re so occupied with just surviving.
Rules are necessary, but ideally you'd strive for the minimum set that produces the desired outcome w/ the least side-effects.
Europe should make business registration a single one page one step operation first.
There are dozens of stories how registering a business alone can take several months and tons of paperwork.
Well, yes, Europe is after all a collection of 44 countries, with 27 of them being in the EU, and three EFTA countries. So you're dealing with that many different sets of laws.
Some countries are extremely strict, others are more lax. Where I live (Norway), starting a business is pretty easy and straightforward. Other countries, like Germany, are notoriously difficult from what I've read.
And again, some countries have very strict laws and guidelines you need to follow once you've started a certain type of business. Where I live it is relatively easy to start an LLC, but you'll need to put some money into it, and you can easily get fined - or even face jail - if you don't follow the laws for accounting/auditing. It becomes problematic, quite fast, if there are no unified codes for these things, if everyone's going to be able to operate cross borders.
Not to mention all the other laws (consumer laws, etc.)
How is Europe, much less the EU, supposed to do that?
Registering a business in Estonia is famously relatively straightforward, while it is an absolute pain here in Germany. But business registration is the responsibility of the countries themselves and it should remain that way.
How realistic is it that it will be implemented? Sounds more like wishful thinking at the moment.
In Sweden and the Netherlands it is quite easy and straightforward to register a business, speaking from personal experience. Tax filing is quite straightforward as well, especially for personal income tax.
Starting a company in Sweden requires (uploaded PDF from Bolagsverket to ChatGPT who summarized):
1. Prepare the foundation deed and the articles of association.
2. Identify the beneficial owner(s).
3. Pay the share capital and obtain the bank certificate or auditor’s statement.
4. Submit the registration application for the limited company to the Swedish Companies Registration Office (Bolagsverket) and wait for approval.
5. If applicable: submit a certified copy of your passport (non-Swedish citizens).
6. Apply for F-tax approval and VAT registration and wait for the decision.
7. Register as an employer if you will pay salaries.
8. Keep continuous bookkeeping and prepare the annual accounts each financial year.
9. Submit the annual report to Bolagsverket every year.
Optional:
1. Obtain business and personal insurance.
2. Register trademarks or protect other intellectual property.
3. Choose an auditor if you want one or when the company later reaches the required thresholds.
4. Register a cash register if you accept cash or card payments.
5. Meet requirements for import/export and obtain an EORI number.
6. Follow rules for buying/selling goods or services within or outside the EU.
7. Keep a staff ledger if required for your industry.
8. Follow reverse-charge VAT rules if you operate in construction.
9. Apply for permits if your specific business activity requires them.
This is not what I'd call a straightforward process, personally. Also speaking from personal experience. Sorry for the formatting.
Are you implying that there is a country somewhere you don't have to "keep bookkeeping and prepare annual accounts"? Sounds like bog standard things.
No, that's not what I'm implying. I'm saying that it's needlessly complicated.
> This is not what I'd call a straightforward process, personally.
It's a (check)list... what could be more straightforward?
I guess it depends what we mean by straightforward. If we mean something along the lines of "no ambiguity" then yes. If we mean something along the lines of "simple, easy to do" then no. Almost anything can be accomplished with a sufficiently long checklist. I just feel like the entire process could be streamlined and simplified.
> There are dozens of stories how registering a business alone can take several months and tons of paperwork.
What does this even mean? You have examples from ALL of Europe? Each country has its own process, and at least in "my" country it is very easy.
They had enough time to push browser vendors to implement an API which allows the user to specify the preferences, so that the page queries the API, instead of the user.
This is a step back. All these years of clicking those banners is now for nothing.
As someone who had to implement GDPR, it would be really frustrating if all people thought it was was the banners (which I’m not even sure was GDPR).
While our company was very good at handling customer data already, it forced us to up even our game.
Other companies, however, were absolutely miserable at it.
GDPR has improved user privacy for the billion+ Internet users across the board, whether they are EU citizens or not, and most won’t even know about it.
Maybe that's just media consumption and reporting bias, but I feel like data leaks have been a lot rarer and less impactful in Europe in recent years compared to the US and based on that the scam/identity theft activity also less intense.
Poor Europe - lobbyists make sure that Europe stays weak.
That statement includes Ursula by the way.
Lobbyists make sure that ~~Europe~~ the world stays weak.
They need more strict financial regulation than politicians do!
The current situation of having enough rules and regulations that all the AI companies set up in other countries is going great eh?
[deleted]
You can't build large ML models without swaths of data, and GDPR is the antithesis of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
The GDPR is about protecting personal data, what personal data could you possibly need to train an AI model?
Let's turn that around. What personal data wouldn't help train an AI model?
I know the HN rules say the title should not be changed, so it's the article's fault, but the EU is NOT Europe.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
They seem to be reporting on two drafts that were leaked by Netzpolitik.
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
> The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval...
Not a done deal.
AI seems like the real deal. I have never seen a technology so quickly and aggressively adopted in corporate America -- every CEO is horny to adopt AI, thinking it will cut costs (read that to mean: "replace you").
They did not have the same fervor for SaaS or cloud, if you recall. You needed sales people for that tech and they were compensated well bc it's hard closing a multi year, potentially multi million dollar deal.
But AI needs no sales people to sell its value prop. CEOs have fully bought in. And now, even European bureaucrats, the most bureaucratic of bureaucrats, are loosening regulations. And these are the same group of people who thought cookie banners would help with privacy. Strange times.
Wait for the bubble to burst, shouldn't be long now. Bureaucrats are like C-suites, they're very susceptible to hype and trends.
I have been waiting for a bubble to burst since the Dow hit 20,000.
Europe has no chance to compete with the USA and China.
I'm European and I can only see ineptitude and corruption everywhere.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer to verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
> All consuming vague regulations like GDPR increase the cost of a startup by 500%.
Source?
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have its own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
Europe does have Microsoft. Actually, it has Microsoft in almost every single respect except the primary beneficial ones: taxes, employment and oversight.
Yes, and I wish we'd give them the boot for not following the relevant regulations.
Europe having its own Microsoft might be better than Europe having to use the US one and sending it like $100/user/yr in whatever subscription they've tricked them into.
Europe doesn't have to use the US one. It's been the easier choice historically, but there's little beyond inertia forcing Europe to stick to Microsoft. Not that that inertia isn't nothing though.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
Draghi's recommendations to roll back regulations had nothing to do with purported special interests, but with his view that regulation was stifling European development. And he's as old guard Euro-establishment as they come.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that the EU in general kinda knows that, for various reasons, they won't be able to make their version of money machine big tech. So why not try a different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobbies that want to exploit them.
But if you ask anyone in Europe on the street, they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
It's gonna take a decade to roll down all those cookie banners.
Is this one of the initiatives to start syncing with the new 28th regime?
> Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
For 'central browser control', what is the technical mechanism behind this? Is it something like an entirely new request header sent by the browser? Or re-using some existing RFC? Also curious if the regulation will compel browsers to implement this or something.
Managing cookie permissions at the browser level always made the most sense, but implementing it with regulation is what seems hard.
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more successful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place? People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non-essential use illegal.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
Here's a story about how the mere perception of "regulations exist and are strict" is dragging down my European AI start-up:
Our product makes it easy to capture and share knowledge on the factory floor, which is very important when many of your workers are about to retire. Interest is enormous. It is a simple SaaS. You'd think selling would be easy. And it is: In the USA. In Europe the mere existence of the regulations (not what's in them) delays us by 6 months at least per deal.
No European executive really understands what is in the GDPR, and even though we are 100% compliant, there is nothing we can do to take away this fear. This means that when we talk to European companies, IT and Legal departments always have to be closely involved, leading to all sorts of political games; each department conjures up non-existing risk by talking vaguely about data privacy, just so they appear important. Half a year later when the dust has settled, the executive buys the product, or their mind has moved to other things.
My point is this: What is in the laws is not important to me. What is important is that the current perception of laws turns companies into slugs. I want us to mentally move back to 2018 where we could "just buy SaaS" without worrying endlessly about data privacy. I understand hesitancy when it comes to cyber security, but that is not what is slowing us down.
One of our workarounds currently is simply never to mention we use AI.
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
What exactly did you see about cucumbers?
They scrapped it actually but this law used to be the main example for overbearing EU bureaucracy
The actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem with mandating truth in advertising.
I have mixed feelings about this one. While I was never too excited about some of the unintended consequences of GDPR. That said, I do see benefit of the EU being the world's regulator on these types of things. I don't have confidence that anyone else would do it if the EU didn't. Even for those of us that don't live in the EU (I am in the US myself), I do feel like the EU plays the role of keeping things in check for the rest of us even if we are directly impacted by their regulations.
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I don't see how training an LLM has anything to do with privacy laws.
It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.
Names and IP addresses are like 1% of what meets the gdpr definition of personal data.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society is NOT a negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs is as real as the companies like to claim, there is enough data on the internet to train LLMs while paying a proper royalty for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
Good luck getting rid of LLMs
I wish there was a link to the source of this information in the article! I'd like to read the updated version of these laws (if they're public).
So they've missed the innovation train due to regulation, and now they are likely to axe the side-effect benefit of said regulation.
The news feels bittersweet. With 10+ years of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
What constitutes data about people?
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
You're being deceptively dense.
PII has a very clear definition. Posts on a public forum are not part of it.
> PII has a very clear definition.
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
We're in post-growth-times, please understand that we need to get all your names and data, so that the Elysium-Cloud can reach, and help you all, the full 8-Billion surrogates ...
What data are cookies providing that browser fingerprinting can't?
From what I can tell, we have to click all these pop ups for no reason at all.
The LLM answer to this was clarifying. Thanks for bringing up the q.
Europe is also introducing Chat Control so that might be why they are moving back.
Wasn't that put on hold?
Now we are fucked too as EU citizens. I hate AI more and more! MY DATA IS MINE. I hate the future. I just hope this gets sacked by the parliament or the judges. If not I need to find ways to keep as much personal data to myself as possible. The internet has become a very hostile environment for real humans and we need to learn to tread very carefully and avoid giving anything to the data poachers. My life is not a resource like crude oil ffs!
You don’t need politicians to help you keep your personal data to yourself.
I wonder if Apple holding back features helped the EU realize that hey, maybe the regulations are getting too onerous. I like to think so.
Anonymization unfortunately is completely broken under GDPR. In principle it provides a clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established, even considering the person doing the anonymization. Consider a clinical study on 100 patients and some diagnostic parameter of theirs, such as creatinine or HbA1c, which was legally collected using consent and everything. Let's assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test: whether anybody using reasonable efforts could re-establish an identity. And sure, the original researcher can, because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
You should probably look into pseudonymization in your case, not actual anonymization. Look into C‑413/23 P in more detail to see if it's applicable in your situation; it's essentially the first case law around it. You probably do need some extra controls (like a contract that the data is not shared) just in case, to avoid the data coming into the hands of someone else who could identify the people, depending on how detailed the data is.
So no more cookie banners taking up half the screen of every website I load?! Great!
From Europe, I agree with big tech getting it. But I don't agree with a random flower shop somewhere getting fined because they don't know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also don't agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you don't provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didn't make the user approve each cookie one by one.
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because it's not easy and your easy 'Accept' button is meaningless as a result.
And this is just one of its contradictions. The more you dive, the more convoluted it gets. It's a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
> The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant
It absolutely isn't. I set up a blog for a friend where she shows her art and publishes an appearances itinerary/schedule. It doesn't collect ANY info from visitors, therefore requires no cookie banner at all. Simple as that.
HTTP logs are retained for 7 days for security analysis and then wiped. No analytics available, although my understanding is that a self-hosted Matomo instance set to anonymize the last 2 IP bytes of every logline it ingests would still be considered exempt from a banner.
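A sketch of the log handling described in the comment above, added here as an example and not the commenter's or Matomo's own code: it zeroes the last two bytes of each IPv4 client address and drops lines older than 7 days. The /48 prefix kept for IPv6, the Common Log Format layout, and the sample lines are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)   # the 7-day window mentioned in the comment
V4_KEEP_BITS = 16               # zero the last 2 bytes of an IPv4 address
V6_KEEP_BITS = 48               # assumption of this example, not from the thread

# Common Log Format prefix: client address, ident and user fields, [timestamp]
LINE_RE = re.compile(r'^(\S+) (\S+ \S+) \[([^\]]+)\](.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(text):
    """Return the address with its host part zeroed; raises ValueError if not an IP."""
    addr = ipaddress.ip_address(text)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a full IPv4 address
    # in its low bits, so it must be masked as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = V4_KEEP_BITS if addr.version == 4 else V6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def scrub(lines, now):
    """Mask client addresses and enforce retention.

    Returns (kept_lines, dropped_as_expired, dropped_as_unparseable).
    A line whose address or timestamp cannot be parsed is dropped, because
    it can be neither masked nor aged out reliably.
    """
    kept, expired, unparseable = [], 0, 0
    for line in lines:
        match = LINE_RE.match(line)
        try:
            if match is None:
                raise ValueError("not a Common Log Format line")
            client, ident_user, stamp, rest = match.groups()
            when = datetime.strptime(stamp, TS_FORMAT)
            masked = mask_ip(client)
        except ValueError:
            unparseable += 1
            continue
        if now - when > RETENTION:
            expired += 1
            continue
        kept.append(f"{masked} {ident_user} [{stamp}]{rest}")
    return kept, expired, unparseable


# Constructed sample input (documentation address ranges, invented requests).
NOW = datetime(2025, 11, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '203.0.113.77 - - [19/Nov/2025:08:15:02 +0000] "GET /schedule HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Nov/2025:23:59:59 +0000] "GET / HTTP/1.1" 200 1024',
    '2001:db8:abcd:12::9a - - [20/Nov/2025:11:00:00 +0000] "GET /art HTTP/1.1" 200 900',
    'not-an-ip - - [20/Nov/2025:11:05:00 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    kept, expired, unparseable = scrub(SAMPLE_LINES, NOW)
    for line in kept:
        print(line)
    print(f"expired={expired} unparseable={unparseable}")
```

Masking only the client address leaves the request path, referrer and user agent untouched, and those fields can carry identifying values of their own.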
> HTTP logs are retained for 7 days
There you go. The moment you save any information that can help identify someone for any period, you are within the scope of the law. God forbid you keep the IPs for any reason.
> for security analysis
The law doesn't give a zit about what you do it for. If you retain any personal info or set any cookie, you have to tell the user about it and give options.
> Matomo instance
Hahaha - Matomo itself is non-compliant with the law. Its developers think that anonymizing info or collecting bits and pieces for functional info and setting a cookie for that purpose allows you not to show a banner. That's wrong. It doesn't matter for what you collect info or set a cookie - the moment you set a cookie, you have to show a cookie banner and tell exactly what you are collecting and what you are using it for. Even for functional cookies.
The only way you can be compliant with this law is by setting an apache header or something to delete all cookies the moment they are set so that you won't leave any cookie. Even in that case, you may be responsible for you are holding that information even for a few milliseconds. (yeah, you as a techie think that it's not important, but law doesn't work that way). Best chance is to have a server that does not set any cookie or collect any info in any way. Good job preventing spam, fraud, ddos with such a setup.
Related:
Europe's cookie nightmare is crumbling. EC wants preference at browser level
> European Commission wants browsers to manage cookie preferences instead of pop-ups on every website.
Better late than never, but it's insane it took them almost a decade to figure this out.
People here act as if GDPR was some kind of big reason why all the digital tech is from the US. But come on, it's not like the game hasn't been rigged forever. To be more specific, it's been part of the deal with Europe being a close US ally. None of the European digital tech is ever supposed to be relevant. And in case some European digital tech is relevant it has to be absorbed by the US or at least made to look irrelevant so nobody sees or cares about it.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help the US in a time when it needs it. To allow some US big tech software to sweep in, exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in Europe... it's doing fine. Why? Because making software and compute is cheaper every year to a point of nothing. It's hard to keep insane growth in that environment. Sure if you make some unique breakthrough (like AGI) then tech keeps going again. But what if not? Then you just have to squeeze everyone more including your allies, especially your allies.
Is this related to the upcoming EU-Inc initiatives next year?
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The EU Commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other EU Commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by EU big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the EU has been co-opted by EU megacorps. Like I said in another comment, we aren't in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore I'm against any new tech legislation from the EU, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
Big players don't want this either, we rely on open source software and frequently contribute back
This is just another dumb EU reg that hurts everyone
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
This is what infuriates me with people that knock GDPR. They simply don't understand its prime purpose: creation of a legally enforceable audit chain of data ownership. This is a prerequisite if you want to enforce how people's data is used and shared amongst private entities.
Far less than 1% of people would care about either.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
But far more than 1% are harmed by it.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?
Many of the people who "don't care" don't know. Once you inform people about how much data Meta has on them, for example, many of them do in fact care and they are in fact disturbed by it.
Now, they tend to continue to use Meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
It is a government who says that…
They are quite unwise to do so.
But that extra click to read any webpage was keeping me safe
The cookie banner is the superficial part. The meat of it is how user data is collected or not and stored or not. Rolling this back would be a catastrophic defeat. Perhaps if there were an automatic cookie preference browser API that could automate the user experience it would be better for users.
Does this mean fewer less-annoying cookie pop ups?
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They aren't getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
Can you point to any of these guides?
In our case we were working on a Dutch project so we used this; AVG is the GDPR implementation for the Netherlands:
Are cookie banners going away anytime soon? There is no law more ‘European’ than this one.
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
Remember that at its core GDPR was to harmonize privacy laws around the EU to ease the transfer of data between those countries.
Previously:
European Commission plans “digital omnibus” package to simplify its tech laws
EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?
Yes. This is their public roadmap.
The CBDC, the “Digital Euro”, will be the nail in the coffin.
In Italy they’re pretty advanced with the Digital ID, for example.
Let me steelman the new proposal a little bit:
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
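The point in the comment above about hashed identifiers, as an added example that is not part of the thread: a release check a data controller could run before sharing, modelling a recipient who knows the identifier format but holds no key. The 5-digit member number, the order records and all function names are constructed for this illustration; the keyed variant uses HMAC-SHA256 from Python's standard library.

```python
import hashlib
import hmac
import secrets

ID_DIGITS = 5  # constructed toy format standing in for any low-entropy identifier

# Constructed sample orders: a member number plus a non-identifying attribute.
ORDERS = [
    {"member_id": "00421", "size": "M"},
    {"member_id": "48213", "size": "L"},
    {"member_id": "90017", "size": "S"},
]


def plain_hash_token(identifier):
    """Unkeyed SHA-256: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier, key):
    """HMAC-SHA256: recomputing the token requires the controller's key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def share_orders(orders, tokenise):
    """Build the dataset handed to a supplier: token instead of identifier."""
    return [{"customer": tokenise(o["member_id"]), "size": o["size"]} for o in orders]


def all_candidate_ids():
    """Every value the identifier format allows (100,000 for five digits)."""
    return (f"{n:0{ID_DIGITS}d}" for n in range(10 ** ID_DIGITS))


def recoverable_without_key(shared):
    """Release check: which tokens map back to an identifier for a recipient
    who knows only the identifier format and the public hash function?"""
    lookup = {plain_hash_token(c): c for c in all_candidate_ids()}
    return {
        row["customer"]: lookup[row["customer"]]
        for row in shared
        if row["customer"] in lookup
    }


def release_report(orders, key):
    """Compare both schemes on the same orders."""
    unkeyed = share_orders(orders, plain_hash_token)
    keyed = share_orders(orders, lambda i: keyed_token(i, key))
    return {
        "unkeyed_recovered": len(recoverable_without_key(unkeyed)),
        "keyed_recovered": len(recoverable_without_key(keyed)),
        "rows": len(orders),
    }


if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)  # stays with the controller
    print(release_report(ORDERS, controller_key))
```

With the keyed scheme the mapping is exactly as secret as the key, so key storage, rotation and who else holds a copy decide whether the shared tokens stay pseudonymous for a given recipient.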
> The new proposal which suggests that pseudonymized data is not always PII is a different thing.
This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In case of an IP address the answer is almost always yes since the recipient could ask a competent authority to unmask the IP address if there is a crime involved. That was the exact reasoning provided in the Breyer case.
In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to a real person so it was determined that it's not PII from the recipient's POV but it was from the data controller's.
One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.
Imagine the useful, user friendly, well designed features when business had a big incentive to push privacy
The issue isn’t too much regulation. It’s that an organization such as the EU cannot adapt
There are lots of principled arguments about privacy versus growth versus monopoly here. But the reality is: for 95% of people in the EU (or the UK), their only direct experience of GDPR is the cookie banner. They aren't going to understand your subtle arguments about whose fault it is; they know that GDPR came along and they had to click on cookie banners. And they (and I) absolutely hate it.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation; it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything
'Cause the corridors of power, they're an ocean away"
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDPR
Is that why most of the EU governmental websites have the same cookie pop up banners?
Lack of product ownership and cargo cult developers.
Legislation can’t change culture.
Goalposts moved.
The original claim was that the compliance was done for malicious reasons to change the law. Another possibility is that lawyers are a cautious bunch and advise their clients to take a less risky option when implementing a legal requirement. From personal experience, I would say that the latter is much more likely and would also explain why government agencies interpret these rules the same way when developing their websites.
Big mistake
...the companies will be very pleased.
I work right at the junction of marketing tech -- eCommerce, marketing sites, account management systems. Theoretically I should be living in compliance hell, but here's the dirty secret:
To "follow" every rule, all you really need is another layer of UX friction. Another modal. Another "consent wizard." A few toggles buried under Manage Settings → Advanced → Optional → Something You'll Never Click → Opt Me Out.
If you want to be sneaky, add a dark pattern. Make "yes" mean "no." Delay the buttons loading behind some animation, while showing other buttons from the start. (Users will always mash the first one that looks vaguely like "close" without reading anything.)
Or just bribe them, "Get 200 extra points for opting in! Only 45,000 more to redeem a free small drink!" Congratulations -- you're now "compliant."
In practice, GDPR mostly results in one more click. That's the whole impact. A seemingly smart privacy law reduced to just an annoyance tax.
(This is a big reason I run Firefox with uBlock Origin, and NextDNS on my router and phone, with Steven Black's block list. Ha. I do value my privacy, and the more ads and trackers you can block the better shot you'll have at keeping some of it. At least until you go and do something stupid like join a social network or messenger app, or start clicking accept to get 200 extra points.)
* StevenBlack/hosts: Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories. // https://github.com/StevenBlack/hosts
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
EU's citizens are ripe for the taking. GAFAM, Palantir & co are going for the kill (we hope not like in Gaza)
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit of the European tech sector.
> our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
What about GDPR is "scaling back"?
This sounds interesting and all but I'd like a more technically informed source than The Verge to judge whether the headline is accurate:
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
That's nonsensical. The GDPR doesn't require "cookie banners and pop-ups". Obtaining consent for things you can't do without consent does - if you insist on handling it that way. And "'non-risk' cookies", i.e. technical cookies required to fulfil the functionality requested by the user (e.g. maintain a login session) definitionally don't require consent and thus no "pop-up" or "banner". So what is the actual change here?
I'm sure capitulation will teach the surveillance racket a strong lesson.
Hold the line. Don't make the same mistake we did in the US. Your data is your data.
That is too bad, I had hope in this case regular people would win and get the privacy we deserve. But as always big money wins, it just takes time.
> if the development of the GDPR and AI Act are anything to go by, a political and lobbying firestorm is on its way.
No doubt that now the flood gates are open, powerful interests will do everything they can to water down the protections even more. This is already bad enough as it is.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
Is the EU suffering from FOMO?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
Start?
I stand corrected. :D
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
> We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy.
That's an odd way to say EU regulations....
The AI bubble is so big at this point that this just feels like coercion/bribery induced.
Shameful decision, caving to foreign capital interests.
Do better, EU.
The EU should pass a Foreign Lobbying Ban Act.
For example, if you are a French company with American shareholders, you can't lobby the EU.
They can't pass an act like that. USA would retaliate economically.
Why can't we counter-retaliate? Where are our cojones?
The consequences of their laws are pushing their hands
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
That was already the case for the majority of domains.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
I for one like it to be able to post stuff on my website without the risk of someone sending me pizza or swat teams to my home address...
I see the tech bros finally figured out who they needed to bribe.
Come on, AI needs data, relaxing GDPR brings more data.
The question is what AI will do with these data and whether giving away privacy is good.
There is no transparency or trust and for this reason I want to keep my privacy.
But now, I am robbed of this based on majority votes and not common sense.
Yet again, European countries are showing who their leaders are: US Big Tech
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens
Well, that's a bummer.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
Given that they were largely ignored anyways, who cares? Laws have become almost meaningless, in a world where power lies within companies and not governments or the public, which anyways has been trained to either act against their own interest or disillusioned enough to largely not care.
The only space where there's still laws from people is in the social media world, where the outcome are laws that don't change the life of anything but make you feel good. Eg. minorities, women, etc. still have low income, bad life outlook, etc., but hey now you need to clearly state that the programmer job is also for women and trans people. Assholes can be assholes as long as they use the right pronoun, whole industries thriving on lowering the baseline (delivery, etc.) of what humane treatment at a workplace is celebrate and pinkwashing. Everyone is "happy".
Also on the ecological side. Laws that would change something fail, but everything that can be exploited in terms of taxation passes - seriously look at summaries on voting on directives. It's completely split at this line, and all the "liberals" celebrate how great they are for driving essentially tax funded electric cars.
It's no surprise that companies reacted by making the most obnoxious cookie banners instead of removing the need to have those in the first place (fun fact: you do NOT need those for cookies at all). Whenever you read a "We care about your privacy" that is an outright lie. If they even remotely did there would be no need to have such banners. Even for much of the more shady stuff you don't need to. And still most companies don't even adhere to the GDPR. They just have a meeting to pick some pieces and forget about it.
Democracies sadly have become a real farce. I think the world has over-optimized for it, companies have "min-maxed" for the current set of laws and now well intended laws are effectively meaningless, cause smart people came up with nice hacks to not really have to care about it. It's just like a video game, where people realize that your skill set is nice, but you can just max out DPS and bring along a tank, where you realize that the debuff on your armor doesn't matter if it doesn't hit you and where the penalty on item costs is meaningless because you don't know where to put your money anyways.
And honestly, finding such strategies to optimize for "just not breaking the law" or getting around it entirely is extremely fun, compared to all the boring work at a job.
What people used to call "honest work" just doesn't work outside of very localized and small scale setting, and even there it's hard. To compare with video games again, it's like all the "soloing is possible" and yeah sure, sometimes it works, but if the big guys decide to crush you they will. So best to join up with them which is exactly what is happening.
We also see that in other laws. Monopolies are forbidden? Well either keep at least one competitor alive (iOS vs Android, AMD and Intel, etc.) or make a cartel, even a completely passive one where you just do "market analysis" to have a similar price. If your competitor raises prices, it is your job to adapt your prices to increase profits. If your competitors use cheaper materials, etc. it's the same. You never ever need to interact with your competitors.
Working together in one way or another is what made humans really productive, it works well for companies, yet somehow there is that belief that magically this won't happen and instead it's all fierce competition, which is ridiculous when the biggest threat to large successful companies is literally the market changing. So they just take safe bets and buy all the smaller largely already working products and call it innovation on their side.
It's a good, smart, reasonable strategy. But it's also very obviously not as intended.
The thing is that, big surprise, it's the same for privacy protection laws. Companies don't care about your privacy at all and most people are in fact ordered to store data just to have it. They make sure it's annoying, both to make you accept them and to complain about the law. It's a real farce to think that somehow people, governments, etc. think that companies (at large) are nice and just want you, the world and everyone to be good and happy. It is baffling that people really believe that and somehow always think their favorite brand is magically different, because they met a nice lad working there in marketing.
A mostly philosophical comment:
I would say something like "the issue is that 'people' are underestimating how many ugly characters there are, in the private as well in the corporate spheres" but that doesn't mean much anymore because people adapt against their interest just to display competence. "Ugly business practices" have become the norm.
It even trickled down into culture via funny little behavioral nudges like "nett is das neue Scheisse" (German for something like “Being ‘nice’ is the new way to be awful.” or "Nice is the new toxic." but mostly meant to say "Politeness is the new bullshit."). I'm quite certain it was a clever mid-term Machiavellian marketing play which paved the high speed Autobahn for the Right Wing and faux-cause refugee aid and further downstream also the acceptance of misinformation about the escalated and long ignored civil conflict in Ukraine. But that's a long stretch and beside the point.
Regulations serve to keep the balance. Rules can be broken. Linguistics and just being a horny fucking human create more loopholes and blind spots than anyone can count and this dynamic evolves and becomes more complex.
When it seems like you have to choose between a police state and a state which allows "AI companies to legally use personal data to train AI models", meaning unrestricted, unhinged economical practices that will have it even easier to get into teen heads and all the minds who just don't have the time and energy to evolve after a 9-5 day to raise their kids with abilities to defend against all the ugly bullshit that ugly business practices use to advance their proprietary propaganda(s) while the civil weight that is supposed to balance and positively offset the resulting negatives--the counter-movement, the counter force--is reduced to a motherfucking s k e l e t o n that our current civil society is, which can barely hold its own few pounds, because too many people are busy being more productive and efficient or are numbing their brains with some drugs or meds and doom-scrolling or something with the content-creator economy or something else "with media", meaning when they are literally working for the other side against their own interest because it's cooler, then we all will get both, a police state with a subscription model for tickets out of jail, court as well as an economy that doesn't have to nudge and prime and co-evolve with customers, workers, employees, citizens, people anymore, because the law permits reverse lobotomies, marketing campaigns that create new needs and new desires via straight injection into your brains, including all the good PR that turns the bad PR into nothing but showmastership.
Our intelligence agencies, police and judicial representatives of the people are constantly looking away because citizens don't point the spear at what the tip already knows. Our law and the maintainers of justice should have evolved to investigate way more than they have done and they continue to disappoint.
The people have been misinformed, deceived, nudged, primed, exhausted for decades and with inter-generational effects, where the old don't defend and protect the minds of the young and the young then hijack the minds of the old or tire them out additionally and vice versa. Everybody just thinks or feels and perceives that "this the world", "this is the way" when it's the opposite, the absence of critical thought in your own interest. "They" (whatever that means to you), are selfish against all your interests while selling you their interests and how they want you to be.
Dramatic emphasis: THERE MUST BE BALANCE. And shoving the people back on the right side, not by moving them directly, which would be "fiddling with them" as much as ugly corporate and smaller business people do, but by offsetting and countering, HACKING corporate "dark patterns", ugly business practices (and I don't mean shiny buttons and countdowns), for HACKINGS sake.
If I hadn't been fucking poisoned and spiked god fucking how many times and had my brain been capable of recovering from that shit a bit fucking quicker, I'd be on the fucking frontlines of all that obvious, ridiculous fucking shit. I don't believe so many of you just roll with this shit because you are ok with it. How is all that not exactly the hacking challenge, the systems design challenge you are looking for? So many are doing so much on small scales and with tiny projects. Where the hell is the weight. It has nothing to do with behavioral locks. You can remain in that lock, the world has chosen. BUT THAT IS NOT IT.
There are a lot of you who know and see and who were not poisoned and whose feet were not fucking poured into concrete bullshit and walled in by a jealous wannabe-fathist-coping-with-inferiority-instead-of-actively-evolving-others-to-evolve-their-offspring pthycho-thothial environment ...
"I don't care, I'm just doing my thing, you know ..." (which is not his thing but it got him that marshmallow and there's this thing previous generations, who believe that "history repeats" while the people writing it advance their interests, can't teach you because it's covered in new language, memetics, symbols, which are hidden behind misinformation enough other, slightly younger people are perfectly aware of but keep lying to themselves want their abilities enable them to do, but they are just doing their thing, which is not their thing but it gets them that marshmallow ...) only leads to the propagation of proprietary agendas, the results of which, if not offset properly, will be disliked adequately, way way way too late. I don't know what means exactly, but I know that enough of you have those conversations all the time and a lot of it was spelled out in various books; in fiction, science-fiction and more than enough of it in historical and current non-fiction.
I'm just wondering.
I could have said something about constraints, self-organizing systems and organic emergence of cultural phenomena via the non-linear propagation of imperative regulations between co-evolving colonies that are reaching for a state that maximizes the architectural potential of all areas of civilization for the sake of the minimum amount of conflict necessary to ensure survival and thriving in a changing world, which requires just enough friction and oil to keep the temperature down, but you all know that.
Someone smart, published, internationally recognized, and with humble origins in a current or former war zone, I believe, once noted that the middle class/ middle working class needs be heard so that their perspective can be accounted for when dealing with and for a world--and future, full of uncertainty, colorful swans, emerging and re-emerging constraints, calculated probabilities of instability in the various areas affected by climate change (the fact, not the debate), and so on ... well, above are some bits to start with.
The sentences "What the fuck are you serious? Give my kind time and the peace of mind to raise my children in a way that offsets some of the bullshit systematically taught in schools off-curriculum and they will help you. You need help. This is wrong, pathetic, only funny if you are drunk or drugged and in a particularly sassy mood that makes even the help- and hopeless feel cool and powerful. If we did our jobs like you do yours, everything would burn." kind of sum up some more bits ...
GDPR was never about privacy, but to legitimise data trade. It was a two-step process - first train people to Agree to anything by introducing "harmless" Cookie Law, then once people just click Agree to anything, create legal basis for data trade, where it is no longer a grey area as most users give consent.
With Chat Controls coming back, never assume EU is doing anything for the benefit of general public.
What is particularly bad, is that they are not honest about it, just keep gaslighting.
This is kind of my take.
I can't believe the outcome where most people just click "agree" to explicitly opt in to tracking was some kind of unforeseen mistake.
GDPR doesn't really work as you describe. Under GDPR data is a liability.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the EU courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
> The EU folds under Big Tech’s pressure.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
> due in part to burdensome privacy regulations.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
I think this is a very rosy framing.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
If I sign up your company I can opt into that personalisation at signup time.
You have no business stealing my personal data until we enter an equal agreement.
> If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting
I feel like, there's nothing in my statement you can actually disagree with, so you're just expressing general frustration with the state of the world.
That's fine. You can set up aggressive PII laws, you're a big boy sovereign nation. But then you will not get domestic tech giants. That's not like, my opinion, that is the reality we are in.
I am describing that reality, and that the EU is unhappy with it, and your response is "Here's why we set up laws!". OK. I'm not sure what you are looking for here. We all know how you got here.
This notion that tech companies or even internet companies somehow fundamentally rely on PII is false and just an indicator of how normalized we've let unbounded and needless data collection become.
There are tons of business that can run without collecting any or extremely minimal PII. We already let the big companies take this data unnecessarily, let's not also let them brainwash us all into thinking unfettered surveillance is somehow essential to building a software business.
>acutely feeling the pain of having no big tech companies
That's good, there should be no big tech companies like FAANG at all. These monstrosities wield too much power and need to be brought in line.
The EU is not folding. The article is two facts surrounded by a huge ball of propaganda.
europe got stuck in the old world, they will never have tech companies.
We have plenty of tech companies. The reason you've not heard about them is because most of them cater to their domestic market first. Neighbors second. Rest of the world third or never.
This is criminal.
How so? Like, figuratively, as-in outrageous?
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I assume you mean the AI related stuff?
It was never required to show a pop-up for essential cookies.
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
I used to live and work in EU, get out of EU before it is too late.
like UK, you mean?
boy that did really work out well for them!
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
The UK was known for bureaucracy even before they joined the EU. The idea that the red tape would vanish was always silly.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
Watch out for French government bonds (10yr), France will be the next before 2030.
I did the opposite, I moved to the EU before it is too late.
It's the only power left that stands for rule of law.
Wow. Powerful statement. I suppose other places are probably scaling back GDPR and relaxing AI laws, unlike the glorious EU?
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
Europe learn the hard way that you can't have a cake and eat it too
EU citizens: WE DEMAND XYZ PROTECTIONS
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
Who demanded cookie banners?
Cookie banners are an AI solved problem ... just train on "minimize eyes spying on me"... a business model?
The companies trying to persuade you to click "Accept All".
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.
Ehmmm... If we learnt something in the past century, it is that companies don't have morals because they are not real persons. And even the real persons running them may be legally liable to the shareholders if they act based on their personal morality.
So, yes, the default should be that companies are inherently ill-intentioned to society, because that gets them an unfair advantage and gets more "value to the shareholders".
> The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy.
History tells us they are. Well technically, they are not ill intentioned. They just don't care if they do harm on their search for profit
This is a general approach applied also to the population.
In Europe there is a particular concept of freedom.
Like the old adage goes. In the USA you have freedom for things. In Europe you have freedom from things.
I'm not understanding, as a European who's been part of multiple startups, how that's supposed to boost growth.
There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
In fact the actors that most opposed those laws have always been non Europeans.
Sure, there is an attached cost in having your terms reviewed by a proper lawyer and documenting the entire list of cookie providers, but that's basically where it ends. It's really minimal effort and cost, we're talking in the low single digits for the review, and a few hours of engineering time.
The biggest issues in European growth are others:
- focus on being an export economy while neglecting the internal market.
- bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
- very conservative and risk-averse mentality. Young people in college can't wait to graduate and find the best paying lowest effort stable job. That's not a problem if it involves a majority of graduates, I imagine all world is like that, but you do have an immense problem if you have 1% or 3% or 10% of wannabe entrepreneurs.
I would go farther. Privacy laws seem like an excellent way to tighten the internal European market and develop homegrown competitors, which (one might argue) Europe really needs. If Europe is loosening up those laws, does that help Europe? Or does it help Meta and Google and Microsoft?
Europe has a shitload of homegrown competitors. The problem is that users here in Europe either go for a national service or for a US service. They don't look up what their EU neighbor has to offer. In fact, most don't bother translating their services to appeal to the entire EU market.
If you live in country X, you will only ever learn about services from country X or from the US. No one here knows what goes on in neighboring countries.
It's easy to think the EU is like the USA, but it's not, it is still separate sovereign countries with their own language and culture.
I never really looked at it that way, but I think you're right. Although, non-European-owned companies aren't necessarily incentivized to look towards European companies. Looking towards your European neighbors mostly comes down to logistical situations. In those sectors, multilingual services are more common.
This argument in favor of protectionist industrial policy is almost universally opposed by most modern economists, for a good reason.
Nations don’t outsource critical national security industries even though economists might say that’s more efficient. The question is whether they should outsource critical tech infrastructure to huge quasi-monopolistic US firms that can turn it off or abuse European data at will. I don’t have the answer to that question, but I have to imagine it’s a worthwhile debate. The data we have cuts both ways: China applied protectionist policies to its own Internet companies, and it’s hard to argue that this has been economically devastating for them.
>China applied protectionist policies to its own Internet companies, and it’s hard to argue that this has been economically devastating for them.
China has 1.4 billion people in one country while the combined population of Europe is around half of that, so that's one difference.
But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism. To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
Define "better off". Companies like Meta and Google are enormous behemoths that make their money through advertising. One advantage of their size is that they have lower costs, but a greater advantage is that they have much larger market power: they can purchase competitors and demand higher rents for advertising space. Is society genuinely better off from this kind of concentrated market advantage? One might argue that there are different kinds of 'efficiency' at play here, and not all of them are in society's interest.
> But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism.
I really don't see how Chinese tech companies would have benefited from receiving the diapers.com treatment.
Disagree. China has had incredible benefits from its own social media and commerce platform growth.
Yeah, the US is missing out.
But the US could have benefitted from China's social media and commerce platforms and China could have benefitted from the US's. That's my point.
I am no economist or even that economics-knowledgeable and maybe I'm wrong and maybe China's protectionism is better somehow, but from everything I know or at least from every trope and meme I've ingested, free global commerce eventually leads to better outcomes for all parties.
What would have happened is the US platforms would have moved into China and stifled the competition.
As we can see everywhere else.
This wouldn’t even be good for the US, just good for the shareholders of these companies.
Maybe, maybe not.
China is a decade ahead of the rest of the world in different kind of use cases (think their super apps or payments).
TikTok is the most popular social media app out there, and it's chinese.
They are also tremendously competitive in AI despite all the limitations they encounter.
Honestly I think that the last century should be a clear statement that protectionism, sanctions and closeness is a failure whose bills are paid by tax payers.
We've been bailing out and protecting non competitive industries (which have further incentives *not* to invest due to protectionism they benefit from) for decades.
When Trump 1 put high taxes on dishwashers and house appliances it hasn't really pushed US companies to do better, it just allowed them to raise the prices and do very little.
But the fact that some countries play dirty (see China and their industrial espionage and lack of respect of patents and intellectual property), while others are obsessed with being #1 even if it means pursuing that via bullying methods have pushed us in this very negative scenario I don't see how can we leave us behind unless we get a new generation of brighter leaders.
Sadly, that's not how you win consensus and elections today.
> But, yes, both US and Chinese technology companies would likely be better off than they are now without China's protectionism and authoritarianism.
How would china be better off? All their tech companies would have been bought out by larger foreign tech companies. Kinda like what happened to many european tech companies.
> To the Chinese state, protecting Chinese citizens from harmful things (like knowing full details about atrocities perpetrated by their government, or organizing to criticize the government) outweighs other concerns.
Yeah that's what the chinese state is worried about /s. Not the neverending misinformation, disinformation and propaganda directed against it.. When china does it, it's "authoritarianism". When "the west" does it, it's fighting against misinformation.
While I agree with you 100%, I think most modern economists fail to account for bad actors.
If a situation was "China is producing X and having its taxpayers subsidize cars, steel, etc" then it would be their loss and our advantage. We get great products they get pieces of paper. I couldn't care less.
But considering that the real goal of those bad actors is to annihilate the competition and then pull the rug this is ultimately a bad idea.
Especially when those bad actors, at the same time, do their best at playing dirty and ignoring intellectual property.
I couldn't care less if Europe didn't have a shipping industry, in fact protectionism of it has failed miserably in Europe, and made our yards less, not more competitive. So yes, in that world I agree.
But in a world where an elected (or unelected) government, can suddenly blackmail you or create such an immense strain on your economy (as Russia did with Europe) this is not really like that. And suddenly you realize you should've paid way more, but invested way earlier in diversifying energy-wise.
In an ideal market I'd be 100% with you, in the real world, it's really neither black nor white.
Yes, and the reasons why they do so have little to do with why this law exists.
A law whose purpose is protectionism is bad. It invites stagnation, pointless inefficiency, and retaliation.
A law whose side effect is a bit of protectionism has none of these problems.
Something that is good for a country as a whole isn't necessarily good for the economy. On the flip side, being good for the economy isn't necessarily good for the population of a country.
Which would make sense when everyone is part of open markets.
People are opting for the less efficient options, on purpose now. We live in an era where America is imposing tariffs.
We wouldn't be banning any law abiding company from operating.
Sure but the laws are probably relevant for the startups you _haven’t_ been a part of. The ones that never got started.
It’s funny you mention a lack of entrepreneurial spirit but then dismiss something that’s clearly a factor (not saying it’s the main factor but obviously it has some effect).
I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
Of course it's easier to do a bad job of something or to give up and not do it. That has no bearing on whether or not doing it the right way is actually onerous.
Can you share the projects? In most cases it is very, very easy to comply with the "random laws" (not that GDPR is much different from California's CPRA. Are you blocking Californian users too?)
Sorry, that's nonsense. cpra has a carveout for small businesses. gdpr has your one person company obey the same rules as meta.
This brings up the point that for some reason we're all terrified of the government. Maybe because we see the daily abuse from the USA? But if you accidentally violated the GDPR while in good faith trying to follow it, the most likely outcome is being ordered to fix it.
> I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
GDPR fines scale based on annual turnover so blocking EU users on a non-commercial product is utterly pointless and just being mean.
> bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
I guess you have been part of software startups and you severely underestimate the bureaucracy that is involved in physical companies nowadays. Farmers, fishermen, factory-owners, and other small to medium size companies all have severe difficulties with ever increasing regulations. By itself the regulations are not always bad, but usually it takes way too long to get through the system which makes it hard to compete with, for example, China.
> it hard to compete with, for example, China.
What exactly is Europe competing against China on? Isn't Europe's competition the US?
How am I underestimating it when it's literally in the quote you provided?
Here's my take, as a Romanian developer (since 2004ish).
One day I got a letter from the national authority regarding personal data where I was asked to reply to 15 questions regarding a personal project of mine, invoking the GDPR. The sanction for not complying within 5 days was an incremental fine of 600 euros PER DAY, until I complied. This letter was directed to me as a natural person (not even my company).
Another story: I had a publishing website with some ads on it. The moment full GDPR went into effect, some years ago, revenue instantly dropped by 30% because the cookie banner I was using wasn't part of the approved European framework for cookie banners (they created an entire organization for this, called IAB). Most of the "approved" cookie banners are insanely overengineered nonsense and almost all of them cost a lot of money. And they kill your performance metrics. And when I finally gave in and implemented one of those, revenues dropped even more because I was losing readers who just quit without consenting at all.
Third and final anecdote: at one point I was contracted by a Romanian DTH television company who mostly operated with prepaid customers. According to GDPR, they were supposed to anonymize data they no longer needed, but because their clients were seasonal or less predictable, that turned out to be ridiculously hard. Their legal department, together with external contractors such as us ended up spending months to adjust their systems to conform to GDPR, and the result was their losing business and time, while being unable to properly serve older customers because they could no longer identify them.
So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit. On the contrary, the large companies could afford the legal counseling that they needed, but the smaller ones were hit hardest.
Did you consider running non-tracking ads? Of course not because even after the 30% drop, the spyware still pays more, right? But destroying websites with spyware is literally what the law is for - the people have voted to nuke your website from orbit.
IMO the biggest barrier is internal mobility. The European silicon valley never happened, because people don't want to move around. The biggest single barrier is language. I'm Irish, and young Irish people often emigrate (way more than in other countries). When I look at where my college classmates ended up, it's mostly America or the UK. We also emigrate a lot to Australia and New Zealand. In other words, we only really emigrate to English speaking countries.
Almost nobody goes to France, Germany, Spain, Italy, etc. The mainstays of the European economy. Let alone central or eastern Europe. But if you're a young talented engineer in the middle of nowhere USA, you can just easily move to the bay area without any issue. That cultural unity IMO is America's biggest strength, and the lack of it is Europe's biggest weakness.
Note: I've lived in Ireland, the Czech Republic, and France, so I know first hand how hard it is to move inside Europe, and I understand why people don't do it.
I think (I'm an American so take with a grain of salt) even the "proper lawyer reviewing terms" part can be deferred quite a while by being conservative with PII (which you should be doing anyway) and using a service like iubenda to deal with terms and cookie warnings when you first start out.
> In fact the actors that most opposed those laws have always been non Europeans.
This decision is in response to lobbying from these actors (and their new friend in the white house). It is not supposed to benefit you.
> an European
European starts with a vowel in spelling, but actually phonetically begins with a consonant, /j/, so it doesn't trigger the "an" thing.
Similarly some spellings start with a consonant but have vowels (like acronyms, "an SSRI", the name of the letter S, "ess", begins with a vowel)
More to the point I agree with what you're saying. This seems like lazy attribution of cause that is so common in American business and politics. "Of course deregulation will boost growth!" Why? Because of religious beliefs about deregulation boosting growth.
> European starts with a vowel in spelling, but actually phonetically begins with a consonant
Ah makes sense.
In my head it's never "you"ropean, but "ew" uropean as I'm not a native English speaker and phonetically it's a consonant in English only. In Greek, Slavic languages, German or Latin-derived it's always "ew".
That's pretty cool. I'm from the Southeast US (redneck), and it sounds like "Yur-uh-pee-in"
Really depends on where you're from.
OP already mentioned in his area it's phonetically mostly "ew".
I'd say a lot of Germanic areas also do something I'd describe as "oi". That'd also make one inclined to use an "an" when speaking.
I speak other languages where it starts with an E sound. But I'm not aware of any native English speaking place where it doesn't have /j/ in English.
Maybe they say it as an "ew" diphthong instead? As an ESL, that makes sense to me.
The biggest hurdle Europe has to face is the cultural shift away from the post-soviet era of "Don't take work too seriously, enjoy life".
There is now a full generation of Europeans who grew up in with this mentality, looking down on Americans for their ridiculous work ethic and comparatively meager benefits.
But it's not sustainable, and the strain is already becoming obvious. Young Europeans will have to work longer and harder for less if they want to move Europe away from being totally dependent on American tech, American defense, and Chinese wares.
The data [0] begs to differ: in richer countries workers work fewer hours. The gap not shown here is working hours per capita (instead of worker), but I couldn’t find that data quickly.
Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
[0] https://ourworldindata.org/rich-poor-working-hours
I think your data agrees with OP, you're just misunderstanding it. Yes, richer countries work few hours and richer countries also see modest GDP growth.
Cambodia's GDP growth is over +5% YoY, whereas Switzerland (and the rest of Europe) has more modest GDP growth.
There is some "Work smart, not hard." facet to this, which requires an educated population.
The other facet is developing countries exist in climates heavily impacted by global warming (look at flooding in VN or TH this year). They make 2 steps forward, and then 3 steps back when a monsoon takes out an entire town.
> Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
Personally, employment makes my life interesting and rewarding. I love the puzzles (and compensation) that my employer provides. The rewards compound, but in career development and via investing the profits.
Unfortunately, I think the one area that isn't accounted for is child care. Societies (rich and poor) continue to extract time away from parenting, via cost of housing near job centers and dual-income families. Offering an extra month of vacation or 4-day work week isn't the same as 1 income household or the parents living 15 minutes from their job.
> richer countries also see modest GDP growth.
This is a natural consequence of being an industrially advanced country though.
A lot of GDP growth can come from establishing basic services like a functioning healthcare system, insurance apparatus and financial system. Of course, we can't building out infrastructure like roads, power, etc.
Especially construction can lead to substantial GDP growth, but once you have a basic set of infrastructure and housing in place, growth is much slower and consistent for very obvious reasons.
Once you have that stuff in place, getting consistent growth requires more advanced stuff.
The US is very much an outlier and attributing that solely to a difference in work ethic is ignorant at best.
>The US is very much an outlier and attributing that solely to a difference in work ethic is ignorant at best.
Right, Europe also has a suffocating business environment which is the primary driver.
> This is a natural consequence of being an industrially advanced country though.
Ok, but then compare the GDP of the USA vs Europe as millennials enter the workforce. Entering the 2008 crisis, USA and Europe were neck and neck. Now, the USA has left Europe in the dust.
Declaring the US an outlier seems like an odd choice... What country should you compare Europe to?
Why do we use GDP though? On average quality of life, Europe left the USA in the dust. GDP just measures how expensive everything is. More expensive things is bad.
GDP is a measure of productivity, which is (normally) corrected for inflation.
The point you are making is exactly the reason why this problem is so existential for Europe. QoL is good, so nobody wants to change anything, or feels the need to.
But structurally, Europe is not sound and European leaders know it (Just look at the surge in rhetoric about Euro independence). Do you know the story of the ant and the grasshopper?[1] Europe is in a 50 year long post soviet era summer. Most young (and now even middle aged!) Europeans only know summer, so it's going to be incredibly difficult to get them to collect food for this mythical thing called "winter".
[1] https://en.wikipedia.org/wiki/The_Ant_and_the_Grasshopper
Can you provide convincing evidence that this is the case? What is the winter that is coming? And that your proposal will prevent it? And what exactly is your proposal anyway?
North Koreans think the outside world is going to collapse because they aren't doing what North Koreans are doing, but it's all just propaganda. You need to distinguish what you say from this.
The surge in anti-EU rhetoric seems to be mostly coming from US propaganda bleeding over, and is still a minority.
People have been predicting the immediate collapse of Europe and the immediate collapse of the USA for decades.
Nobody on the ground, who actually buys groceries, trusts official inflation numbers. How much apparent GDP growth is actually just unreported inflation? I saw some food getting 50-100% more expensive over the last 5 years, which is 10% per year. What was GDP growth? Less than 10%...
Many topics condensed into a single comment to conserve rate limit.
> This is a natural consequence of being an industrially advanced country though.
E.g. emerging markets tend to outperform advanced ones, because they have more room to grow.
If you think the US stock market has done well in the last few decades, wait till you see India or Peru.
Joining the rat race isn't worth it, in the near-term, which is why the threat is existential. Europe has been sleeping on its laurels for 30 years now, and the signs are clear; borderline stagnating economies, low working hours, generous benefits, and most importantly still relying on the exact same industries as 30 years ago. Europe totally missed out on the tech boom, and is now also missing out on the AI boom. And Europeans' response has largely been "What's the issue, we can just buy it from the Americans/Chinese?".
Russia invading Ukraine, and the US providing the majority of the weapons and cash to stave off Putin should have been a gut-punch wake up call that Europe is in an extremely vulnerable position, and needs to get to work building their own modern tech, their own defense, and their own industry.
Failure to do those things will lead to Europe balkanizing as the economic situation gets worse under the weight of an aging population and shrinking economic output. Young Europeans think they cracked the code of comfortable living, but really they are just in a post-cold war golden period. Very similar to the post-WWII era American baby boomers enjoyed (except they had lots of children).
https://en.wikipedia.org/wiki/List_of_countries_by_average_a...
Look at the bottom of the list and then go look at their growth.
> Look at the bottom
Also look at the top ;)
> Russia invading Ukraine, and the US providing the majority of the weapons and cash
That's beyond false, US provided little non-military help, the money mostly stayed in US and went to US contractors.
I don't need to tell you that those figures are also insanely inflated by crazy costs.
Zelensky himself has stated that he proposed multiple times to, e.g., send its navy to US ports to take the weapons so US taxpayers wouldn't have to bear the costs, but instead tens of billions went into that expense. Why? Because US support to Ukraine is a welfare machine for US contractors.
In total EU has provided around 3 times more between military and non-military.
https://www.kielinstitut.de/publications/ukraine-support-tra...
IMHO, the US and China’s hurry to expand into every possible corner is unsustainable. Unless we are actually trying to get ready to face an extraterrestrial threat, our endless effort to maximize our tech and become more and more efficient and profitable is unneeded and puts too much stress on earthlings, which is definitely not sustainable. Do you really believe that when we are able to pass production of almost anything to AI and robots and give generous UBI to each and every person, they will be happy and satisfied? It is a dead end, a loss of meaning that we are racing to reach ASAP.
Population collapse cannot be a good enough reason, either. Older people won't be happier if their servants are robots instead of climate migrants.
The standard of living in China is bad for most people. IMHO, they need to expand in order to provide the same lifestyle as offered in the USA.
This has the energy of "Why are we building rockets to the moon, when there are homeless people in San Francisco?"-vibes.
> give generous UBI to each and every person
Have you seen the movie WALL-E? I don't think society should strive to outsource all labor to AI and robots, nor is that the final end-state of building robots and AI.
Maybe so. In the meantime, Europe will continue to fall behind economically.
We could just, like, not give billionaires so much money, and there will be more left for everyone else.
Yeah, if we want to be the world superpower we have to work really hard. But we definitely won't get any of the benefits of being the world superpower - just like Americans don't already - all of it accrues to billionaires. And it'll make the rent really high. So why should we want that? Of course, we don't want anyone else to be a world superpower either, because kings/dictators/emperors are bad.
I know a friend who was building his first website. He asked in our startup group how to handle the GDPR cookie banner, and he likely wasted 1 day on that, when he had invested maybe a whole other day on the project. At that moment in time the GDPR cookie banner amounted to 50% of the effort. It killed momentum, it killed willpower with bureaucracy. He should have asked himself how to get users, not how to comply with GDPR for a website that in that moment had 0 users.
It's pure ideology that "cutting red tape" will lead to growth. Unfortunately I don't think there's much to understand, perhaps beyond the US giving the EU some kind of kickback for complying.
The Elysium-Cloud needs your data
I agree with you partially.
My hot take is that this is a signal for Trump. We play nice with you, you play nice with us.
Big tech is well connected to the current US administration so if the EU were to make these changes, then they will appease big tech (a little bit) and therefore by extension Trump.
I (like you) don't think that these regulations are the reason the EU doesn't have home grown hyper-scalers a la AWS or GCP or Azure.
I think the EU just fell asleep at the wheel for too long. It basically outsourced its defense to NATO, its tech needs to the US and its manufacturing to China and for a while it worked perfectly.
However the world is changing and the EU is simply in my opinion not up to the task. It's too slow, bureaucratic and messy to be able to adapt rapidly and it lacks the vision necessary to remedy its weaknesses.
Few things.
1. We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
2. Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
3. I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters:
https://transparency-register.europa.eu/search-register-or-u...
I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
4. EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
5. There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
Are you sure you meant to respond to me? I agreed with you on most of what you said regarding the regulations but just in case let me respond to your points:
> We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
Is that a counterpoint to my NATO comment? If so I agree, I think that the EU countries should exit NATO and form their own military alliance. However it is very clear that investing in military capabilities is not the priority of the EU countries as only a few of them managed to spend the required amount each year as per the NATO treaties. Most likely such alliance will be dead in the water.
> Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
Again I agree with you. I think that the US has caused much suffering by invading Iraq and Afghanistan and then Libya (with the help of other countries), thereby causing the refugee crisis and then leaving the EU countries alone to deal with this problem.
> I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters: https://transparency-register.europa.eu/search-register-or-u... I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
She was not elected to be a good politician.
She was a terrible politician in her home country. There was nothing to expect from her at any level and so far she has not disappointed. Her secret deal with Pfizer and her missing text messages are just the tip of the iceberg.
> EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
That is never going to be the case because all EU countries want different things and for very good reasons. They have different needs and different economies.
So the German government will keep selling out its EU "partners" as long as they can keep selling cars in the US. France or Italy would have done the same.
> There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
I disagree with you on Macron. Macron has no vision besides a "more" federal Europe. The details are not very clear and his policies are constantly changing depending on his approval level in the polls. His promise when he was elected was to put the far right out of business by the end of his presidency, the reality however is that the far right is now the biggest party in France and is in a very strong position to win the 2027 election.
> That is never going to be the case because all EU countries want different things and for very good reasons. They have different needs and different economies.
That's quite a weak argument, every state or county in the US has conflicting interests too. But there have to be defined boundaries in what is the business of EU and what is the business of single states.
I would say that matters like digital data privacy should have one common policy, not 20+ agencies.
> Btw, this is why the US alone has a larger economy than your entire geographic region combined.
And all of it is due to massively overvalued companies in California.
But where would you rather be an average Joe?
Your health outcomes alone are better in the EU.
I think we all agree that looking at GDP figures needs to be supplemented with wealth distribution data.
>But where would you rather be an average Joe?
In the US. By far!
And migration data backs it up.
>There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
That's kind of the point...
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
I strongly agree with this position. This is basically the foundation of Control Theory!
https://en.wikipedia.org/wiki/Control_theory
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
> This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
I think the problem here is more that _some_ people want the heater to be on and _other_ people want the heater to be off.
And when it comes to privacy, consumer advocate types and privacy wonks (I include myself in this group) want the heater to be on, and technology companies and advertising companies and all of their hangers-on want the heater to be off.
One group has a lot more money, power, and influence than the other.
And, at least in your example, sometimes you need both at the same time!
Reminds me of the book Thinking in Systems.
Thanks for the link.
It is the perfect and correct antidote to any slippery slope argument. If the consequences of the law turns out to be as bad as you say they will be then we adjust the law.
Nothing is more permanent in politics than a temporary solution. As a Norwegian, for example, I am still paying a temporary 25% on all spending that was enacted as a "temporary" measure over 100 years ago.
Control Theory does not work (in general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviously works, but for it to be a good solution in some political context you must additionally prove the existence of some Nash equilibrium where it is being correctly applied.
Edit: See https://www.youtube.com/watch?v=rStL7niR7gs (CGP Grey - Why Do All Governments Work the Same Way?)
As a counterpoint to the selectorate theory, see Thorsen's PhD dissertation, "Only In It for Power and Wealth?", https://politica.dk/fileadmin/politica/Dokumenter/Afhandling...
The thesis argues that dictators regularly both harm groups clearly inside the winning coalition, and please groups clearly outside of it. A common, but not the only reason, is ideology.
One has to be careful when using game-theory models on messy human entities. Sometimes it works, sometimes it doesn't, and it's hard to determine just at what point the model breaks down. At least without empirical research.
(Another example is that actual negotiation outcomes rarely end up at the minimax or Nash product equilibria that game theory sequential negotiation concepts would suggest.)
> they will be then we adjust the law.
Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.
Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.
“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”
“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.
Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
> Bizarrely horrible approach
I very heavily disagree here, we aren't doing as much of this as we should be.
Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.
Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.
In the same post you are arguing for and against "slippery slope".
Either it is possible to easily change the law to make it worse ("slippery slope" is a valid objection) or changing the law is "much harder than doing nothing" ("slippery slope" is a fallacy).
>Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.
And the snowball effect continues. Governments are only increasing their grip on power (looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014-2019, that ship has long sailed.
The libertarian approach to COVID would be that infecting someone is assault and you are justified in shooting someone who is trying to do that.
> If the consequences of the law turns out to be as bad
This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.
The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.
Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.
So, you do think “useCase.regulation” being a single dial. It’s a pretty reductive framework. I have an easier framework where in 90% of cases current law was already good enough and we don’t need to tweak that dial
The road to hell is paved with “good enough”.
Is the road to nowhere paved with "perfect"?
Perhaps not when it comes to matters like these.
It's a funny thing to say because the popular saying you're modifying says the exact opposite.
In practice, “good enough” is rarely actually good enough.
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
Not only in the executive/enforcement, but in the actual impact of the regulation in practice as applied by millions in a distributed system. Regulations influence decision paths as opposed to encoding deterministic code paths.
The worst possibility is selective enforcement.
There's a reason we call them judges. Selective enforcement is there for a reason. Lawmakers can't anticipate everything. Just look at how bad of an idea zero tolerance policies in schools have been with things like getting expelled for biting a sandwich into the shape of a gun.
The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.
The reason that selective enforcement exists is that it is very hard to avoid having rules selectively enforced.
But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.
For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.
You’re arguing that the mass incarceration of more people would have been better?
Yes, I would argue that it would be better for more to have been incarcerated, for that would bring greater focus to injustice and the law would be changed. Selective enforcement interferes with the feedback mechanism that would otherwise make the law work better.
If a law were to mass incarcerate people from affluent white neighborhoods it would be quickly repealed
Actually it would have never been passed. Nixon started it as a way to put blacks in their place.
Any instance of selective enforcement being necessary is ipso facto evidence of a bad law. This is completely orthogonal to the matter of the world not being black and white - you're right, it's not, but a good law recognizes that fact, and laws can also be amended as needed.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
By that measure every law is a bad law.
Legislation is much worse than organically derived common law, for the common law comprises decisions that apply to particular conditions with all their details while the former are mere idealizations.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.
If the law is code, then law enforcement is a JITter
(joke)
Optimised compiler makes sense though.
Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).
A jitter is like a lawyer on retainer. Law enforcement is more like the OS that segfaults you when you fail to follow the lawyers advice.
Law enforcement is more like a toddler holding a glass of water over your CPU and saying "stop transistoring!"
The problem with laws that both the enforcer and the subject (enforcee?) agree are bad, is that enforcement is variable. And that leads to corruption. Every damn time.
The fix for corruption is vote the bums out of office. It is not to go whole hog into blind application of the law.
Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.
And now you want to rigidly apply your operators to this parameter space?
Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.
It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."
> The fix for corruption is vote the bums out of office.
That doesn’t seem to be working.
I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.
Come out of government better off than when you went in. Fine, good on ya. No need to tell us about how you’re going about it while you’re going about it.
Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.
Bad law enforced perfectly is also undesirable.
I'm not convinced. Perfect enforcement would be a great signal exposing bad law much more clearly, so it can be rewritten/scrapped.
Until a bad law takes your friends and family out of the gene pool.
Sure, but what about those who got hit by that bad law in the meantime?
Usually laws are created because of the people being harmed because the law doesn't exist. So it could go either way.
And lines of code is like the mass of an airplane.
Just put all code on one line then. Statements (or tokens) is what matters.
In general you want as few as possible of both.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
this is wrong for the same reason using single letter variable names to keep things concise is usually wrong.
i’d rather something a bit more verbose and clear than cryptic and confusing. there are many actors in the world with different brains.
that's right. This is the reason all my code looks like an entry to PerlGolf. /s
The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"
Simplicity is a laudable goal, but it's not always the one thing to optimize for.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes require us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for its hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in its own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
As soon as you start developing web sites/applications, you are entering distributed systems.
> code and computer systems are inseparable and the most straightforward and simple code is code that leverages and makes sense for its hardware
You're missing the point. Code is separable from hardware per se, even if practically they typically co-occur and practical concerns about the latter leak into the former. The hardware is in the service of our code, not our code in service of the hardware. Targeting hardware is not, in fact, the most straightforward option, because you're destroying portability and obscuring the code's meaning with tangential architectural minutiae and concerns that are distracting.
> you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware
You're mischaracterizing my claim. I didn't say hardware doesn't matter. Tools matter - and their particular limitations are sometimes felt by devs acutely - but they're not the primary focus.
My claim was that code is PRIMARILY for human consumption, and it is. It is written to be read by a person first and foremost. Unreadable, but functioning code is worthless. Otherwise, why have programming languages at all? Even C is preposterously high-level if code isn't for human consumption. Heck, even assembly semantics is full of concepts that have no objective reality in the hardware, or concepts with no direct counterpart in hardware. Hardware concerns only enter the picture secondarily, because the code must be run on it. Hardware concerns are a practical concession to the instrument.
So, in practice, you may need to be concerned with the performance/memory characteristics of your compiled code on a particular architecture (which is actually knowledge of the compiler and how well it targets the hardware in question with respect to your implementation). Compilers generally outperform human optimizations, of course, and at best, you will only be using a general knowledge of your architecture when deciding how to structure your implementation. And you will be doing this indirectly via the operational semantics of the language you're using, as that is as much control as you will have over how the hardware is used in that language.
> Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
In principle, you can write your code as a monolith, and your language's compiler can handle the details of distributing computation. This is up to the language's semantics. Think of Erlang for inspiration.
> People keep building distributed systems because they don't understand, and don't want to understand, hardware.
Unless you're talking about people who misuse "Big Data" tech when all they need is a reasonably fast bash script, that's not why good developers build distributed systems. Even then, it's not some special ignorance of hardware that leads to use of distributed systems when they're not necessary, but some kind of ignorance of their complexity and an ignorance of the domain the dev is operating in and whether it benefits from a distributed design.
> But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
This is neither here nor there. Not only are "network calls" and "caching" and so on abstractions, they're not hardware concerns. Hardware allows us to simulate these abstractions, but whatever limits the hardware imposes are - you guessed it - reflected in the abstractions of your language and your libraries. And more importantly, none of this has any relevance to my claim.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
`inline` in C has very little to do with inlining these days. You most certainly don't need to actually use it to have functions in the same translation units inlined, and LTO will inline across units as well. The heuristics for either generally don't care if the function is marked as `inline` or not, only how complex it is. If you actually want to reliably control inlining, you use stuff like `__forceinline` or `[[gnu::always_inline]]`.
Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.
Modern cpus are optimized for calling functions. Spaghetti code with gotos is actually slower.
One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.
But how do you actually do that?
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
I’m not saying the following regarding Draghi’s report or particular regulation in mind:
If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?
That depends, are the people who are negatively impacted aware, and able to do anything about it?
There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.
Even if I were emperor and believed these businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.
In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.
⁰ https://en.wikipedia.org/wiki/Parable_of_the_broken_window
Pay day loans are generally good _for the borrower_ - they aren't just window breaking. The consequences of missing an important payment can be way worse than the high interest on the pay day loan, e.g. if you don't pay for a course in time, they disenroll you and you no longer get to take the course; if you don't pay rent in time, you might get eviction proceedings filed against you; if you don't pay for your car repairs the garage will not return your car and you will lose time every day taking public transport.
I won't argue that the availability of payday loans (or any other product) is a net positive for the rational consumer. I'd still be willing to bet that (ceteris paribus) a society like the ones we live in is better off without them than with.
(Coda: You might say that's impossible, and local loan sharks will spring up to meet the need. That's probably true, but at least those guys merely break your legs, rather than advertising incessantly on daytime tv.)
If the net social cost is less than the cost from overregulation, yes
Lmao you can’t be serious. This is something that can only be said if you can’t/won’t quantify social cost.
Deregulated gambling has had a horrible impact on individuals. Repealing Glass-Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.
>Deregulated gambling has had a horrible impact on individuals.
Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI (hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.
So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.
ML and other automated systems are not new, and we know enough about automated systems to come up with regulations like "no, you should not use these in a certain set of specific circumstances" or "if you're unleashing this onto the world, you have to show that you understand what you're doing" etc.
>ML and other automated systems are not new
Let's not be overly pedantic and overly pious on petty semantics like that. It was clear from my original comment, the context of what I was talking about.
Even for LLMs the same thinking applies.
E.g. "if a decision cannot be explained by a human, it should not be done by a machine" applies to them, too.
Basically, if you read the EU AI Act for example, it's hard to find anything you'd disagree with regardless of whether it's about ML, LLMs or three if statements in a trench coat.
Of course the industry is up in arms about it (just like GDPR)
> Gig economy businesses are exploiting workers
Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
> insane monopolistic pricing and practices in the US in eg the telecom industry
It's actually regulations deterring competition in telecom that are responsible for those practices.
It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
> too little environmental regulation
In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.
> Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.
> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.
> In China. You forgot "in China". … Good luck promoting environmental regulation there.
Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯
I’m not blind to the existence of plain bad regulation, regulatory barriers and capture — but the overwhelming majority of these arguments have just been used to make regular people’s lives worse.
“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.
As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.
> Over-regulation being what
One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.
Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.
> Bell system
Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made it illegal to connect a 3rd party telephone to Bell's network!
Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulation incumbents lobby for is meant to deter competition.
> Cheap housing isn’t being built in the UK
I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...
It's not just China. It's everybody.
The logical extreme there is legalizing murder for hire, human trafficking, and a bunch of other crazy stuff.
Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.
That's a straight up slippery slope logical fallacy.
That's technically true, but I was using it to prove my point that there's more to think about than company profits.
Maybe I should have used dumping waste in a river and paying workers below minimum wage as examples. Profits could go up, but most people would agree it should still be illegal.
We’ve had “legitimate” for-profit firms supplying authoritarian governments with phone malware that they allegedly used to spy on and sometimes murder their dissidents. The slippery slope isn’t a fallacy, we’ve seen what happens if it isn’t guarded.
>latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course.
Normally I'm against overregulation, but when it comes to privacy more fines for big corp are needed if ANY violation is found. Rather NOT have AI than compromise on privacy.
"I'm against overregulation, but when it comes to privacy"
Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.
Are you sure someone knowing your address is that bad?
How about "we store your precise geolocation with all associated device ids, travel and purchasing habits across all areas of your life for a decade and sell it/share it with thousands of other entities"? https://x.com/dmitriid/status/1817122117093056541
It's no longer just "your home address".
Interesting that you have privacy so high on your list of priorities. The general public usually considers other small things like "cost" and "convenience" when thinking about privacy.
Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.
But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.
Define "small amount of privacy". Is this a small amount: https://news.ycombinator.com/item?id=45992452?
BTW, when presented with clear non-dark-pattern choice 96% of people opt-out of "losing a little privacy": https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...
> Define "small amount of privacy".
There is no universal measure for that, only each individual can answer the question for herself. GDPR is robbing people of that chance though.
> Is this a small amount
For me, yes. I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
> 96% of people opt-out
I bet they would choose very differently when the alternative is to pay or stop using the product. Just look how many people use privacy-destroying fidelity cards in supermarkets for some measly discounts.
> GDPR is robbing people of that chance though
How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".
> I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.
There's a difference between "one company" and "thousands of companies". And yes, there's an expectation that the company doesn't sell that location data which even in the US results in lawsuits: https://www.reuters.com/legal/litigation/us-court-upholds-ve...
> I bet they would choose very differently when the alternative is to pay or stop using the product.
False dichotomy. You don't need 24/7 surveillance to show ads or monetise products.
> How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".
Patently untrue. Under GDPR you are not allowed to withhold your services from users refusing to give you "their" data. Their opt-out costs them nothing.
Nope.
This is what you pretend to care about: "There is no universal measure for [what small amount of privacy constitutes], only each individual can answer the question for herself."
What you actually want (and what actually happens): "users are given no privacy whatsoever and every single scrap of user data has to be siphoned off and sold to the highest bidder, and the false alternative should be for users to pay to preserve their privacy". That is basically what Facebook is arguing.
So. First you define what "small amount of privacy" is, and put a price on that. And then present users with a choice. Or skip the pretence.
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a 45% tariff on manufactured goods and a 110% tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Source: https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-...
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a Chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
> Businesses have absolutely zero incentive to say that regulations are not bad.
Your overall point is solid, but I'd like to add what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.
Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitive advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/
The number of regulations is not as important as the quality of those regulations.
Shame we can’t regulate the quality of regulations.
The US actually has done this very thing since Reagan: https://ballotpedia.org/Presidential_Executive_Order_12291_(...
That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.
It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.
Right, but that's a follow on to regulations about increased rear and side sill heights for occupant protection, and that's a follow on from increased vehicle sizes, and that's a follow on from commercial vehicles being sold to the general public instead of regular passenger vehicles due to tax breaks, etc.
That's actually pretty cool.
I was somewhat disappointed, however, to see that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
> Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?
There's no reason to expect the warm clothes to be made in the north and the cool clothes to be made in the south.
At scale, no. But when very small there is a reason that people from Norway made rain jackets, and the brand cachet follows that too.
European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.
Languages are the biggest trade barrier in the EU.
Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.
I don't mean to refute your experience, but I am surprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean?
⁰ EU procedure means there are some notable absences in the list, but it's pretty comprehensive once you include citizens' second languages. See https://european-union.europa.eu/principles-countries-histor...
> Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.
Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) mean that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.
A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.
Ah, you're absolutely right. Only when reading your comment did I realise that I'll often go to the UK for some human-mediated service I need in English.
(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)
> go to the UK for some human-mediated service I need in English.
Come to Ireland, we have Guinness!
Murphy's is clearly superior
I mean, clearly Beamish is actually superior (mind you, I'm from Cork so I'm legally required to make this distinction ;) ).
Dowtcha biy!
Seems pretty real. E.g. CRA official impact assessment estimates one-time (in addition to ongoing costs) compliance cost at €500K per one product. That is enough for 10 man years per product.
And that is just one of many new regulations.
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
should you filter out the covid era from that?
costs have gotten higher, but across the board for different countries
Ok let’s take this at face value. Not being able to use child labor is a 40%+ tariff.
What have we gained by framing it as such other than an extremely biased take pro unregulated business?
Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are built in less-regulated territories (USA and China to be specific).
> We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Oh no. How are you going to build your new ChatGPT wrapper without selling user data to thousands of "privacy-preserving partners"?
GDPR (and a very small number of other applicable regulations) are somewhere between place 1000 and 1500 of things that hinder startups. And unless you are a complete moron those regulations will maybe apply to you when you reach 10 million+ users.
> GDPR [...] somewhere between place 1000 and 1500 of things that hinder startups.
No. GDPR was presented as a company ending regulation. You make a mistake - you are doomed. The fines are in revenue percentages. User data was said to be "toxic". You touch it, you better know what you are doing or else.
This kind of regulation has a strong chilling effect on the budding founder. Countless web-startups were never created because the most common monetization model (ads) became basically illegal (for European startups only, US/Chinese competitors kept enjoying full freedom).
> and a very small number of other applicable regulations
But it's not a small number. And regulations have a cumulative effect. See, startups are like distance running. You know it's a hard thing, but you believe you can try to do it. But then regulations are like potholes. You run around a few, but the more potholes to avoid the harder the run, until your main job turns from running to avoiding potholes. Then you simply say "why bother" and give up.
The more regulations you have, the more obstacles you put in front of startups, the fewer young people choose the entrepreneur path and decide to just get some bureaucratic job instead.
This is the tragedy we are living in the EU right now, in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
> No. GDPR was presented as a company ending regulation.
Bullshit
> You make a mistake - you are doomed. The fines are in revenue percentages.
Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations without telling me
> This kind of regulation has a strong chilling effect on the budding founder.
A moron who gets their advice from ads industry, sensationalist headlines and HN? Perhaps.
> But it's not a small number.
It is.
> The more regulations you have, the more obstacles you put in front of startups
GDPR is not an obstacle. It quite literally is "do not scrape user data and sell it to third parties without user consent".
> in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
Yeah, "entrepreneurs" complain about a lot, and then make a surprised pikachu face when they are told in no uncertain terms that no, sending precise geolocation data to third parties to store for 12 years is not okay: https://x.com/dmitriid/status/1817122117093056541
> Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations
As a matter of fact, I am the founder&owner of a small ISV (nothing ad, privacy, crypto or AI-related) in the Eastern EU. Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
How about you?
(long time no reply due to hitting HN's rate limit)
> Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
Strange that you then spew absolute bullshit about GDPR.
> How about you?
I've worked in large multinational corporations (banking, streaming) that were "hit" with GDPR and spent several years making sure they are compliant. Not because GDPR is bad, but because no one really cared about the data collected, and where it ended up. [1]
Startups had it and have it easy since they can just not siphon all the data. Especially now, when you have all the tools to handle data properly. Hell, a decade ago you couldn't even get privacy-preserving analytics. Now you're drowning in them.
We're also preparing to launch a few (admittedly small scale) projects with friends, and what do you know? GDPR is the absolute last thing that even bothers us. You know why? We know what data to collect and for how long to store it, and we're not sending that data to thousands of "privacy-preserving partners".
"Company-destroying fines" boogeyman or whatever other "chilling effect" bullshit belongs in the mind of children and morons. Hell, I've seen banking regulators come, list issues, and give a deadline to fix them. Much less GDPR.
[1] That's not entirely true. Payment and payment-adjacent regulations are significantly more stringent than GDPR, so everything related to that was and is extremely serious. As anything related to things like "data of persons under state protection". It's never black and white.
However, in big companies, especially at the time, you would eventually end up with a lot of data duplicated across many systems, often barely connected. 10 years ago cleaning up that mess required companies to reverse engineer and document 10-15 years of bad/hasty/ad hoc decisions and assumptions. Surprisingly often that resulted in just retiring certain internal microservices wholesale (they just were no longer needed) and/or significantly reducing bandwidth and storage requirements in certain cases (because you no longer carry and store heavy duplicate objects around).
So the main opposition to GDPR came not from "poor chilled startups", but from companies like Facebook and Google who rely on 24/7 surveillance exclusively, ad industry, and large corporations who didn't want to deal with cleaning up internal messes.
When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
Based take. It is rarely black and white when it comes to social-technical challenges like this.
The challenge with regulation is that it's the result of those in charge of a power imbalance being able to decide what is "good" or "bad."
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
I agree
People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:
Bureaucracy is how it works
That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.
Of course the meaning drifted with the times, but it still means that
First definition here https://dictionary.cambridge.org/dictionary/english/bureaucr...
[flagged]
Stuff like e.g. ChatControl is also regulations, so no, it doesn't follow at all. If in practice the people doing the regulating don't have your interests in mind, more regulations is indeed bad.
I didn't say
"it's a regulation therefore it's good"
I said
"saying 'it's regulation therefore it's bad' is something bootlickers do"
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
> Unfortunately politics has become the religion of modernity.
religion was classically politics. Moses's tablets were Law. the circle of life.
Because both are trying to create a better society. One by internal, the other one by external motivation.
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
Hear hear.
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think there's a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
Here's the full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
> 87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
That's some serious speed reading! :-)
20 minutes to “read” 87 dense pages of legalese? Perhaps you meant to say “skim over.”
Perhaps they meant 200 minutes.
Or perhaps they also never read the law they are chiding others for not reading.
Try reading it, it's like 10 sentences per page and plain language.
What is the point of lying about this? Anyone can open up the PDF and see this is an untrue statement.
The text is 56k words, novella length but dry and tedious. This is hours of reading.
I’m not saying it’s unreasonable to read this document if your work involves GDPR compliance. But this is not a quick or easy read.
Maybe I have an advantage because I am natively English and learned to read at a young age, idk.
I’m not lying, why would I provide the source if I was?
It is an outright lie that there are “10 sentences per page”. You can open the PDF and see that this is not even a little bit correct. 10 sentences per page would maybe be appropriate for an Early Reader book. It’s certainly not what we have here.
You also didn’t read 56k words in 20 minutes. This is nonsense, at 46 words per second.
Maybe “statements” is better than “sentences”, but I meant what I meant..
and yes it took 20 minutes, it’s not the dense legalese you’re implying.
it’s just not. unless the dense one here is not the text.
https://imgur.com/D19T8zD
I could suspend my disbelief for a moment and imagine that you are capable of reading 46 words per second. Sure. You happen to read about 10x faster than the average person at 250-300 words per minute. Congrats.
What I cannot believe is that you would in any way imagine that this is normal. Speed readers know that they read faster than other people and do not casually assume others could read The Hobbit in 34 minutes.
So no, I don’t actually believe you read this in 20 minutes, at >4 pages per minute, >46 words per second, and 10x faster than an average reader. Generously I would say you perhaps skimmed the doc in that time.
On the off chance that this is true, again congrats. You should know for the future that your experience reading does not map to the typical person who literally reads about 10x slower than you.
clearly, you haven’t tried reading it.
Jesus Christ, it’s like talking to a brick wall.
The amount of effort I’ve spent replying to you is more than was necessary to understand the entire fucking text.
Every statement is very clear what they’re saying, don’t record what you don’t need, how do you define what you need, make sure personal information can be deleted, what constitutes personal information.
It’s really really really fucking easy, like dude; you’re halfway through a sentence you know exactly what they’re getting at. You finish it anyway in case there’s an exception or something, and it’s never the case that there is.
Whatever… you believe whatever the fuck you wanna believe don’t call me a fucking liar though you cunt.
At no point did I say the law was very difficult to read. I said that your claim that it should take 20 minutes to read is absurd.
That the other replies to you said basically the same should clue you in that this is not realistic for others even if it were realistic for you.
> don’t call me a fucking liar though you cunt.
You could have easily just walked your claim back and said “Okay, 20 minutes is an exaggeration but it’s not a hard law to read”. Instead you repeatedly doubled down and backed yourself into a corner where the only possible options are that you are an ultra speed reader at 10x normal pace or you are a liar.
Not my problem if you don’t like those options.
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
I would call this the religious zeal response, it's been parroted so many times here that it's become fact, even though this is false.
The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/#:~:tex...
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activity? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
Big enterprises like regulation because it enables them to capture the market and slow startups down: that's why they invest so much in standardization, for instance.
It allows them to force startups to match their (slow) pace of development.
> Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?
Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.
> The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long
My feeling is that in 9 years you could read it.
However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.
> it's actually super easy to comply, you can read it yourself, it's one sentence!
It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.
You’ve addressed nothing in my comment and have simply repeated the religious chant: it’s easy to read so easy to comply!
Thank you for illustrating my original point about this being religious dogma here.
Every HN thread about GDPR devolves into this circular argument. It’s getting so tiring. There are many issues with the actual reality of its implementation which I’ve explained in my other comments. You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
> Every HN thread about GDPR devolves into this circular argument.
The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".
> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.
So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
> So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
this is exactly the attitude of these people
for most legitimate businesses the "pain" of the GDPR consisted of maybe removing Google Analytics from their website
the entire point is to stop the shitty companies (facebook) data harvesting everything they can get their dirty mitts on
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Well, I see multiple in this thread, one of which is currently adjacent to your comment.
https://news.ycombinator.com/item?id=45986410
> displaying a positive opinion on GDPR
Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.
Thanks for confirming my point with regard to acknowledging shortcomings. :-)
Then I don't get your point at all. You think when I like a law that much, that I say it should be used more, it is a drawback of the law?
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
The regulation good/bad dichotomy has been very effective reducing the thinking of the constituents of modern neolibs in the US.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
> I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
you didn't really say anything
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
i could have chosen anything, you choose and do it. he didn't say anything at all.
"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
Well he is saying something here, because as pointed out, many people approach this from an ideological place.
Your midbrow dismissal only makes sense if there is nobody who denies that regulation is nuanced. In fact, the entire political landscape is set up around a "regulation is GOOD" vs "regulation is BAD" worldview.
https://en.wikipedia.org/wiki/False_equivalence
false equivalence describes a false equivalence. the equivalence that I pointed out was true. he didn't say anything.
The thing you pointed out is barely even grammatical.
There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
> There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
try untangling the tracking code from the rest of the javascript code which is required for the sites to work - simply unrealistic.
It's not more effective and trustworthy, particularly as you can do both. The laws also cover dramatically more than tracking scripts and cookies.
> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.
Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.
The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kinds of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
> You can’t read news websites unless you accept all cookies or pay to read.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
It seems there were lawsuits but "pay to reject" is apparently legal as long as the pay is reasonable. I despise it personally.
If you're under UK law the ICO guidance on "pay to reject" can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
the edpb did not. that was explicitly -- in the very first paragraph -- under the DSA, not GDPR:
> The scope of this opinion is indeed limited to the implementation by large online platforms
Separately, in the first couple of paragraphs, they basically complain that they don't like the alternative that platforms can legally implement of paywalls for all. :shrug: Which they may not like, but is legal. So consent or pay is essentially a realpolitik deal to not implement paywalls.
> why are news organizations exempt from this rule in Europe?
In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.
Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.
> But when we talk privacy and personal data there should be no gray zone.
It took me to move to Germany to figure that privacy is a spectrum, and I, despite being a crazy on privacy and security, actually don't want that much.
I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.
Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people security concerns.
Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on spectrum and is a trade off.
I'm curious how the CCTV would have prevented the bike theft?
Yeah, I can tell you that the only thing CCTV does is making the thief wear hoodies. And you get some clips of them carrying expensive bikes around the corner out of CCTV range to their parked transporter.
Even without hoodie… who was it? Some dude.
True. I don't know from where people get the idea that the police would bother with an investigation for your (personally important) case if you had full-on surveillance.
You may have your laptop snatched, go to the police station and show them the exact location of the thieves using e.g. find my Mac. They will do nothing, even if it's in the building across the street.
Now, showing them some blurry (at best) faces in CCTV footage and ask them to investigate? Good luck.
> I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
It sounds interesting but I'm not sure what it means. Could you clarify this?
Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).
https://www.bbc.co.uk/news/articles/c8jm3wxvlkjo
Private CCTVs are legal, you just can’t have it film a public area. And I’m grateful for that.
That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job?
They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.
It is the fault of the EU. If you leave a steak on the floor you don't punish the dog for eating it. Site operators just chose to do what was most convenient for them within the boundaries of the law, as would you.
We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.
I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.
> Probably. But the law and the incentives aligned to cookie banner hell.
Most cookie banners are non-compliant, so I doubt that.
> That cookie banner needs to be standardized and offered by the browser.
That's actually part of these changes. It's mentioned in the linked article about halfway down.
Aren’t tracking cookies mostly irrelevant nowadays, because every browser can be uniquely fingerprinted anyway?
The law doesn't even mention cookies. This is a common misunderstanding and causes a lot of annoyance as I've seen websites ask for permission to store cookies even when they don't need explicit permission.
The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.
No. The regulation is about processing your personal information, cookies are just an implementation detail.
Fingerprinting is actually covered by the regulations and needs to be "consented" to.
There are different regulations, but basically they are technology agnostic (a good thing). If you as a company want to use data that could theoretically be used as an identifier for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.
Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users). But those are separate from GDPR.
GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.
Theoretical example: Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village), use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome to having to ensure you only use this data in a way that I gave consent to.
See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing to me as an "ID" - like a cookie ID, or at personally identifiable data - like by combination in my example.
I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.
GitHub doesn't have a cookie banner: https://github.blog/news-insights/company-news/no-cookie-for...
That said, looks like what you asked is happening: https://www.macrumors.com/2025/11/19/europe-gdpr-cookie-chan...
How would that even work? The browser has no way to know what a cookie is for.
They are regulating websites anyway, surely they can just invent some standard format to say what function each cookie has. How about requiring that the name of every cookie has to start with one of "Strictly Necessary", "Functional", "Performance", and "Targeting/Advertising"?
It's not the tech that's hard. https://lists.w3.org/Archives/Public/ietf-http-wg/2024JulSep...
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
> Most of the harsher regulations only come into effect when the company hits a specific size.
That’s very market and country specific. Spain makes more than 1k tweaks to its food regulations each year, which would kill lots of restaurants if they were to be in compliance.
The result is that everyone tries to make as much money as they can and build an “inspection fund”, because you’re guaranteed to get a fine if inspected.
Why isn't #1 an import duty sales tax system instead and you need to declare the proper value as part of shipping, or the good is rejected / confiscated?
Actually, online shops that mail stuff to Australian customers who request them to do so don't have to collect or pay any sales tax. The Australian government might stomp their feet and declare otherwise, but they have no legal or jurisdictional authority to do so, nor any real means for enforcement.
This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.
> This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas
I disagree.
Imagine I ban health potions in my realm. I am running a Darwinistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup contest. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.
I have no idea what you're even trying to say here. Australia is welcome to try and confiscate goods that are mailed without paying sales tax, but we both know they lack the ability to actually execute that. And their ability to do anything about digital sales is basically non-existent.
So if I'm understanding your analogy correctly, the guards can't really do anything, so the merchant and the buyer will be the ones going about their business.
75,000 is very small for a business.
In fact, "too many" is the exact point at which it becomes excessive. :P
I think this is an excellent point. More is almost always worse, but if there is a genuine need for regulation it should be absolute.
Most baffling thing is that sometimes you can't opt-out from "always active" stuff that still involve hundreds of "partners"; see: https://news.ycombinator.com/item?id=45844691
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
If you want to do business in the EU, just follow the law.
You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Because hey, people can just decide to not buy drugs.
[Edit]: Typo
That’s not how the GDPR and cookie laws work at all
That’s how most news websites work in Europe: accept the cookies, or pay.
Yes, but opt-out tracking data which is not necessary for the operation of the primary use case of the app is not allowed.
It must be opt-in, truly a free choice, and informed consent, and declining must be as easy as accepting.
My search told me that unless you are a gatekeeper, offering a reasonably priced ad-free tier allows to make the ad-monetized version personalized only.
I think it makes sense. Either pay, or consent to effective ads. There's no free lunch
I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.
I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
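The situation in the complaint above (third-party requests firing before any banner choice, continuing after a refusal, and recipients missing from the privacy page) can be checked against a browser network capture. This is an added example, not part of the thread: the capture, the hosts and the function name `auditConsent` are constructed for illustration, with field names following the HAR format.

```javascript
// Constructed capture in HAR shape (log.entries[].startedDateTime, request.url).
// All hosts are placeholders on reserved example domains.
const SAMPLE = {
  firstParty: 'shop.example',
  consentAt: '2025-01-01T10:00:05.000Z',     // moment a banner button was clicked
  consentGiven: false,                       // the visitor refused
  disclosedHosts: ['analytics.example.net'], // recipients named on the privacy page
  entries: [
    { startedDateTime: '2025-01-01T10:00:00.000Z', request: { url: 'https://shop.example/' } },
    { startedDateTime: '2025-01-01T10:00:00.200Z', request: { url: 'https://static.shop.example/app.js' } },
    { startedDateTime: '2025-01-01T10:00:00.450Z', request: { url: 'https://analytics.example.net/collect?uid=abc' } },
    { startedDateTime: '2025-01-01T10:00:00.600Z', request: { url: 'https://ads.example.org/pixel.gif' } },
    { startedDateTime: '2025-01-01T10:00:06.000Z', request: { url: 'https://analytics.example.net/collect?uid=abc' } },
  ],
};

// Assumption: a plain suffix match decides what counts as first party.
// A production audit would compare registrable domains via the Public Suffix List.
function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith('.' + firstParty);
}

// Returns one finding per third-party host that was contacted before the
// visitor made a choice, contacted after a refusal, or is not disclosed.
// Findings are candidates for review: not every third-party request is tracking.
function auditConsent({ entries, firstParty, consentAt, consentGiven, disclosedHosts }) {
  // No banner interaction at all means every request happened "before choice".
  const consentTime = consentAt === null ? Infinity : Date.parse(consentAt);
  const disclosed = new Set(disclosedHosts);
  const findings = new Map();

  for (const entry of entries) {
    const host = new URL(entry.request.url).hostname;
    if (isFirstParty(host, firstParty)) continue;

    const finding = findings.get(host) || {
      host,
      beforeChoice: 0,
      afterRefusal: 0,
      undisclosed: !disclosed.has(host),
    };
    const startedAt = Date.parse(entry.startedDateTime);
    if (startedAt < consentTime) finding.beforeChoice += 1;
    else if (!consentGiven) finding.afterRefusal += 1;
    findings.set(host, finding);
  }

  return [...findings.values()]
    .filter((f) => f.beforeChoice > 0 || f.afterRefusal > 0 || f.undisclosed)
    .sort((a, b) => a.host.localeCompare(b.host));
}

for (const f of auditConsent(SAMPLE)) {
  console.log(
    `${f.host}: ${f.beforeChoice} before choice, ${f.afterRefusal} after refusal` +
    (f.undisclosed ? ', not on privacy page' : '')
  );
}
```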
That cookie thing should be a browser's default.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
GDPR allows for essential cookies with no popup.
Implied consent is valid for most functionality, just not selling people's tracking data or giving it to a third party who could.
It's entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
No pop-ups on apple.com!
embedding youtube is enough to be non-cookiebanner-compliant??
Look at what YT loads in terms of tracking, when opening a page with an embedded YT video - even if you do not play that.
Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Audible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.
If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].
I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.
[1]: https://pluralistic.net/2025/11/10/zero-sum-zero-hours/
We went the route inspired by gamingonlinux.com
So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.
It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
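A sketch of the two-click embed described in the comment above, as an added example that is not the commenter's or gamingonlinux.com's code. The class name, data attributes and function names are assumptions; the thumbnail is assumed to be hosted first-party, since hotlinking it from YouTube's image host would already be a third-party request.

```javascript
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // YouTube video ids: 11 URL-safe characters

function assertVideoId(id) {
  if (typeof id !== 'string' || !VIDEO_ID.test(id)) {
    throw new TypeError('invalid YouTube video id');
  }
  return id;
}

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Placeholder markup: static thumbnail plus two controls. Rendering it fetches
// nothing from YouTube; the youtube.com URL is only a link the visitor may follow.
function placeholderHtml({ videoId, title, thumbnailPath }) {
  const id = assertVideoId(videoId);
  return [
    `<figure class="video-consent" data-video-id="${id}">`,
    `  <img src="${escapeHtml(thumbnailPath)}" alt="${escapeHtml(title)}" loading="lazy">`,
    `  <button type="button" data-action="load-embed">Accept YouTube cookies and play here</button>`,
    `  <a href="https://www.youtube.com/watch?v=${id}" target="_blank" rel="noopener noreferrer">Watch on YouTube</a>`,
    `</figure>`,
  ].join('\n');
}

// The real embed, built only after the visitor pressed the first button.
function embedHtml({ videoId, title }) {
  const id = assertVideoId(videoId);
  return `<iframe src="https://www.youtube.com/embed/${id}?autoplay=1" ` +
    `title="${escapeHtml(title)}" allow="autoplay; encrypted-media; picture-in-picture" ` +
    `allowfullscreen></iframe>`;
}

// Review helper: hosts other than the page's own that the markup would
// contact automatically through src attributes when rendered.
function autoLoadedHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const hosts = new Set();
  for (const match of html.matchAll(/\ssrc="([^"]*)"/g)) {
    const host = new URL(match[1], page).host;
    if (host !== page.host) hosts.add(host);
  }
  return [...hosts];
}

// Browser wiring: one delegated listener swaps a placeholder for the iframe.
function wireConsentEmbeds(root) {
  root.addEventListener('click', (event) => {
    const button = event.target.closest('[data-action="load-embed"]');
    if (!button) return;
    const figure = button.closest('.video-consent');
    const title = figure.querySelector('img').alt;
    // The id is re-validated and the title re-escaped inside embedHtml.
    figure.innerHTML = embedHtml({ videoId: figure.dataset.videoId, title });
  });
}

if (typeof document !== 'undefined') {
  wireConsentEmbeds(document);
}
```

Running `autoLoadedHosts` over rendered templates in a build step catches a thumbnail or script that was accidentally pointed at a third-party host.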
That would be fine, if there was a law that forced every browser to have this setting and every company to respect the setting.
arguably if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably, it would still need to be adjudicated.
The browser setting already exists (DNT), so I don't know what you want to conclude.
My conclusion would be that under the current GDPR that if someone had the browser setting on, if a company did not respect that setting and kept private data, that they could be reported for GDPR violations and then the issue could be adjudicated, i.e that the courts would then decide if in fact GDPR violations occur by not following that browser setting.
Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, however as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".
In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality for non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
> GDPR that would seem to be dead in the water
I agree, and I don't like that.
If there were any companies that provided value for tracking, people would turn on a track me header, but there are none. So I agree.
I mean I run Debian, and voluntarily enabled popularity-contest, so it's not like these examples don't exist.
Like Do Not Track?
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
Private browsing is equivalent to creating an ephemeral browser profile every time. It might get rid of more browser storage, but for how tracking works nowadays, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.
I'll admit I may have fallen for "private" browser marketing. Is this representative of current methods?
https://coveryourtracks.eff.org
I assume a subset of these bits could be used, meaning the "unique" or not claim of this test probably doesn't reflect if you can be tracked. I also assume that a VPN would help tremendously.
For that test, as is, I get "unique" every refresh when using Brave Browser. With Safari and Chrome, I get a fail on subsequent sessions.
Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?
In Chrome and Firefox, all the private windows share a session that gets scrapped when you close them all. Safari keeps them separate.
> You can do this trivially in modern browsers: private browsing.
The one that Google keeps tracking? https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
--- end quote ---
I don't use browsers made by ad companies, because I fully expect that browser to stay out of the way of their revenue stream. There are many browsers out there that care about privacy.
Doesn't matter. Companies will keep tracking you in incognito mode.
Yeah idk why there's a law trying to poorly enforce this instead
Because the law isn't about cookies, but about tracking? You know, the kind that doesn't stop even if you open the "ignorant mode" in your browser: https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
Every regulation has some unforeseen consequences. Most of the time its impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.
> Every regulation has some unforeseen consequences.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time its impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
Realistically speaking, how much are people willing to pay for email, communications, cloud backups, social media? This is the hard question.
They already do as part of their internet subscription at home and data plans on mobile.
ISPs used to provide email addresses for people, and it was part of the cost.
Once they lobbied in "legitimate interest" as the exception to the opt-in requirement, the whole regulation de facto became a farce for the end user.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the 'Decline Cookies' dialog under 3 layers of clicks". That's a proactive choice, that some software developer chose to implement.
I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.
Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".
Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".
That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.
It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.
Your moral integrity is tested, when your paycheck depends on it, not when it doesn't have repercussions to you.
I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.
He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.
Both understandable and good that you stood up to it!
Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.
It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.
I agree with everything you say, except
> Usually at that point they will find someone else
is not really something a lot of people can afford to risk
This is why I am glad to live in a country with comparatively good employee protections. In other countries, where people can be fired at will, this might be more problematic. But at least in this country, it would be a very clear cut case, if your employer asks you to do something illegal, that they will not be able to legally fire you. Of course you might have to go to court to get your right.
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"
Maybe you could still program a website. But you might not be able to do it professionally.
But yes, more people should tell other people that they won't do that.
Should contributing code to open source software require professional licensure?
As far as I know most (all?) open source and free software licenses include terms, that explicitly state, that there is no warranty. So I think maybe a license there wouldn't be required. It is an interesting question though.
But many people are paid by their companies to work on OSS.
Most commercial software doesn’t have a warranty either.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.
Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.
someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"
How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when one doesn't know.
Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.
> Business never respects anything, but profits
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
We had our underground parking and storage units broken into in apartment building. And we couldn't see the CCTV camera, to be on a lookout for the thief and call cops. Only cops could see it. Thieves have higher protection than your property.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.
Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can also easily change some settings to stop persistent cookies. You can install privacy extensions like Ghostery to block beacons. You can use features like iCloud private relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.
Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in this case ends up completely unprepared and unprotected.
Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.
If you want to use data that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask me. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO's my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for weight loss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companies need to rot in hell, but that is my take. I want people to be protected. From business, from government. That is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.
And by that they are actually in violation of GDPR. But hey - since when was Musk interested in following regulations. And since when has a governmental or supra-governmental entity been able to curb that tendency of the super rich and biggest corporations.
Like with meta: They know they make 7 billion annually from serving 15 billion scam ads daily. They calculated that they will at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.
So it is a clear business decision to go on showing 15 billion+ scam ads per day to their "users". Were some interesting journalistic pieces on that a few days ago.
And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.
> Ads are passing session data on the URLs instead
At which point it also counts as PII and is subject to the GDPR rules.
Why not accept and let cookie autodelete delete it after closing the site?
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
https://adnauseam.io/
I think we better remove the problem itself than come up with more and more ways to mitigate it.
It's not just about cookies but any kind of tracking, including fingerprinting.
The problem is paternalism and assuming the user is too dumb to take control of their privacy preferences.
The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU
Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.
In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.
GDPR is not a cookie regulation it is a tracking regulation.
It's broader, it's about users data. For example, you can store my address so you can send the item I ordered to me. You can't, without permission, use that to send me marketing stuff.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have. There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back. The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bent the regulation requirements just enough without breaking them.
The banner isn't required. They could just not do the things the banner would ask consent for.
People don't know whether they are or are not doing things that require consent under the law. That's because, if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs. Notably missing from that list is "lawyers who can be bothered to research the question".
People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obvious to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.
> if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs.
Those are the people who should know best what is meant by "ask visitors for consent before you track them.".
Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possible without breaking the law."
You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.
> People don't know whether they are or are not doing things that require consent under the law.
This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.
Is that what really happens though? EU countries usually don't immediately punish violations unless they're particularly egregious. You're more likely to get a warning and a grace period to meet the requirements. So the rational approach would be to not bother with consent banners, GDPR and whatnot until you attract the attention of the regulators, at which point you should definitely hire a legal team that can tell you what exactly you need to do to comply.
"Just sign the contract, we'll never use that clause!"
Any company that can hire teams of software developers can afford to hire a lawyer to tell them whether they need to irritate all their customers. And frankly, they'd be dumb not to hire a lawyer if they think they need some legal cover to determine whether that cover is sufficient.
Good god. I certainly wasn't suggesting this situation would be improved by software teams hiring lawyers to advise on their software! You appear to have completely lost perspective.
You think a company worried that they have a legal issue should just ask the programmers and ui designers to sort it out? Or that programmers who think the company has a legal issue should take it upon themselves to come up with a feature that they think addresses it without consulting legal?
> I get that too many regulations is a bad thing
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.
Nothing is ever black and white.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.
What a funny comment. “You see, you just don’t understand trade-offs, here let me explain to you…”
And when they use our data to profit, we don't get a royalty cut.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
And that's probably the same for 99% of websites.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
> It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
Selling drugs causes harm.
Targeting political ads? Debatable - whether AI is somehow involved or not.
I would consider making people to vote for a criminal dictator to be more harmful than selling drugs, the former is destroying way more lives than the latter. And I am someone who would vote for more enforcement and regulation of bans on drugs.
No matter your political opinions, the ability to target political advertisements hardly seems like the nightmare you all act like it was.
Multiple people keep talking about selling hard drugs in the comments. Seems a tad dramatic.
that's just a shallow and one-sided argument that never respects the other side of the coin
It's also true.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
what do you mean illegal???
tell that to the Ads advertising business that's bringing in billions every year, and it's legal btw
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Nobody likes it in the same way that nobody likes paying for groceries or gas. Wouldn't it be great if they were free??
Of course it'd be awesome if the world had no ads, but most people prefer free with ads to paid without ads.
Uh, no, not in the same way. You have absolutely zero proof that you NEED to fuck users up the ass to make the service work.
Many services worked without the ass fucking. We did it for a very long time.
> but most people prefer free with ads to paid without ads.
No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.
Things like GDPR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GDPR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want right?
Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!
Okay. So would you prefer to pay a subscription for every site you use or pay with your eyeballs by looking at ads?
this is a false dichotomy. You don't need to track your users to show ads.
Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).
Imagine if grocery stores had someone standing at the front asking if you'd like to pay for your groceries or opt-out. Of course most people would opt-out, because that's what's best for them individually. But they probably won't love it when the grocery store closes...
so you want that people can't earn a livelihood, by your saying?????
for some people and I mean some people in this are entire industry that working with directly and indirectly. this is the only way to earn a living for them and you're saying these people can't do that????
"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."
well. you are free to choose not to?????? what are we even doing here? life is about choice and you are free to not sign up service that scummy
it's literally a totally different case that's worth another article/post for that
> this is the only way to earn a living for them
Who are those people who literally can't earn a living in any way other than working on personalized ads?
So, so many glaring problems here:
1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.
2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.
If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice "not sign up service that scummy", THEN they must know if the service is scummy. Necessarily!
You are literally agreeing with me!
You are making it like they are doing human crime level hitler or some shit
No, the competing solution/alternative is not better
if there are better ways to do this, it would be born already
Which is why shrinkflation always fails right?
In a free market, consumers will pick the better option right? The one where they don't pay more for less?
Right?
> if there are better ways to do this, it would be born already
That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.
They should feel ashamed for collecting your personal data in the first place.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.
Perhaps if you had some engineers write the laws they’d work better
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
no. even including a font from a different host is not allowed under the gdpr because you are leaking the user's IP to that host. you are poorly informed on this topic.
But the different host IS tracking because that's how they make money from serving "free" fonts. So if what you're saying is true, that's exactly how it should be. When I go to a website I don't want others involved.
We used to use Subway's proprietary font. We never needed to call a server for that.
Maybe don't build stuff in such a dumb and lazy way?
Everything that happens under Ursula Von der Leyen leaves a bitter taste.
There are lots of uses for cookies that have absolutely nothing to do with collecting data about you.
And you don't need user consent for most of those cookies.
That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
> a place that follows a different approach than "break it to make it" mad dash
You don't have to convince me of the foolishness of mad dashes. Or the emptiness of consumerist culture. But is the EU not consumerist? Does it even have any viable or good ideas about alternatives? Without consumerism, the modern world doesn't know what to do with itself. It has no other modus vivendi. Consumption is all it knows.
> a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in.
Sounds great, and I do not contest these as aspirations. And economies are supposed to serve the objective good of human beings. But is the EU on the path of greater cultural richness, or one of cultural decadence?
> If there is a good set of regulations in place. And that is where EU is not consistent
Bingo. What is good regulation, not as just an expression of principle and aspiration, but as a matter of practicality and prudence in the given circumstances?
It also takes more than good regulation as well. You have to ask: what does it take - and that's possible within morally licit limits - to encourage a richer culture, a culture that is also more conducive to health, and a tech industry that serves the human good? Is the EU succeeding, or merely stagnating and reacting defensively (for better or worse) to the changing conditions of the world?
Some things are only possible in vibrant economies, and where tech is concerned, the EU is not exactly vibrant.
I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic power houses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.
Indeed, and I'm not blaming GDPR for all of the EU's problems, or even blaming it for anything specifically. I was entertaining a plausible rationale for a particular case and using this as an occasion to pose a more general question about the EU's effectiveness in balancing various concerns when regulating.
I wish we standardized on Do Not Track headers. Cookie banners are a plague. Thanks Europe.
There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Thanks Google.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I very much doubt, that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was more challenged and brought in front of the courts. And not just wristslaps dished out. Such practices need to have business threatening punishments attached to them.
I'm sure that happens in some cases. But the EU is building a reputation for handing out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.
I think I should be able to collect whatever publicly available data I can find.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
you are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
The "hacker spirit" is dying.
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We will be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
>The "hacker spirit" is dying
This is the number one issue in computing today. Everybody's running around trying to get rich building shitty extensions and frameworks without looking at the bigger picture. We need collective action. Imagine a movement where everybody becomes militant about adblockers. Like install them on every computer and deflate the advertising industry. Smarter people than me can probably think of better ideas
Right now it's death by 1000 cuts. There needs to be a big change or we could lose everything in just 20-30 years in my opinion
I might get worried when mainstream computers won't be able to run Linux. Until then.. I'm not worried.
Seems there are efforts to bring openness to platforms that inherently have an interest to resist it and while the progress is slow.. there is progress
> we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick".
Doesn't that describe SV in general, and big tech in particular?
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there is a generation who don't know anything but JavaScript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
This sounds too much like a 'good old days' argument, which is actually in the HN guidelines (something like, 'don't say HN is becoming Reddit').
No. It's reflecting on an overall culture that embraces taking chances. Even if 50% of those chances lead to failure it still beats the paralyzing fear of moving forward.
As a hacker, I don't care about cookies or what the EU thinks about them. Disable them if you really care. Or at least use a browser that blocks 3P cookies (not Chrome).
people still insist on using a browser built by a company that makes money off of ads and act surprised when said company purposefully compromises their privacy and data on said browser.
> As a hacker, I don't care about cookies
Well I care about privacy. And so should anybody with an ounce of common sense.
What about when the lack of cookies makes everything break and you cannot work around it because it's too much JS to reverse-engineer, and/or it's a copyright-felony in your country to develop workarounds?
"I'll use my l33t hacker skillz to avoid it on my own" is a losing strategy in the long run.
A similar thing happens with the proliferation of cameras and license-plate readers.
You can keep them enabled and clear at end of session. I'm not saying this makes you untrackable; that is a losing strategy due to all the non-cookie tracking, but also the cookie popup isn't helping there.
As this is the message board of a VC fund it's not that surprising that it doesn't only attract hackers in the original sense?
Hackers should know the government is never on your side.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
In addition, hackers should know government is inevitable. Even in anarchy, governments spontaneously begin to form.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
That may be one of them, but there isn't a singular anarchist school of thought.
> there isn't a singular anarchist school of thought
Would be oxymoronic if there were one.
Isn’t that like saying there must be as many universes as theoretical physicists can think up? Slight maybe but it could also just be one.
> Isn’t that like saying there must be as many universes as theoretical physicists can think up?
Schools of thought are theories. It’s saying there can be as many theoretical universes as theoretical physicists can think up.
This is true for any social construct, of course. But anarchy’s nature means you get less alignment.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
The thing that anarchists have a problem with is hierarchy, of which states are a manifestation. Most anarchists aren't just "okay" with some kind of government, but believe it to be necessary.
I guess I can see how it might work in a single person's life or small group, but on a large scale it is doomed to failure because the neighboring country/city-state/etc. will be organized, with an organized army. That group will eventually desire something the anarchist community has and will destroy it.
That is indeed the sticky question, but, again, anarchists aren't opposed to organizing either, even at scale - only that such organizing should be fundamentally egalitarian, not forced.
You can argue that hierarchical organization is fundamentally more efficient, but by the same logic authoritarian governments ought to always outcompete democracies militarily, yet it's clearly not as simple as that.
One could also argue that in a world where anarchist modes of organization are the norm, an attempt by some group to organize for the purpose of conquering neighbors would be treated as a fundamental threat by basically all other groups and treated as an imminent threat that warrants legitimate community self-defense. Of course, then the question is how you get to that state of affairs from the world of nation-states.
I don't have answers to these questions, but it should also be noted that it's not a binary. Look at Rojava for an example of a society that, while not anarchist, is much closer to that, yet has shown itself quite capable of organizing specifically for the purpose of war (they were largely responsible for crushing ISIS, and are still holding against Turkey).
An entity that invents rules that are not enforced by anybody is a useless waste of energy.
Nozick's libertarianism is not really an anarchist school of thought.
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
oh no, the dreaded "it's complicated" counter-argument!
making it complex helps nobody - everyone has to have a default
and default of "do not trust the glowies. EVER" is the better one
No, the naive position is to assume that the state is on your side because you occasionally gain something from it.
The reasonable position is that the state exists to propagate and protect itself, which is made up of its citizens, you included. This is just how any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
> But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
Not really. The goal is to prevent people from being unhappy enough that they revolt. But so long as that is not a real possibility, the company - or the state - is quite willing to make the population less happy if that means more productivity that can be extracted.
The example you gave - free education - is precisely about that. The point of schools is not to make the people happy, it's to make the people productive. But, also, ideally to brainwash them into being "good citizens" (meaning compliant and not causing problems). It can even mean "happy", but that is not necessarily the desirable state of affairs from the citizens' perspective, either - e.g. in USSR under Stalin, the cult of personality was strong enough that many people were genuinely happy to participate in it, and genuinely sad when the guy finally died; but it wasn't actually good for them!
No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
The reasonable position then is to demand governance that is actually in the interests of those governed. And one can reasonably argue that the resulting entity is not a state.
> No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
Beliefs like that are self-fulfilling prophecies. People who believe in that often give up trying to influence the state and exclude themselves from its interests. If too many people do that, the state will not care about them.
There is a trade-off based on the size of the state. Small states are easier to influence and more likely to care about their citizens. Politicians stay more in touch with other citizens, and the average citizen is more likely to know some politicians in their everyday life. But small states often make amateurish mistakes, because they are governed by amateurs without access to sufficient expertise on various topics.
Large states have an easier time finding the expertise they need. But they tend to develop a political class out of touch with ordinary citizens. Political leaders become powerful and important people who mostly associate with other elites.
I believe the ideal size of a state is in single-digit millions, or maybe up to 10 or 20 million. Like most European countries and US states.
If you were to put a name on your ideological position, what would it be?
It can't be liberalism, since that tradition considers the state separate from society, and the state's purpose to provide liberty to the latter.
Communists of the 'tankie' variety (i.e. 'authoritarian' rather than 'libertarian' or anarchist) believe the state is or ought to be made up of its citizens, but they are aiming for scientific industrial administration and would never describe the state as an organism.
The tendency that does describe the state in that way, is fascism.
If the state inherently wanted all that for its citizens, why have people formed unions and militant organisations and struggled to achieve things like common education and so on?
"Hackers should understand governments are complex, dynamic and occasionally chaotic systems"
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
Growth hackers aim for regulatory capture.
In a democracy, the government is its citizen. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
A government or president can definitely be against its voters' interests.
Then that president should not be re-elected. Or it's the voters' fault.
So the people should talk to their representative. A government becomes authoritarian not only because of an authoritarian leader, but also because of the enablers, people like the spineless Mike Johnson.
This is Mike Johnson's district:
https://en.wikipedia.org/wiki/Louisiana%27s_4th_congressiona...
The people who voted for him are very happy with what he does and that's why they vote for him again. They voted 75% for Trump.
They don't want what you or I want.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client AI push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come.
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a faustian bargain.
That is absolute nonsense.
At minimum, government will be useful as defence against worse government.
I know that some anarchists had a dream of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
Government != state.
And the enemy of your enemy is not your friend. It can be a temporary ally, but you always have to be wary of it becoming strong enough because you can become its enemy tomorrow.
Couldn’t agree more.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also a weird (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetoric that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alleyway we once had.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
It made me feel kinda sad for a few days.
Some of that is attributable to raw inflow/outflow differences, where newer cohorts are bigger and therefore the blend would shift even if no oldsters ever left.
The truly "eternal" September.
https://en.wikipedia.org/wiki/Eternal_September
It always had a lot of that, I would say 2-3% of articles were about SEO in the early days of HN. It was never slashdot.
In the last few years I think sentiment on Hacker News has shifted from libertarian leaning to much more left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular (VR, Autonomous Driving, LLM) and the luddites are the first to come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lies in personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tangible benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
> A future where everyone has a personal computer was exciting and seemed strictly beneficial
I like to frame it in terms of capital goods, even if I didn't think of it at that time: The personal computer's promise was that everyone would own their own digital foundry and factory, creating value for them, controlled by them, and operating according to their own best interests.
Nowadays, you're just renting whatever-it-is from BigCorp, with massive lock-in. A tool for enacting other people's decisions at you.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy to Civilization is to maximise freedom for anyone. As freedom enables enlightenment and enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And provide an economic system where risks can be taken, enabled by a social net (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
This isn't actually unusual in the grand scheme of things, just at the moment. "Libertarian" was originally a word that anarchists came up with to describe themselves for a good reason. Lysander Spooner is famous in right-wing libertarian circles, but the guy also promoted mutualism and was a member of the First International. Today, what you describe goes under the label of "libertarian free-market socialism".
Regarding regulation, I do have to note that in many cases when you try to root-cause corporate power, it turns out that it hinges on active government regulation in practice. For example, consider the fundamentals of capitalism, namely, accumulation of capital. Why do we get those huge monopolies in the first place? Well, because more capital means more ways to generate wealth (or, more precisely, to appropriate wealth generated by your workers), which can be invested into more capital etc - there is a natural positive feedback loop here. So at a first glance it feels like you need government to actively do something to prevent companies from becoming too large. But consider: what does it mean for a company to own something? It's not a person, so it can't really have physical possession of things. It's all abstract property rights, and the only reason why that works is because the society as a whole acknowledges those rights as legitimate, and, crucially, because there is a state providing infrastructure (police, courts etc) to enforce them. Now imagine what would happen if, for example, the state simply refused to acknowledge property rights past a certain limit and simply wouldn't enforce them on behalf of the property owners.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
That's getting pretty hard these days. I did a query on Clickhouse and this year a full 1% of all comments on this site mention Trump.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families’ lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
Precisely this. Cool detachment or disinterested curiosity around political events is the privilege of those comfortable enough to believe current politics won't affect them. These same people are also usually ultimately responsible for the apathy/failure to act and stop meaningful regime change before it's too late.
I'd love to live in a world where one can neatly compartmentalize reality and view life-altering political shifts with "a lens of curiosity", but that isn't how the world works.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the meantime, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part of some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
You might have convinced 2 people to install Signal, but the real test is whether they will still be using it a year from now. My own experience from going Signal-first for a while was that it doesn't stick for most.
Social connections can be a large sacrifice.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
Facebook is still running strong on Marketplace and Groups. They have almost no competition on those.
....and I don't care because I don't use either of those. All the network effects in the world mean nothing if that network has no value to me.
Yes, but then it's about you. A significant portion of society is using Facebook Marketplace and Groups, so it won't die with "grandma".
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didn't the judge rule literally yesterday that this wasn't illegal? This was one of Lina Khan's signature lawsuits, and the judge didn't agree with even a single one of the FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power don't want any monopoly laws, then there won't be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
Where can I read more about this? Quick search turns up nothing for me.
https://www.theverge.com/news/823191/meta-ftc-antitrust-tria...
It is actually a monumental case ruling, and for some reason it wasn't reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta)
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
> The very premise that Meta didn't face meaningful competition from TikTok was a farce.
The original claim was centered around the timeline of purchasing Instagram and WhatsApp. TikTok came much, much later.
If this is true, the case then becomes "Meta was a monopoly from start_date-tiktok_date" which isn't a very meaningful claim since they are not arguing it is a monopoly to be broken up.
Anyways, I disagree - this is not the case. If you read the filings and their slides, the FTC argues Meta is a monopoly in the personal networking space.
They essentially carve a market out of thin air to selectively exclude Snapchat, TikTok, and Shorts. The judge has understandably called this for what it is.
It was a phenomenally poorly litigated case, most experts at the time doubted it would succeed, but it did wonders for Lina Khan's popularity. Seems to have served her well with NYC and all.
Just to be clear, when you say Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
Correct, yeah.
https://arstechnica.com/tech-policy/2025/11/meta-wins-monopo...
This is a proposal from the EC. Whether the EU accepts it is not clear.
Yeah I really hope they don't. It's ridiculous to throw out all the great work they've been doing.
Nothing's been officially published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
It is good to stress this, most people don't know how the EU works, Europeans included.
> What I really want to see is Meta getting irrelevant ON MERIT.
Me too. But losing on merit requires an (at least somewhat) fair marketplace.
> What I really want to see is Meta getting irrelevant ON MERIT.
Why? Is META relevant only on merit?
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate; however, if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views is not equal - in the sense that there isn't an equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
I would strongly encourage everyone to read HN with `showdead` enabled (it's in your profile page). There aren't actually all that many downvoted comments, and while most are low-level trolling, even with `showdead` you see them at the end of the parent thread and they are greyed out, so it's not all that distracting. But being able to see some of the things that get downvoted / killed unjustly (and then vouch & upvote them) is how you get a better HN.
You can upvote dead comments? I can't; maybe you need to have some amount of karma.
You can "vouch" for them, which makes them non-dead (and upvotable again). But, yes, it does have some karma limit - I'm not sure if the specifics are documented anywhere, the FAQ just says "small karma threshold".
Yeah, you can sense how strong libertarianism is in the US.
Europeans here steer more in the "we can, but should we?" category, while Americans are in the "move fast and break things" category.
I literally see upvotes during the day (Europe) and then downvotes during the night. Mostly. But the trend is there.
I think there is plenty of diversity of comments, substantially less diversity in voting and flagging.
You can say lots of things, many that go against the hive mind will just get you more or less instantly grayed or even flagged
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
To many (especially younger) people, giving up Meta products would make them a social outcast.
Some industries naturally tend towards monopolies. In social networks, this effect is very strong.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that people who are temporarily embarrassed monopolists have these views.
Look at what happened to iRobot vs. Roborock though.
can someone explain what happened? how is it relevant to EU laws?
I live in EU. I am totally in support to force Meta down through government's big stick.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Then I propose you should support https://noyb.eu/
Their track record is pretty good.
If you support them (I do, they do great work), please set up a yearly subscription. Predictable revenue is very valuable for organizations.
Do we have anything like this in the U.S.?
Yeah, seconded, and I also live in the EU.
I'm a hacker type and generally extremely (left) libertarian. But when it comes to megacorps, I have basically zero sympathy. When they are big enough to rival nation-states in economic and political power, they can't complain when said nation-states start to notice.
(I would still prefer the world without either, though.)
Yeah, I think states need to realize that entities as large as them become their competitors. Now we have entities way larger than them.
I wonder what kind of people downvote you. They must have interesting priorities.
The thing is that it didn't work for that objective. It didn't seem to have any meaningful impact at all on the Metas and Googles out there. They control the user base and people depend on their products, it was trivial for them to get full consent like they've always done with their Terms & Conditions.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
So what's it like working at Meta?
Can contract killers become irrelevant on merit, or does it take government intervention?
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. TikTok took off with ByteDance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
Meta's only merit is having a lot of users and keeping them hooked at any cost.
It might surprise you, but success is not always rooted in having done great things for the world
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> ...more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
There are lots of companies like this:
https://zeotap.com/wp-content/uploads/2025/06/Zeotap_-Time-t...
Well yeah, the GDPR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major company's website I visit. An option that was near non-existent before GDPR.
That wasn't even the GDPR and it did even less for user privacy.
What was it then? Why did it do less for user privacy?
It was the 2002 ePrivacy Directive https://en.wikipedia.org/wiki/EPrivacy_Directive
What the law wanted: putting regulatory friction on tracking cookies by requiring collecting consent will make sites do less tracking.
What the law did: endless cookie banners.
What the law wanted: ending the torrent of people's inboxes filling with ads.
What the law did: nothing because they caved to the industry and let people send ads anyway. Actual spammers never followed the law anyway and real companies who ship ads weren't at all burdened by an existing customer relationship requirement.
What the law wanted: companies will stop keeping your personal information on their servers forever.
What the law did: nothing because they again caved to the industry and it just got added to the cookie banner consent screen or the company just said they kept the data for "value add" services like personalization.
The 180 does not surprise me at all. GDPR and associated laws are a perfect example of the old 'Good intentions, unintended consequences'-pattern we see in laws all the time.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what turned me - a European - from a flag-waving European-Unity-proponent into a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufacturers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time until even Brussels remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
can you please explain the driving licenses part?
I'm not as miffed about that as others, but in Germany, licenses used to be forever (unless you yourself gave it back OR there was a court order, e.g. for a traffic-related crime). Enter the EU, and now licenses come with a renewal date, which is considered mostly a cash grab as you now have to buy a new copy every few years.
A few weeks ago, there even was an attempt to have air-traffic-style medicals beginning at 60, which, in a society that becomes both older AND worse at public transit, was highly unpopular.
You may think that's a little thing. The issue is: these little things compound. And every time they come around the corner with a new regulatory clown act, people remember ... when lighting bulbs were a few cents instead of the energy-saving 10-euro new bulbs mandated by Brussels ... when we were forbidden to have powerful vacuum cleaners or showerheads (yes, the new ones are not really worse, but they sound worse), ... and a hundred other little annoyances.
Not to mention that national governments like to blame Brussels for stuff they wanted, but which were highly unpopular. "Unfortunately, we cannot do anything, it was an EU decision (which we openly supported)".
And eventually, people become eurocritic. Which is one of the reasons why people start to vote for right-wing, eurocritic to anti-EU parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
?? He bought instagram in 2012 when it was tiny. They all moved in 2016.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
What about hp, dell, ibm, compaq, sun? Companies are temporary.
> Users dropped from Facebook like flies and moved to Instagram.
Even worse, bought WhatsApp.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
[2] https://wikileaks.org/podesta-emails/emailid/8190
I like what Kagi does which is just using the nuclear option of "Look - if you fill your website with crap we're not going to index you"
That said, Google stripped away +must +include +terms from their searches so I do blame them some and not just SEO
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
So “smart rules” only means “more rules”?
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because users' data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GDPR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice, that is the core of a free market. It might seem counterintuitive, but regulations that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
The answer is to force them to adhere to rules. Not to loosen the rules.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
I'm not sure.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation."
Easy to not play the card game, by only collecting the data needed for your service.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.
I keep hearing that, but do we actually have stories about small European companies being ruined?
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.
The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.
I totally agree with this view!
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?
I've spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.
IP addresses are PII. This has long been determined.
This is a perfect example of uncertainty causing compliance overhead.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address....
> Untrue. IP is a category of PII but it's not PII in itself unless you're a law enforcement.
> Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so.
> More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
They are of course, like everything else context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tags manager to have a flag to not even send an IP address to the backend.
> They are of course, like everything else context-dependent legitimate interest,
Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)
I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
Then you probably need Datenverarbeitungsauftraege with that third-party company, which define precise purpose of processing the data. Data collection and processing is purpose bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.
(not a lawyer, but this is my understanding)
> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google fonts. To use them a website has to ask for consent from the user first. This can be done in a consent asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google fonts. As a company host web fonts yourself, or don't use them.
> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
That I cannot answer, or have not thought about in sufficient depth.
> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
I agree in theory but in practise, this just results in even more regulations. There are very few or no real world examples of stricter regulations being written in clearer terms. The reasons are numerous, but a big one is that people often have a financial incentive to circumvent these regulations. They attack the edge cases and the ambiguity between each word. If the regulations are not written sufficiently prescriptively, courts are swamped with cases and eventually a precedent is set which nullifies much or most of the intended purpose of the regulations. So regulators go to painstaking lengths to write clear and verbose regulations, but ensuring compliance with tens of thousands of pages of regulations are expensive, and this results in an economies of scale barrier for small businesses.
There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.
Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
> Ultimately this means fewer regulations generally are good for startups - and larger businesses.
Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.
I think that when I wrote that fewer regulations help small businesses, but that there are costs for this, you read, "all regulations are bad and I think they should all be removed." Since you didn't read my whole comment, I'm going to paste the important sentence again now:
> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
The real issue with regulation isn’t the rules themselves; it’s who ends up writing them. And it’s almost always one of two groups:
Politicians, who usually aren’t experts in the field.
Industry leaders, who have every incentive to make the rules tougher for everyone.
Small company and business should be treated differently than big corp. And the fine and punishment should be adjusted accordingly.
While I generally agree, just differentiating the fines is not sufficient.
Small businesses in particular do not have staff or the capacity to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR would be less vague on the rules surrounding typically collected data
At this point I think it's utopic. Meta has an army of lawyers, they will optimize and adapt.
But it's really hard to tinker as a single hacker when a German legal troll firm can come for you for linking Google fonts on your web page (i.e. transferring IPs so breaching privacy)
European startups will not profit if this deregulation goes through. US and Chinese corporations will.
While everyone talks about sovereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered. Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle. They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I've worked for startups and established industry giants and being compliant with GDPR did not stifle us in any way at all. It's really not that hard unless the business model depends on profiting off of user data. No good will come from this for the EU.
There is no certification to pass or anything. You just have to keep it in mind when creating your business. It's too easy to just abuse data and then claim that it's too late to fix.
I've been through several startups after GDPR went into effect, it's really not a problem.
I keep hearing this argument that it stifles small businesses, but how is that exactly? I've worked for a variety of small startups in NL and GDPR has never, not once, been a real issue or blocker.
Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.
Browser level consent primitives would be a significant improvement on the status quo.
I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I do want to often don't store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners"). While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
Do Not Track was a spectacular failure.
You can still turn cookies off in your user agent though.
It was a spectacular failure because the people who thought of it didn't stick to it.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
But they weren't prepped to take action yet.
Microsoft made the user expressed intent and the user expressed no opinion look the same.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
Microsoft made the default be, well, the default preference - what most users would set this setting to if they had to look. That's a good and sensible default.
The only reason why the advertisers were so unhappy about it is because what they do is neither good nor sensible by most people's standards.
I'm sorry but the word is "consent" not "intent" and that's literally how consent works.
If I (a complete stranger to you) walk up to you and kiss you on the lips, it doesn't make a difference whether you're wearing a t-shirt informing everyone you don't want strangers to kiss you on the lips or not - I don't have any basis on which I can presume to have obtained your consent so I'd still be violating your rights.
This is very much a "tech bros don't understand consent" case: if you do something without consent, you better have a damn good reason other than "but it's good for meeee" (or "good for my bottom line"). "My business model depends on it" also isn't a good justification - there are plenty of business models that depend on things that are unquestionably illegal, we just refer to them as "criminal enterprises" rather than "disruptive startups".
DNT headers are equivalent to those email signatures that pretend to be a legal document. You're just spamming the server with extra crap that does nothing and means nothing.
Actually it's worse, DNT headers are like posting a wall of text on facebook saying you do not consent to them using your images or posts for some purpose.
Track doesn't have a consistent definition across contexts, to regulate this you would have to fix it to something - what are your suggestions? DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
If you have a better write on regulation let's hear it.
DNT headers are not by themselves legally binding. However they can rightfully be considered an indication of a user's preferences (kind of like how the OS language settings can be an indication of what language a user wants a website to use).
What most people miss about the GDPR is that most of it (as well as the ePrivacy Directive covering more technical aspects like cookies) really only exists because of the one big thing at its core most people are either not aware of or intentionally omitting:
The GDPR establishes a user's right to ownership and control of their personally identifiable information as an inalienable and irrevocable fundamental human right. This is what makes all the rest of it necessary: it's not about "cookie banners", it's about requiring others to obtain consent for what they want to do with that information; it's not about writing "privacy policies", it's about explaining what you do with that information and how you guarantee their rights are respected by you and disclosing who you're passing it on to and how you're ensuring they too respect those rights.
The alternative to consent dialogs (whether as "pop-ups" or via confirmations when prompting for relevant information) would be requiring every website to have a written contract with each user. Consent is only valid if it is demonstrably informed (and non-coerced but that's a different story) and it must be specific and revocable. You can't have users blanket opt-in to everything you'd like - they wouldn't even know what consent they'd need to withdraw later if they reconsider.
By the way, courts recently seem to have started ruling that the way many AIs work the companies training them are in violation of copyright laws by using intellectual property as training data without permission and in order for contracts to be legally binding, anything given by one party has to be given consideration by the other (i.e. anything of value given by one party has to be balanced out with something of value given by the other party) - so I wouldn't be too quick to ridicule the idea that using Facebook means Facebook can do with your data whatever its terms of service say they can do, even if posting on Facebook can probably not be considered an effective way of informing Meta about your disagreement.
And, they could have been made legally binding. The EU established a precedent of requiring consent for tracking afterwards after the ship had sailed on this technology.
The only thing required to make a signal like that legally binding is the power of law. It just wasn't there for DNT.
> DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
Or it will take one clear message from the regulators saying they're equivalent.
What actual innovation is stifled by data protection laws? What small business is unable to operate because of the GDPR?
Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe.
> I don't see anything about GDPR that would harm innovation or long-term success for Europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
So either you're lying or your lawyers are lying to you.
In 9 years you could've finally read and understood the rather small law yourself.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
> What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
It's not a lawyer's job to answer that question because the answer is necessarily "yes" unless you intentionally did the illegal thing (i.e. intentionally did what the law explicitly tells you not to do) - and even then you might be able to defend it somehow.
The question is whether you have a good enough case for a ruling in your favor. And again, lawyers can't answer that because the question is always "it depends" - they're not in the business of fortune telling.
If you ask a lawyer for legal advice, it's their job to give you sufficiently good and accurate enough advice that if you tried to sue them over giving you bad or inaccurate advice they'd have a good enough chance of winning that lawsuit. How much they're willing to speculate about things like what's good enough for you and how high they'll set the bar depends on a variety of factors again.
There's literally no guarantee you can successfully defend something in front of a judge. The law is the law and the facts are the facts. If you end up in court, it helps if you have solid paperwork and a solid papertrail you can use to demonstrate you did everything correctly and in good faith - this is about creating facts that can be used to your advantage.
But the amount of expense required to do literally everything perfectly to the letter of the law and reliably document that you did so would make running a profitable operation impossible regardless of what laws we're talking about, so you necessarily have to strike a balance. And where you strike that balance is a business decision because it's about managing the risk of doing business. And that's not something your lawyer can decide for you - that's something you have to decide for yourself if you run the business. Because at the end of the day it's about your personal liability - whether through financial risk if your business is held liable or direct liability if you get personally held liable for your actions.
But this is not legal advice, I'm not a lawyer. I just know enough about (EU privacy and general German) law to be dangerous and accidentally trick actual lawyers into thinking I have a law degree.
By the way, that's also where that line comes from: it's saying "you can't hold me liable for decisions you make based on what I told you" - even when what a lawyer says is perfectly reasonable and sound to them they'll likely tell you it's "not legal advice" unless you are willing to pay the price tag of being able to hold them liable for what they said.
Before you get to a judge you will get plenty of warnings and ample time to fix whatever it is you're doing wrong.
For the absolute vast majority of companies GDPR compliance is trivial.
For the absolute vast majority of remaining companies GDPR compliance is simple.
There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).
I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy
No wonder you have "trouble complying with GDPR".
I never said we were having trouble complying. I said it cost time and money.
It costs money not earned by illegal selling of people's personal data, indeed.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
It's not just cookies and websites, it's any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Schrems? - if you think that this legislation is easy to comply with why did all of that happen? The EU can't even agree with itself on how to interpret its own law or what it does.
How the hell do you expect everyone else to?
Ughhh here we go again.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various Schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
As with many laws people think it's what it is sold as.
There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.
It's not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:
https://ico.org.uk/for-organisations/advice-for-small-organi...
Read it all, and tell me it's simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?
Imagine you're tasked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.
So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.
You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.
So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That was even less persuasive than I expected. BRB, gonna go tell Open Office and KDE they don't exist because Europe can't create software.
> I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
I've implemented it like a half-dozen times. Why do you think I'm so confident? It's truly not very difficult, particularly if you don't have to retrofit some hell-app that uses a billion cookies. For the most part, collecting PII is already a liability and you don't want to do this anyway outside of critical information (e.g., email).
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own governments running on non US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwards.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Etc. Etc.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
Literally everything.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Here's a good primer: https://trustarc.com/resource/schrems-ii-decision-changed-pr...
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared de facto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Yes, using USA based services with user data is against GDPR.
But sorry, saying "literally everything" is a gross exaggeration. Debugging a program with the help of ChatGPT is not using user data. Editing a logo is not using user data. Storing code on a web platform is not using user data. And others...
And even then, for some of the services (like mail, communication, ERP, etc.) there are alternative companies in Europe that work just fine.
I think GDPR is not perfect, but I do welcome measures to prevent over-collection of data by whomever.
> If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation
There are only two possible interpretations of this sentence:
1. You have just confessed to a crime. Do your engineers store user data in Notion?
2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.
> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"
Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them. Doesn’t help to undermine my point that this has become a topic of religious dogma here.
No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).
So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
> Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them
You think yourself more important than you really are. I've replied to many comments in this discussion, and three of them, I think, happened to be yours. Two of them happened in the same thread. This one.
> No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion
Ah yes. Where good faith is "GDPR is bad because welfare state and US intelligence"?
> So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
So, good faith and non-circular arguments are assigning words to opponents and trying to make them argue something they never said, apparently.
Imagine if anti-GDPR crowd actually argued in good faith. I can't. Because of behaviour like this.
> However, this generation is beginning to learn
"This generation" lol. I'm 45.
What I'm learning is that this generation will find a way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".
None of this is really true, though (except the paper straw thing which... obviously)
> Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Governments have deficit spending because we subsidize private inefficiency at a social level and refuse to run them efficiently. It's insisting on letting private entities run things that is clearly not working.
> clearer safe harbors for small actors
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
Not different rules for different people.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
This is different for different people said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
Corporations are not people. This is not different rules for different people.
In the traditionally implied sense of different rules for different social classes.
Because quantity is a quality of its own.
Because their conditions and abilities are different.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens?
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
>Different rules for different people huh?
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I wish you were right though.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
https://www.independent.co.uk/news/world/americas/asa-baker-...
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
> Different rules for different people huh?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Why did you use an LLM to write a comment?
In my case it is rarely that I use LLM to write comments but rather I frequently use an LLM on my finished comment to fix things I miss as a non native speaker.
The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.
But yes, it is possible to be very much human but also trigger certain people's AI detectors.
What makes you think it's LLM generated?
colons and directional quotation marks scare folks who don't know how to use them properly
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
The structure of what it wrote, and the banality of the point.
The double quotes perhaps?
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
HAHAHAHA good joke. Oh wait. You're serious. Oh god please no.
We're already at the point where lawyers are submitting AI-generated videos as court evidence, so...
We really should be at the point where those are former lawyers.
But 60% of the time, it works every time.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Finally!
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
Those “cookie banners” are nonsense aimed at getting this outcome.
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
See this article by GitHub about how they removed cookie banners: https://github.blog/news-insights/company-news/no-cookie-for...
When I open this link I'm greeted with the cookies banner
"We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services listed above will be used. You may change your selection on which cookies to accept by clicking "Manage Cookies" at the bottom of the page to change your selection. This selection is maintained for 180 days. Please review your selections regularly. "
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
The EU's maybe, but for my government I have no banners.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
> billion trackers ... dark patterns
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
Again, then why does the EU do this? Clearly it's not simply about eroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because it's annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
> Besides, you seem to be confusing something.
No. You asked "How can you comply with the current requirements without cookie banners?" Not "How can you have trackers and comply with the current requirements without cookie banners?" And "don't use dark patterns" would have answered this question as well.
>No. You asked How can you comply with the current requirements without cookie banners?
Within the context of the discussion of if it's malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of if it's malicious compliance or a natural consequence of the law.
You ignored that I said "don't use dark patterns" answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
[1] https://techgdpr.com/blog/data-protection-digest-3062025-the...
> Why would EU governments use cookie banners
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because it's extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
You CAN use analytics! Just need to use first party analytics... it is not so hard to set up, there are many open-source self-hosted options.
I hate how everyone and their mother ships all my data to google and others just because they can.
The regulation is only concerned with cookies that are not required to provide the service. It makes no differentiation between first party and third party - if you use cookies for anything optional (like analytics) you need consent. So you can have third party non-cookie analytics for example without a banner.
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot less people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this is covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
So take the IP, browser agent, your domain name and some other browser identifiers, stick them together and run them through SHA3-256, now you have a hash you can use for deduplication. You can even send this hash to a 3rd party service.
Or assign the user an anonymous session cookie that lasts an hour but contains nothing but a random GUID.
Or simply pipe your log output through a service that computes stats of accessed endpoints.
None of this requires a cookie banner.
> You need to identify the endpoint to deduplicate web page
You can deduplicate but you cannot store or transmit this identity information. The derived stats are fine as long as it’s aggregated in such a way that preserves anonymity
How would you deduplicate without a unique identifier or fingerprint of some sort (which would not preserve anonymity)?
No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need to know if it's the same person or not. The goal of analytics is to see how people in general use your website, not how an individual person uses your website.
So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie. Hash it together. Now you have a token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes). And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
Not rocket science.
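The short-lived deduplication token described in the two comments above (SHA3-256 over IP, browser details, domain name and a random ID kept in a 30-minute session cookie), as an added example that is not part of the original thread. The event layout, the simulated cookie jar and the sample traffic are constructed assumptions; the run also shows that a visitor who returns after the cookie has expired is counted again.

```python
import hashlib
import secrets
from collections import defaultdict

SESSION_TTL = 30 * 60  # seconds: the 30-minute cookie lifetime from the comment


def new_session_id() -> str:
    """Random cookie value; it encodes nothing about the visitor."""
    return secrets.token_hex(16)


def dedup_token(ip: str, user_agent: str, domain: str, session_id: str) -> str:
    """SHA3-256 over the four fields named in the comment.

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc")
    cannot produce the same hash input.
    """
    h = hashlib.sha3_256()
    for field in (ip, user_agent, domain, session_id):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()


def count_unique_views(events, domain):
    """Return {path: distinct-visit count}; tokens are dropped before returning.

    Each event is (unix_time, ip, user_agent, path, browser). `browser` is a
    label in the constructed data that selects which simulated cookie jar the
    request comes from; it is never hashed or stored (assumption of this
    example, standing in for the cookie the real browser would send back).
    """
    jars = {}                 # browser label -> (session_id, expires_at)
    seen = defaultdict(set)   # path -> tokens, held in memory only
    for ts, ip, ua, path, browser in sorted(events):
        sid, expires = jars.get(browser, (None, 0))
        if sid is None or ts >= expires:
            # No cookie, or it has expired: issue a fresh random ID.
            sid, expires = new_session_id(), ts + SESSION_TTL
            jars[browser] = (sid, expires)
        seen[path].add(dedup_token(ip, ua, domain, sid))
    # Only the aggregate counts leave this function.
    return {path: len(tokens) for path, tokens in seen.items()}


# Constructed sample traffic (documentation IP range, made-up user agent).
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
SAMPLE_EVENTS = [
    (0,    "203.0.113.7", UA, "/pricing", "A"),
    (30,   "203.0.113.7", UA, "/pricing", "B"),  # same NAT IP and UA as A
    (60,   "203.0.113.7", UA, "/pricing", "A"),  # repeat view, same session
    (100,  "203.0.113.7", UA, "/docs",    "B"),
    (7200, "203.0.113.7", UA, "/pricing", "A"),  # two hours later: new session
]

if __name__ == "__main__":
    counts = count_unique_views(SAMPLE_EVENTS, "example.com")
    for path, n in sorted(counts.items()):
        print(path, n)
```

Browsers A and B share an IP and user agent but get different random IDs, so they are counted separately; A's repeat view inside the session is deduplicated.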
> No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need to know if it's the same person or not.
Sure you do if for example you want to know how many unique users browse your site per day or month. Which is one of the most commonly requested and used metrics.
> So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie.
That looks a lot like a unique identifier which does require a user's consent and a cookie banner.
> Now you have a token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes)
The EU Court of Justice has ruled in the past that hashed personal data is still personal data.
> And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
It will also happen after 30 minutes have passed which will happen all the time.
> Not rocket science.
And yet your solution is illegal according to the GDPR and does still not fulfil the basic requirement of returning the number of unique users per day or month.
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesn't matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
> And now proponents of GDPR are blaming companies for following GDPR.
Not really, proponents of GDPR are aware that GDPR explicitly blocking trackers would be extremely hard as there is a significant gray area where cookies can be useful but non-essential, so you'd have to define very specifically what constitutes a tracker or do a blanket ban and hurt legitimate use-cases. Both are bad.
For some reason though people think that the body that institutes laws that try to make the world a better place, when loopholes are found and abused for profit, this is somehow the standard body making a mistake, rather than each individual profit-seeking loophole-abusing entity being the problematic and blame-worthy actor.
I never understand why, I guess you work somewhere that makes money off of this.
No, those companies do not follow GDPR. They are testing how far they can go without triggering mass complaints etc.
See https://noyb.eu/en/where-did-all-reject-buttons-come
By not setting a cookie until the user does something active when I then tell them (say on “log in” or “add to basket”).
You don't need a cookie banner for authentication/shopping basket cookies, since these are essential.
However, you are still required to provide a list of essential cookies and their usage somewhere on the website.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GDPR. I'd think they would overlap a lot with people who actually read it.
I don't think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that it's not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make them illegal. Simply operating as normal plus new GDPR compliance clearly isn't malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that it's not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And let's not get started on all the sites where the banner is just a non-functional smoke screen.
Don’t track your site visitors.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
OK sounds great.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers). Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site unto itself is a first party tracker, but if your developers can't do it there are open-source solutions available to host.
Again, great. Didn't happen and isn't required by GDPR though.
Malicious compliance are those dark patterns where it takes one click to accept all but multiple clicks to reject all.
I remember the early-day cookie banners of Tumblr: accept all, or deselect 200 tracking cookies by clicking each checkbox.
I could just as easily say don't send data you don't want tracked.
Can we get the do-not-track header instead?
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
Or a new, opt-in "Do-Track" that means consent to tracking, and anything else means tracking is not allowed. Why should it be opt-out?
As long as there is Do-Not-Track as well, and companies must follow BOTH, this would be ok by me.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of what? Instead of the central browser controls?
>Instead of what?
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
This very article is about how we're getting a central browser control, and your comment was "can we finally get a central browser control instead?".
Well, it's a minor detail hidden in the middle of the article, I also missed it.
But the person weberer replied to was quoting the exact place.
Whoops, didn't read the entire quote ...
So they finally admit that it was a mistake.
Even EU government websites had annoying giant cookie banners.
Yet, somehow the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
50 is not even close.
Those banners often list up to 3000 “partners”.
The cookie law made this worse.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
uBlock blocks most of those for me lately.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... does a similar thing.
I use the first of those extensions, it's the cookie whitelist one that no longer works for me.
There could be an extension to block the banners, too. I think uBO has a feature to block certain CSS classes?
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when I close the tab.
The problem with uBlock etc. is that just blocking breaks quite a lot of sites.
You can just set your browser not to send whichever cookies you don't want to.
Cookies are a client-side technology.
Why does the government need to be involved?
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
You could try and read the law yourself. After all, it's only been 9 years.
It covers all data processing whether automatic or manual.
The law literally doesn't talk about cookies. Or any other ways of tracking. (well, it does. In the preamble. The regulation itself is tech agnostic)
It doesn't have to contain the word "cookies" to describe the way they operate.
Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
--- end quote ---
etc.
Not really, it disallows tracking even if you aren't storing anything (eg via fingerprinting):
https://gdpr.eu/cookies/
That link seems to say the opposite:
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client side anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
> Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client side anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
> The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the sites I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read, and on top the browser has a language preference: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites to require a language cookie for a non-authenticated user.
> But one row before it mentions "such as accessing secure areas of the site."
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
> allow you to save your login if you come back later.
Again, is there any browser nowadays that doesn't save the login? I don't know any personally, but I do not know all of them. And if there are, how much market share do they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several pieces of information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookies (oh, maybe they think of the food! Yummy)
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Which is presumably the reason nobody uses Midori
I liked it. The reason I don't use it is because it doesn't support modern JS heavy websites.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
Cookies that keep you logged in or maintain a session don’t need consent
Blocking cookies client side will block all cookies regardless of value. Hence the usefulness of law to disambiguate.
Of course, let ME decide if I want to keep fdfhfiudva=dsaafndsafndsoai and remove cindijcasndiuv=fwíáqfewjfoi. I know best what those cookies do!
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
Because it's not about cookies. Ad trackers shouldn't store my precise geolocation for 12 years for example: https://x.com/dmitriid/status/1817122117093056541
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
> Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at.
Server logs can provide this information.
Only in very simple ways.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things; the problem is whether we agree as a society that it is OK, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and am still bombarded with the ad for the same thing.
But data collection can be used for far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
This isn't even about ads. It's just about basic business metrics.
And no, you can't just "wait 2 weeks and check for the actual sales volume difference". The example I gave requires individual anonymized tracking. Pretty much anything that has to do with correlations in customer behavior requires individual tracking. And that's how businesses improve.
Also, it's not just giving up "some percentage points". There are a huge number of small businesses that can only exist because Facebook ads work so well in targeting very precise customer segments who would never know about their product otherwise. Targeting advertising does actually work, and you'd be putting tons of small business owners out of work if you got rid of it.
Maybe what you say is correct, but without a reference it can also be an opinion influenced by your domain of activity.
What I see though is many shops closing, because more and more people are buying online. What I hear is people buying crap from Amazon and throwing it away very fast, or using fast fashion from the likes of Shein. Neither seems to me a great outcome.
I did a cursory look and I found this https://www.pewresearch.org/short-reads/2024/04/22/a-look-at... , will quote "The number of high-propensity business applications – those that are highly likely to turn into businesses with payrolls – remained relatively stable between 2009 and 2019,". This for me does not support the idea of a "huge number" that only exist due to Facebook (business exits have also grown over the period, more data at https://data-explorer.oecd.org/), but of course this is an interpretation.
Not for the amount of stuff on the web now that is client-side rendered.
Client side rendering means in practice clicking a product retrieves JSON and images instead of HTML and images. This can be logged.
Okay, and why do you need to share whatever info you collect with thousands of random data "partners" if it's just for you to keep track of whatever made up thing you say you need to track? Because in reality that's what GDPR exposed, that random ecomm website selling socks or whatever is sharing everything they know about you with a billion random companies for some unknowable reason.
Cookie banners are made obtrusive by the people running CMPs as they want to make it as hard as possible to stop collecting the data
Funny thing is that I often will go out of my way to find the least permissive settings if the banner is obnoxious or has a dark pattern.
every accusation is a confession you see...
> if you don't do anything "bad" then you don't need the banners.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners"?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
Worst implementation ever. I bet it is the reason that most people are now taking antidepressants.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rile people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would actually not need any banners at all.
Why do European government websites do the same thing then? They’re also spreading propaganda?
Related ongoing thread:
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
The cookie thing sounds good at first but then it shows that they want to reduce cookiewalls by making more things ok without asking :(
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the "necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I'll keep blocking all ads and tracking anyway.
No, preferences are not strictly necessary, check https://gdpr.eu/cookies/
I would on the other hand ask if I should really set my "preferred language" on every device I log in?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue was never the law.
the issue was the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I were to implement user management for whatever reason, I would NOT NEED to show the banner either. ONLY if I shared the info with a third party. The rules are simple yet the ways people bend them are very creative.
A cookie is something that is sent to the server, by design - that's their whole point! So if the only part of your code that needs them lives on the client, cookies are the wrong mechanism for that - use localStorage instead.
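The difference described in the comment above, as an added example that is not part of the original thread: the same font-size and theme preferences kept in `localStorage` stay in the browser, while the cookie variant attaches them to every request. The storage key, the allowed values and all function names are assumptions made for this sketch.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const STORAGE_KEY = "reader-prefs";
const DEFAULTS = { theme: "light", fontSize: "medium" };
const ALLOWED = {
  theme: new Set(["light", "dark"]),
  fontSize: new Set(["small", "medium", "large"]),
};

// Stored values can be edited by the user or by injected script, so only
// allowlisted strings are ever accepted back from storage.
function sanitize(raw) {
  const out = {};
  if (raw === null || typeof raw !== "object") return out;
  for (const key of Object.keys(ALLOWED)) {
    if (typeof raw[key] === "string" && ALLOWED[key].has(raw[key])) {
      out[key] = raw[key];
    }
  }
  return out;
}

// Client-only design: read preferences from a Storage-like object.
// prefersDark is the browser's own setting (prefers-color-scheme), used as
// the default so nothing needs to be stored until the user overrides it.
function loadPrefs(storage, prefersDark) {
  let parsed;
  try {
    parsed = JSON.parse(storage.getItem(STORAGE_KEY) || "{}");
  } catch {
    parsed = {}; // corrupted entry: fall back to defaults
  }
  const base = { ...DEFAULTS, theme: prefersDark ? "dark" : "light" };
  return { ...base, ...sanitize(parsed) };
}

function savePrefs(storage, prefs) {
  storage.setItem(STORAGE_KEY, JSON.stringify(sanitize(prefs)));
}

// Cookie design, for contrast: this is the header value the browser would
// send to the server with every request once the cookies are set.
function cookieHeaderFor(prefs) {
  return Object.entries(sanitize(prefs))
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("; ");
}

// What leaves the browser on a page load in each design.
function outgoingHeaders(design, prefs) {
  const headers = { Accept: "text/html" };
  if (design === "cookie") headers.Cookie = cookieHeaderFor(prefs);
  return headers; // "localStorage" design: preferences never hit the wire
}

// Minimal in-memory stand-in for window.localStorage so the sketch also
// runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Browser wiring: apply values through data attributes, never via innerHTML.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const dark = window.matchMedia("(prefers-color-scheme: dark)").matches;
  const prefs = loadPrefs(window.localStorage, dark);
  document.documentElement.dataset.theme = prefs.theme;
  document.documentElement.dataset.fontSize = prefs.fontSize;
}
```
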
> lets you set font size and dark/bright theme,
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal data, so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
That's not true. You can use those cookies, you just need to explain them somewhere on the site. No opt in required.
I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g. Google Analytics) or putting actual personal data in them, you're generally fine without the banner.
Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway, I assumed that was the agreement between EU information officers)
I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all). Check the Steam store, for example: their banner is non-intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
0. https://guides.libraries.psu.edu/european-union/official-ser...
1. https://www.europarl.europa.eu/portal/en
2. https://www.consilium.europa.eu/en/
3. https://european-union.europa.eu/index_en
> "lawbreaking" (as defined by you)
What do you mean? The original post mentions 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
That is unfortunate, EU could well present itself as an example of how things can be done right. Unfortunately incompetence and/or indifference, plus lack of IT talent willing to work for the public sector is also a thing in politics. It's an opportunity lost for sure.
> law wasn't poorly written, most websites just don't follow the law
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Most websites in the EU also aren't following the law.
people intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.
Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either
I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.
> Most websites do. not. need. cookies.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
Functional cookies are fine. Even analytics is fine if you're using your own (though said own analytics must also comply with GDPR personal data retention rules).
What is not fine is giving away your users' personal data to pay for your analytics bill.
Non-risk cookies never required a banner.
joke's on them, I never followed the law anyway
I'm convinced there's a psyop on this site when it comes to GDPR, and I'm only half-joking. If people would bother to read those intrusive banners, they'd notice that their info is being harvested and shared with hundreds, even thousands of "partners". In what universe is this something we should be okay with? Why exactly does some random ecommerce site need to harvest my data and share it with a bajillion "partners" of theirs? Why are we okay with that?
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.
I will believe this when I see it.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
I don't want an internet designed by lawyers and politicians. And I'm afraid that's what this level of regulation and enforcement would create.
Right, because an internet designed by profit motive is going great
I kind of like it. I mean here we all are on it. And sites like HN can just be written by one person and put up by one person with no permissions. The alternative if the government controlled it would be something like the Apple app store where you have to pay a fee to maybe be allowed to do something.
No it would not. We're already in some alternative where the government says that you can't make a website to sell CSAM, for instance. And we all agree that this is a good thing.
The goal of regulations is to prevent undesirable behaviours by making it "too costly" to do. The goal is not to take 30% on every app sale.
The post I replied to was on an internet designed with a "profit motive". What you describe is still basically profit motive with laws to stop bad things. I'm not quite sure what you get if you removed the profit motive. Maybe the app store wasn't a good example. Maybe something like the BBC?
My point was that the post you replied to was not saying that the alternative would be that the government would run it for profit. It was just saying that maybe it's better to have rules set by the government than to have the whole thing driven by profit-maximising machines.
If it wasn't, you would see illegal ads all over the place. I mean you already do, but the "soft" ones.
Complaining about regulations as a concept is usually about forgetting those that work and seeing exclusively those that annoy you.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I don't want an internet designed by businessmen and advertisers, yet here we are.
"I don't want a society regulated by rules"
I'm not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
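What "abiding by the do not track/global privacy control headers" could look like on the server, as an added example that is not part of the original thread: the `DNT: 1` and `Sec-GPC: 1` request headers are read before any banner or non-essential cookie is emitted. The cookie categories, the rule that a signal overrides stored consent, and all function names are assumptions made for this sketch, and the sample requests are constructed.

```javascript
// Added example, not code from the thread. Categories and names are hypothetical.
const NECESSARY = "necessary";

// Header names are case-insensitive, so normalise before looking them up.
function privacySignal(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = String(value).trim();
  }
  // Only the exact value "1" expresses the opt-out for either header.
  return { gpc: h["sec-gpc"] === "1", dnt: h["dnt"] === "1" };
}

// Decide what the response may do. storedConsent is the list of categories
// the visitor accepted earlier on this site, or null if never asked.
// Assumption: a browser-level signal wins over stored consent and
// suppresses the banner entirely.
function consentPolicy(headers, storedConsent) {
  const signal = privacySignal(headers);
  const base = { vary: "Sec-GPC, DNT" }; // caches must key on the signal
  if (signal.gpc || signal.dnt) {
    return { ...base, showBanner: false, allowed: [NECESSARY],
             reason: signal.gpc ? "sec-gpc" : "dnt" };
  }
  if (Array.isArray(storedConsent)) {
    const allowed = [NECESSARY, ...storedConsent.filter((c) => c !== NECESSARY)];
    return { ...base, showBanner: false, allowed, reason: "stored-consent" };
  }
  // No signal and no earlier answer: ask, and set nothing optional meanwhile.
  return { ...base, showBanner: true, allowed: [NECESSARY], reason: "no-signal" };
}

// Drop every cookie whose category the policy does not allow.
function filterCookies(cookies, policy) {
  return cookies.filter((c) => policy.allowed.includes(c.category));
}

// Constructed sample data: cookies a page would like to set.
const WANTED_COOKIES = [
  { name: "session", category: "necessary" },
  { name: "stats_id", category: "analytics" },
  { name: "ad_partner_sync", category: "advertising" },
];

// Constructed sample requests.
const SAMPLE_REQUESTS = {
  gpcBrowser: { "Sec-GPC": "1", "User-Agent": "constructed" },
  dntBrowser: { dnt: "1" },
  dntZero: { DNT: "0" },
  plain: { "User-Agent": "constructed" },
};

function cookieNamesFor(requestKey, storedConsent) {
  const policy = consentPolicy(SAMPLE_REQUESTS[requestKey], storedConsent);
  return filterCookies(WANTED_COOKIES, policy).map((c) => c.name);
}
```
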
Yes, that's what I meant.
Also businesses are not people. People may not do illegal things "just because they are illegal" or because they want to be "good" (e.g. I agree that we should not litter, I wouldn't even need a regulation for that).
Businesses are profit-maximising machines. If it is profitable to litter, a business will do it. The framework in which businesses maximise is set by regulations, which represent what society wants. That's how capitalism works.
The limit of capitalism is when businesses are more powerful than the entities in charge of enforcing the regulations. If "enforcing a regulation" means having lawyers work on it, but the businesses themselves have orders of magnitude more lawyers trying to prevent those entities from doing their jobs, then we have a problem. That's a limit of capitalism, IMO.
The EU's own government websites are littered with cookie consent banners. They want the data too.
Again, because those entities ("EU", "governments") are made of many people. It's not one guy who says "this should be illegal, but I will put it on my website too".
Too late, and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process-oriented, feels-over-reals environment is not attractive to competitive business.
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
0. https://news.ycombinator.com/item?id=45970663
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
What were they doing with user data?
Most are running ads and need to track the performance of their ad spend I believe, at least that's what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
How do I stop you from tracking this information about me?
Do not consent when asked or, better yet, do not use websites that implement these techniques.
So can’t abuse people’s data without their consent is being strangled?
Is that like I’m strangled with my start up of “cheapdvds.com” because I can’t sell someone else’s data?
You have a funny definition of the word “abuse,” and “sell.”
“25% of our users that arrived from the newest ad came from Facebook and 85% of those were mobile users.”
So abusive. So much selling.
And when someone visits your website, you don't tell anyone about their visit, right?
RIGHT?!
That's an egregiously poor faith interpretation of what they said.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Biggest issue with this is that modern web ads don't even work.
You get ads for a fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
It does work, I have seen enormous and well designed tests to show it.
> GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
Good! I don't want ads to be a thing in the first place. It's a good thing that industry is being strangled by regulation.
Essentially all modern advertising is evil.
They are strangled by rules in using personal data on algorithmic advertisement?
GOOD!
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use it for profiling me for whatever (whatever!) reason; in the overwhelming majority of cases all of these are for others' benefit, with no or marginal benefit for me.
If startups cannot do it properly, then they should not do it at all! They must spend on handling personal data well if they want to handle personal data at all! There are more than enough already, and most just go bust, circulating the data they collected who knows where and how. And they are surprised it is so hard to compile data on people; people are increasingly reluctant to share because of the many abuses and actual damage caused by abused personal data.
People are important, not the startups!
Sure and that's why the EU now has the weakest tech sector of any service industry and has become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia and compared to them the EU is doing just fine
You’re comparing the tech sector of the EU to that of Africa?
No
Nice edit
Bad troll!
Sure, but since the EU has destroyed its own innovation so much, soon you'll get no choice in the matter.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
> to blocking self-driving cars.
This part seems mis-informed.
https://www.arenaev.com/mercedes_gets_level_3_autonomous_dri...
https://www.arenaev.com/bmw_ix3_gets_handsoff_motorway_assis...
European cars from almost every brand, already have emergency braking, adaptive cruise control, lane keeping, lane switching, etc., which get us 70% of the way there in terms of road safety.
I don't want to be experimented on by companies like Tesla:
Let them kill US citizens and keep lying and hiding things:
https://www.arenaev.com/tesla_robotaxi_troubles_grow_with_se...
> Understanding exactly whose fault these crashes are is tricky because of how Tesla fills out its forms. Automakers must send reports to the National Highway Traffic Safety Administration (NHTSA). Most companies explain the crash in a written section called the narrative. This narrative tells the public whether another driver ran a red light or if the computer made a mistake.
> Tesla chooses to block out this information and redacts the narrative section entirely. This prevents the public from knowing the truth, but it is entirely legal, even if it frustrates data analysts. Without the story, nobody knows if the Robotaxi caused the crash or if it was a victim. Fans of the brand often argue that other drivers cause these wrecks. That might be true. But since the company hides the proof, nobody can say for sure. Other autonomous companies like Waymo share these details openly.
I love how you can think about any of these ideas in a really basic way like a 5 year old and you'll know intuitively that it'll all fail, particularly if you invert it:
for example:
- bureaucracy creates less bureaucracy
- price controls create more supply
- adding more rules creates more freedom
- government is good at understanding technology
- the more people you have the better your decisions will be
- the further someone is from a problem, the better they can solve it
etc
Let me introduce you to the concept of "Negative Liberty": https://en.wikipedia.org/wiki/Negative_liberty
I quite like not having my personal data stolen by foreign megacorps for nefarious purposes. In that, I am freer than Americans thanks to Europeans regulations.
Generally agree, except for point three.
- adding more rules creates more freedom. Imagine the US without a constitution. It’d be madness. In a lawless country, people would be less free to do things they actually want to do because they’re so occupied with just surviving.
Rules are necessary, but ideally you'd strive for the minimum set that produces the desired outcome w/ the least side-effects.
Europe should make business registration a single one page one step operation first.
There are dozens of stories how registering a business alone can take several months and tons of paperwork.
Well, yes, Europe is after all a collection of 44 countries, with 27 of them being in the EU, and three EFTA countries. So you're dealing with that many different sets of laws.
Some countries are extremely strict, others are more lax. Where I live (Norway), starting a business is pretty easy and straightforward. Other countries, like Germany, are notoriously difficult from what I've read.
And again, some countries have very strict laws and guidelines you need to follow, once you've started a certain type of business. Where I live it is relatively easy to start an LLC, but you'll need to put some money into it, and you can easily get fined - or even face jail - if you don't follow the laws for accounting/auditing. It becomes problematic, quite fast, if there are no unified codes for these things, if everyone's going to be able to operate cross borders.
Not to mention all the other laws (consumer laws, etc.)
How is Europe, much less the EU, supposed to do that?
Registering a business in Estonia is famously relatively straightforward, while it is an absolute pain here in Germany. But business registration is the responsibility of the countries themselves and it should remain that way
There's the idea of creating a so-called 28th regime under which a streamlined registration process would allow the creation of business entities in all EU countries. See: https://www.eu-inc.org/ - https://en.wikipedia.org/wiki/28th_regime
How realistic is it that it will be implemented? Sounds more like wishful thinking at the moment.
In Sweden and Netherlands it is quite easy and straightforward to register a business, speaking from personal experience. Tax filing is quite straightforward as well, especially for personal income tax.
Starting a company in Sweden requires (uploaded PDF from Bolagsverket to ChatGPT who summarized):
1. Prepare the foundation deed and the articles of association. 2. Identify the beneficial owner(s). 3. Pay the share capital and obtain the bank certificate or auditor’s statement. 4. Submit the registration application for the limited company to the Swedish Companies Registration Office (Bolagsverket) and wait for approval. 5. If applicable: submit a certified copy of your passport (non-Swedish citizens). 6. Apply for F-tax approval and VAT registration and wait for the decision. 7. Register as an employer if you will pay salaries. 8. Keep continuous bookkeeping and prepare the annual accounts each financial year. 9. Submit the annual report to Bolagsverket every year.
Optional:
1. Obtain business and personal insurance. 2. Register trademarks or protect other intellectual property. 3. Choose an auditor if you want one or when the company later reaches the required thresholds. 4. Register a cash register if you accept cash or card payments. 5. Meet requirements for import/export and obtain an EORI number. 6. Follow rules for buying/selling goods or services within or outside the EU. 7. Keep a staff ledger if required for your industry. 8. Follow reverse-charge VAT rules if you operate in construction. 9. Apply for permits if your specific business activity requires them.
This is not what I'd call a straightforward process, personally. Also speaking from personal experience. Sorry for the formatting.
Are you implying that there is a country somewhere you don't have to "keep bookkeeping and prepare annual accounts"? Sounds like bog standard things.
No, that's not what I'm implying. I'm saying that it's needlessly complicated.
> This is not what I'd call a straightforward process, personally.
It's a (check)list....what could be more straightforward?
I guess it depends what we mean with straightforward. If we mean something along the lines of "no ambiguity" then yes. If we mean something along the lines of "simple, easy to do" then no. Almost anything can be accomplished with a sufficiently long checklist. I just feel like the entire process could be streamlined and simplified.
> There are dozens of stories how registering a business alone can take several months and tons of paperwork.
What does this even mean? You have examples from ALL of Europe? Each country has its own process, and at least in "my" country it is very easy.
They had enough time to push browser vendors to implement an API which allows the user to specify the preferences, so that the page queries the API, instead of the user.
This is a step back. All these years of clicking those banners is now for nothing.
As someone who had to implement GDPR, it would be really frustrating if all people thought it was was the banners (which I’m not even sure was GDPR).
While our company was very good at handling customer data already, it forced us to up even our game.
Other companies, however, were absolutely miserable at it.
GDPR has improved user privacy for the billion+ Internet users across the board, whether they are EU citizens or not, and most won’t even know about it.
Maybe that's just media consumption and reporting bias, but I feel like data leaks have been a lot rarer and less impactful in Europe in recent years compared to the US and based on that the scam/identity theft activity also less intense.
Poor Europe - lobbyists make sure that Europe stays weak.
That statement includes Ursula by the way.
Lobbyists make sure that ~~Europe~~ the world stays weak.
They need more strict financial regulation than politicians do!
The current situation of having enough rules and regulations that all the AI companies set up in other countries is going great eh?
You can't build large ML models without swaths of data, and GDPR is the antithesis of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
The GDPR is about protecting personal data, what personal data could you possibly need to train an AI model?
Let's turn that around. What personal data wouldn't help train an AI model?
I know the HN rules say the title should not be changed, so it's the article's fault, but the EU is NOT Europe.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
They seem to be reporting on two drafts that were leaked by Netzpolitik.
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
https://ec.europa.eu/transparency/documents-register/detail?...
https://ec.europa.eu/transparency/documents-register/detail?...
They can be downloaded here: https://digital-strategy.ec.europa.eu/en/library/digital-omn...
> The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval...
Not a done deal.
AI seems like the real deal. I have never seen a technology so quickly and aggressively adopted in corporate america -- every ceo is horny to adopt ai, thinking it will cut costs (read that to mean: "replace you").
They did not have the same fervor for SaaS or cloud, if you recall. You needed sales people for that tech and they were compensated well bc it's hard closing a multi year, potentially multi million dollar deal.
But AI needs no sales people to sell its value prop. CEOs have fully bought in. And now, even European bureaucrats, the most bureaucratic of bureaucrats, are loosening regulations. And these are the same group of people who thought cookie banners would help with privacy. Strange times.
Wait for the bubble to burst, shouldn't be long now. Bureaucrats are like C-suites, they're very susceptible to hype and trends.
I have been waiting for a bubble to burst since the dow hit 20,000.
Europe has no chance to compete with the USA and China. I'm European and I can only see ineptitude and corruption everywhere.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer to verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
> All consuming vague regulations like GDPR increase the cost of a startup by 500%.
Source?
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have its own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
Europe does have Microsoft. Actually, it has Microsoft in almost every single respect except the primary beneficial ones: taxes, employment and oversight.
Yes, and I wish we'd give them the boot for not following the relevant regulations.
Europe having its own Microsoft might be better than Europe having to use the US one and sending it like $100/user/yr in whatever subscription they've tricked them into.
Europe doesn't have to use the US one. It's been the easier choice historically, but there's little beyond inertia forcing Europe to stick to Microsoft. Not that that inertia isn't nothing though.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
Draghi's recommendations to roll back regulations had nothing to do with purported special interests, but with his view that regulation was stifling European development. And he's as old guard Euro-establishment as they come.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that the EU in general kinda knows that for various reasons they won't be able to make their version of money machine big tech. So why not try a different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobby that wants to exploit them.
But if you ask anyone in Europe on the street they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
It's gonna take a decade to roll down all those cookie banners.
Is this one of the initiatives to start syncing with the new 28th regime?
https://en.wikipedia.org/wiki/28th_regime
> Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
For 'central browser control', what is technically the mechanism behind this? Is it something like an entirely new request header sent by the browser? Or re-using some existing RFC? Also curious if the regulation will compel browsers to implement this or something.
Managing cookie permissions at the browser level always made the most sense, but implementing it with regulation is what seems hard.
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more successful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place? People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non-essential use illegal.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
Here's a story about how the mere perception of "regulations exist and are strict" is dragging down my European AI start-up:
Our product makes it easy to capture and share knowledge on the factory floor, which is very important when many of your workers are about to retire. Interest is enormous. It is a simple SaaS. You'd think selling would be easy. And it is: In the USA. In Europe the mere existence of the regulations (not what's in them) delays us by 6 months at least per deal.
No European executive really understands what is in the GDPR, and even though we are 100% compliant, there is nothing we can do to take away this fear. This means that when we talk to European companies, IT and Legal departments always have to be closely involved, leading to all sorts of political games; each department conjures up non-existing risk by talking vaguely about data privacy, just so they appear important. Half a year later when the dust has settled, the executive buys the product, or their mind has moved to other things.
My point is this: What is in the laws is not important to me. What is important is that the current perception of laws turns companies into slugs. I want us to mentally move back to 2018 where we could "just buy SaaS" without worrying endlessly about data privacy. I understand hesitancy when it comes to cyber security, but that is not what is slowing us down.
One of our workarounds currently is simply never to mention we use AI.
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
What exactly did you see about cucumbers?
They scrapped it actually but this law used to be the main example for overbearing EU bureaucracy
https://www.theguardian.com/lifeandstyle/wordofmouth/2008/no...
The actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem with mandating truth in advertising.
I have mixed feelings about this one. While I was never too excited about some of the unintended consequences of GDPR. That said, I do see benefit of the EU being the world's regulator on these types of things. I don't have confidence that anyone else would do it if the EU didn't. Even for those of us that don't live in the EU (I am in the US myself), I do feel like the EU plays the role of keeping things in check for the rest of us even if we are directly impacted by their regulations.
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I don't see how training an LLM has anything to do with privacy laws.
It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.
Names and IP addresses are like 1% of what meets the gdpr definition of personal data.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society is NOT a negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs is as real as the companies like to claim, there is enough data on the internet to train LLMs while paying proper royalties for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
Good luck getting rid of LLMs
I wish there was a link to the source of this information in the article! I'd like to read the updated version of these laws (if they're public).
So they've missed the innovation train due to regulation, and now they are likely to axe the side-effect benefit of said regulation.
The news feels bittersweet. With 10+ years of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform.
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
What constitutes data about people?
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
You're being deceptively dense.
PII has a very clear definition. Posts on a public forum are not part of it.
> PII has a very clear definition.
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
We're in post-growth-times, please understand that we need to get all your names and data, so that the Elysium-Cloud can reach, and help you all, the full 8-Billion surrogates ...
It's perhaps worth linking to the official EC page on this proposal: https://digital-strategy.ec.europa.eu/en/faqs/digital-packag...
What data are cookies providing that browser fingerprinting can't?
From what I can tell, we have to click all these pop ups for no reason at all.
The llm answer to this was clarifying. Thanks for bringing up the q.
Europe is also introducing Chat Control so that might be why they are moving back.
Wasn't that put on hold?
Now we are fucked too as EU citizens. I hate AI more and more! MY DATA IS MINE. I hate the future. I just hope this gets sacked by the parliament or the judges. If not I need to find ways to keep as much personal data to myself as possible. The internet has become a very hostile environment for real humans and we need to learn to tread very carefully and avoid giving anything to the data poachers. My life is not a resource like crude oil ffs!
You don’t need politicians to help you keep your personal data to yourself.
I wonder if Apple holding back features helped the EU realize that hey, maybe the regulations are getting too onerous. I like to think so.
Anonymization unfortunately is completely broken under GDPR. In principle it provides a clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established, even considering the person doing the anonymization. Consider a clinical study on 100 patients and some diagnostic parameter of theirs such as creatinine or H1bc which was legally collected using consent and everything. Let's assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test: whether anybody using reasonable efforts could re-establish an identity. And sure the original researcher can because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
You should probably look into pseudonymization in your case, not actual anonymization. Look into C‑413/23 P in more detail to see if it's applicable in your situation; it's essentially the first case law around it. You probably do need some extra controls (like a contract that the data is not shared) just in case, to avoid the data coming into the hands of someone else who could identify the people, depending on how detailed the data is.
So no more cookie banners taking up half the screen of every website I load?! Great!
From Europe, I agree with big tech getting it. But I don't agree with a random flower shop somewhere getting fined because they don't know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also don't agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you don't provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didn't make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because it's not easy and your easy 'Accept' button is meaningless as a result
And this is just one of its contradictions. The more you dive, the more convoluted it gets. It's a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
> The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant
It absolutely isn't. I set up a blog for a friend where she shows her art and publishes an appearances itinerary/schedule. It doesn't collect ANY info from visitors, therefore requires no cookie banner at all. Simple as that.
HTTP logs are retained for 7 days for security analysis and then wiped. No analytics available, although my understanding is that a self-hosted Matomo instance set to anonymize the last 2 IP bytes of every logline it ingests would still be considered exempt from a banner.
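A sketch of the log handling described in the comment above (7-day retention, last two IPv4 bytes zeroed), as an added example that is not part of the thread and is not Matomo's code. The combined log format, the /48 prefix kept for IPv6, and the names `mask_ip` and `scrub` are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.77 - - [10/Nov/2025:08:15:02 +0000] "GET /schedule HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Nov/2025:21:40:11 +0000] "GET /art/1.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [19/Nov/2025:06:01:45 +0000] "GET / HTTP/1.1" 200 1043 "-" "curl/8.5.0"
not-a-log-line
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<mid>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(text, v4_keep_bits=16, v6_keep_bits=48):
    """Zero the host part of an address.

    Keeping 16 bits of an IPv4 address is the "last 2 bytes" masking from the
    comment. The IPv6 width is an assumption made for this example.
    Raises ValueError if the text is not an IP address.
    """
    addr = ipaddress.ip_address(text)
    # Treat ::ffff:a.b.c.d as the IPv4 address it carries, so it is masked
    # with the IPv4 rule instead of collapsing to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = v4_keep_bits if addr.version == 4 else v6_keep_bits
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def scrub(lines, now, retention=timedelta(days=7)):
    """Return (kept_lines, dropped_count).

    Lines older than the retention window are dropped. Lines that cannot be
    parsed are dropped too, so an unmasked address never survives by accident.
    """
    kept, dropped = [], 0
    for line in lines:
        match = LINE_RE.match(line)
        if match is None:
            dropped += 1
            continue
        try:
            stamp = datetime.strptime(match["ts"], TS_FORMAT)
            masked = mask_ip(match["ip"])
        except ValueError:
            dropped += 1
            continue
        if now - stamp > retention:
            dropped += 1
            continue
        kept.append(f'{masked} {match["mid"]} [{match["ts"]}] {match["rest"]}')
    return kept, dropped


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    reference = datetime(2025, 11, 20, tzinfo=timezone.utc)
    lines, removed = scrub(SAMPLE_LOG.splitlines(), reference)
    print("\n".join(lines))
    print(f"dropped {removed} line(s)")
```

Masking at write time, rather than in a nightly job, keeps full addresses from ever reaching disk; the retention pass then only has to delete by age.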
> HTTP logs are retained for 7 days
There you go. The moment you save any information that can help identify someone for any period, you are within the scope of the law. God forbid you keep the IPs for any reason.
> for security analysis
The law doesn't give a zit about what you do it for. If you retain any personal info or set any cookie, you have to tell the user about it and give options.
> Matomo instance
Hahaha - Matomo itself is non-compliant with the law. Its developers think that anonymizing info or collecting bits and pieces for functional info and setting a cookie for that purpose allows you not to show a banner. That's wrong. It doesn't matter for what you collect info or set a cookie - the moment you set a cookie, you have to show a cookie banner and tell exactly what you are collecting and what you are using it for. Even for functional cookies.
The only way you can be compliant with this law is by setting an apache header or something to delete all cookies the moment they are set so that you won't leave any cookie. Even in that case, you may be responsible for you are holding that information even for a few milliseconds. (yeah, you as a techie think that it's not important, but law doesn't work that way). Best chance is to have a server that does not set any cookie or collect any info in any way. Good job preventing spam, fraud, DDoS with such a setup.
Related:
Europe's cookie nightmare is crumbling. EC wants preference at browser level
https://news.ycombinator.com/item?id=45979527
> European Commission wants browsers to manage cookie preferences instead of pop-ups on every website.
Better late than never, but it's insane it took them almost a decade to figure this out.
People here act as if GDPR was some kind of big reason why all the digital tech is from the US. But come on it's not like the game hasn't been rigged forever. To be more specific it's been part of the deal with Europe being a close US ally. None of the European digital tech is ever supposed to be relevant. And in case some European digital tech is relevant it has to be absorbed by the US or at least made to look irrelevant so nobody sees or cares about it.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help the US at a time when it needs it. To allow some US big tech software to sweep in, exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in Europe... it's doing fine. Why? Because making software and compute is cheaper every year to a point of nothing. It's hard to keep insane growth in that environment. Sure if you make some unique breakthrough (like AGI) then tech keeps going again. But what if not? Then you just have to squeeze everyone more including your allies, especially your allies.
Is this related to the upcoming EU-Inc initiatives next year?
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The EU Commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other EU Commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by EU big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the EU has been co-opted by EU megacorps. Like I said in another comment, we aren't in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore I'm against any new tech legislation from the EU, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
Big players don't want this either, we rely on open source software and frequently contribute back
This is just another dumb EU reg that hurts everyone
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
This is what infuriates me with people that knock GDPR. They simply don't understand its prime purpose: creation of a legally enforceable audit chain of data ownership. This is a prerequisite if you want to enforce how people's data is used and shared amongst private entities.
Far less than 1% of people would care about either.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
But far more than 1% are harmed by it.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?
Many of the people who "don't care" don't know. Once you inform people about how much data Meta has on them, for example, many of them do in fact care and they are in fact disturbed by it.
Now, they tend to continue to use Meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
It is a government who says that…
They are quite unwise to do so.
But that extra click to read any webpage was keeping me safe
The cookie banner is the superficial part. The meat of it is how user data is collected or not and stored or not. Rolling this back would be a catastrophic defeat. Perhaps if there were an automatic cookie preference browser API that could automate the user experience it would be better for users.
Does this mean fewer less-annoying cookie pop ups?
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They aren't getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (e.g. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
Can you point to any of these guides?
In our case we were working on a Dutch project so we used this; AVG is the GDPR implementation for the Netherlands:
https://ictrecht.shop/en/products/handboek-avg-compliance-in...
Are cookie banners going away anytime soon? There is no law more ‘European’ than this one.
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
Remember that at its core GDPR was to harmonize privacy laws around the EU to ease the transfer of data between those countries.
Previously:
European Commission plans “digital omnibus” package to simplify its tech laws
https://news.ycombinator.com/item?id=45878311
EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?
Yes. This is their public roadmap.
The CBDC, the “Digital Euro”, will be nail in the coffin.
In Italy they’re pretty advanced with the Digital ID, for example.
Let me steelman the new proposal a little bit:
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
> The new proposal which suggests that pseudonymized data is not always PII is a different thing.
This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In case of IP address the answer is almost always yes since the recipient could ask competent authority to unmask the IP address if there is crime involved. That was the exact reasoning provided in the Breyer case.
In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to real person so it was determined that it's not PII from recipient's POV but it was from the data controller's.
One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.
Imagine the useful, user friendly, well designed features when business had a big incentive to push privacy
The issue isn’t too much regulation. It’s that an organization such as the EU cannot adapt.
There are lots of principled arguments about privacy versus growth versus monopoly here. But the reality is: for 95% of people in the EU (or the UK), their only direct experience of GDPR is the cookie banner. They aren't going to understand your subtle arguments about whose fault it is; they know that GDPR came along and they had to click on cookie banners. And they (and I) absolutely hate it.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation; it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"
https://www.youtube.com/watch?v=Xpo2-nVc27I
Cowards.
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDPR.
Is that why most of the EU governmental websites have the same cookie pop up banners?
Lack of product ownership and cargo cult developers.
Legislation can’t change culture.
Goalposts moved.
The original claim was that the compliance was done for malicious reasons to change the law. Another possibility is that lawyers are a cautious bunch and advise their clients to take a less risky option when implementing a legal requirement. From personal experience, I would say that the latter is much more likely and would also explain why government agencies interpret these rules the same way when developing their websites.
Big mistake
...the companies will be very pleased.
I work right at the junction of marketing tech -- eCommerce, marketing sites, account management systems. Theoretically I should be living in compliance hell, but here's the dirty secret:
To "follow" every rule, all you really need is another layer of UX friction. Another modal. Another "consent wizard." A few toggles buried under Manage Settings → Advanced → Optional → Something You'll Never Click → Opt Me Out.
If you want to be sneaky, add a dark pattern. Make "yes" mean "no." Delay the buttons loading behind some animation, while showing other buttons from the start. (Users will always mash the first one that looks vaguely like "close" without reading anything.)
Or just bribe them, "Get 200 extra points for opting in! Only 45,000 more to redeem a free small drink!" Congratulations -- you're now "compliant."
In practice, GDPR mostly results in one more click. That's the whole impact. A seemingly smart privacy law reduced to just an annoyance tax.
(This is a big reason I run Firefox with uBlock Origin, and NextDNS on my router and phone, with Steven Black's block list. Ha. I do value my privacy, and the more ads and trackers you can block the better shot you'll have at keeping some of it. At least until you go and do something stupid like join a social network or messenger app, or start clicking accept to get 200 extra points.)
* StevenBlack/hosts: Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories. // https://github.com/StevenBlack/hosts
* NextDNS - The new firewall for the modern Internet // https://nextdns.io/
* uBlock Origin – Get this Extension for Firefox (en-US) // https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
EU's citizens are ripe for the taking. GAFAM, Palantir & co are going for the kill (we hope not like in Gaza)
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU Commission claims that this is for the benefit of the European tech sector.
> our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
What about GDPR is "scaling back"?
This sounds interesting and all but I'd like a more technically informed source than The Verge to judge whether the headline is accurate:
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
That's nonsensical. The GDPR doesn't require "cookie banners and pop-ups". Obtaining consent for things you can't do without consent does - if you insist on handling it that way. And "'non-risk' cookies", i.e. technical cookies required to fulfil the functionality requested by the user (e.g. maintain a login session) definitionally don't require consent and thus no "pop-up" or "banner". So what is the actual change here?
I'm sure capitulation will teach the surveillance racket a strong lesson.
Hold the line. Don't make the same mistake we did in the US. Your data is your data.
That is too bad, I had hope in this case regular people would win and get privacy we deserve. But as always big money wins, it just takes time.
> if the development of the GDPR and AI Act are anything to go by, a political and lobbying firestorm is on its way.
No doubt that now the flood gates are open, powerful interests will do everything they can to water down the protections even more. This is already bad enough as it is.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
Is EU suffering from FOMO?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
Start?
I stand corrected. :D
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
> We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy.
That's an odd way to say EU regulations....
The AI bubble is so big at this point that this just feels like coercion/bribery induced.
Shameful decision, caving to foreign capital interests.
Do better, EU.
The EU should pass a Foreign Lobbying Ban Act.
For example, if you are a french company with american shareholders, you can't lobby the EU.
They can't pass an act like that. USA would retaliate economically.
Why can't we counter-retaliate? Where are our cojones?
The consequences of their laws are pushing their hands.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
That was already the case for the majority of domains.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
I for one like it to be able to post stuff on my website without the risk of someone sending me pizza or swat teams to my home address...
I see the tech bros finally figured out who they needed to bribe.
Come on, AI needs data, relaxing GDPR brings more data.
The question is what AI will do with these data and whether giving away privacy is good.
There is no transparency or trust and for this reason I want to keep my privacy.
But now, I am robbed out of this based on majority votes and not common sense.
Yet again, European countries are showing who their leaders are: US Big Tech
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens
Well, that's a bummer.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
Given that they were largely ignored anyways, who cares? Laws have become almost meaningless, in a world where power lies within companies and not governments or the public, which anyways has been trained to either act against their own interest or disillusioned enough to largely not care.
The only space where there's still laws from people is in the social media world, where the outcome are laws that don't change the life of anything but make you feel good. Eg. minorities, women, etc. still have low income, bad life outlook, etc., but hey now you need to clearly state that the programmer job is also for women and trans people. Assholes can be assholes as long as they use the right pronoun, whole industries thriving on lowering the baseline (delivery, etc.) of what humane treatment at a workplace is celebrate and pinkwashing. Everyone is "happy".
Also on the ecological side. Laws that would change something fail, but everything that can be exploited in terms of taxation passes - seriously look at summaries on voting on directives. It's completely split at this line, and all the "liberals" celebrate how great they are for driving essentially tax funded electric cars.
It's no surprise that companies reacted by making the most obnoxious cookie banners instead of removing the need to have those in the first place (fun fact: you do NOT need those for cookies at all). Whenever you read a "We care about your privacy" that is an outright lie. If they even remotely did there would be no need to have such banners. Even for much of the more shady stuff you don't need to. And still most companies don't even adhere to the GDPR. They just have a meeting to pick some pieces and forget about it.
Democracies sadly have become a real farce. I think the world has over-optimized for it, companies have "min-maxed" for the current set of laws and now well intended laws are effectively meaningless, cause smart people came up with nice hacks to not really have to care about it. It's just like a video game, where people realize that your skill set is nice, but you can just max out DPS and bring along a tank, where you realize that the debuff on your armor doesn't matter if it doesn't hit you and where the penalty on item costs is meaningless because you don't know where to put your money anyways.
And honestly, finding such strategies to optimize for "just not breaking the law" or getting around it entirely is extremely fun, compared to all the boring work at a job.
What people used to call "honest work" just doesn't work outside of very localized and small scale setting, and even there it's hard. To compare with video games again, it's like all the "soloing is possible" and yeah sure, sometimes it works, but if the big guys decide to crush you they will. So best to join up with them which is exactly what is happening.
We also see that in other laws. Monopolies are forbidden? Well either keep at least one competitor alive (iOS vs Android, AMD and Intel, etc.) or make a cartel, even a completely passive one where you just do "market analysis" to have a similar price. If your competitor raises prices, it is your job to adapt your prices to increase profits. If your competitors use cheaper materials, etc. it's the same. You never ever need to interact with your competitors.
Working together in one way or another is what made humans really productive, it works well for companies, yet somehow there is that belief that magically this won't happen and instead it's all fierce competition, which is ridiculous when the biggest threat to large successful companies is literally the market changing. So they just take safe bets and buy all the smaller largely already working products and call it innovation on their side.
It's a good, smart, reasonable strategy. But it's also very obviously not as intended.
The thing is that big surprise, it's the same for privacy protection laws. Companies don't care about your privacy at all and most people are in fact ordered to store data just to have it. They make sure it's annoying so both to make you accept them and to complain about the law. It's a real farce to think that somehow people, governments, etc. think that companies (at large) are nice and just want you, the world and everyone to be good and happy. It is baffling that people really believe that and somehow always think their favorite brand is magically different, because they met a nice lad working there in marketing.
A mostly philosophical comment:
I would say something like "the issue is that 'people' are underestimating how many ugly characters there are, in the private as well in the corporate spheres" but that doesn't mean much anymore because people adapt against their interest just to display competence. "Ugly business practices" have become the norm.
It even trickled down into culture via funny little behavioral nudges like "nett is das neue Scheisse" (German for something like “Being ‘nice’ is the new way to be awful.” or "Nice is the new toxic." but mostly meant to say "Politeness is the new bullshit."). I'm quite certain it was a clever mid-term Machiavellian marketing play which paved the high speed Autobahn for the Right Wing and faux-cause refugee aid and further downstream also the acceptance of misinformation about the escalated and long ignored civil conflict in Ukraine. But that's a long stretch and beside the point.
Regulations serve to keep the balance. Rules can be broken. Linguistics and just being a horny fucking human create more loopholes and blind spots than anyone can count and this dynamic evolves and becomes more complex.
When it seems like you have to choose between a police state and a state which allows "AI companies to legally use personal data to train AI models", meaning unrestricted, unhinged economical practices that will have it even easier to get into teen heads and all the minds who just don't have the time and energy to evolve after a 9-5 day to raise their kids with abilities to defend against all the ugly bullshit that ugly business practices use to advance their proprietary propaganda(s) while the civil weight that is supposed to balance and positively offset the resulting negatives--the counter-movement, the counter force--is reduced to a motherfucking s k e l e t o n that our current civil society is, which can barely hold its own few pounds, because too many people are busy being more productive and efficient or are numbing their brains with some drugs or meds and doom-scrolling or something with the content-creator economy or something else "with media", meaning when they are literally working for the other side against their own interest because it's cooler, then we all will get both, a police state with a subscription model for tickets out of jail, court as well as an economy that doesn't have to nudge and prime and co-evolve with customers, workers, employees, citizens, people anymore, because the law permits reverse lobotomies, marketing campaigns that create new needs and new desires via straight injection into your brains, including all the good PR that turns the bad PR into nothing but showmastership.
Our intelligence agencies, police and judicial representatives of the people are constantly looking away because citizens don't point the spear at what the tip already knows. Our law and the maintainers of justice should have evolved to investigate way more than they have done and they continue to disappoint.
The people have been misinformed, deceived, nudged, primed, exhausted for decades and with inter-generational effects, where the old don't defend and protect the minds of the young and the young then hijack the minds of the old or tire them out additionally and vice versa. Everybody just thinks or feels and perceives that "this the world", "this is the way" when it's the opposite, the absence of critical thought in your own interest. "They" (whatever that means to you), are selfish against all your interests while selling you their interests and how they want you to be.
Dramatic emphasis: THERE MUST BE BALANCE. And shoving the people back on the right side, not by moving them directly, which would be "fiddling with them" as much as ugly corporate and smaller business people do, but by offsetting and countering, HACKING corporate "dark patterns", ugly business practices (and I don't mean shiny buttons and countdowns), for HACKING'S sake.
If I hadn't been fucking poisoned and spiked god fucking how many times and had my brain been capable of recovering from that shit a bit fucking quicker, I'd be on the fucking frontlines of all that obvious, ridiculous fucking shit. I don't believe so many of you just roll with this shit because you are ok with it. How is all that not exactly the hacking challenge, the systems design challenge you are looking for? So many are doing so much on small scales and with tiny projects. Where the hell is the weight? It has nothing to do with behavioral locks. You can remain in that lock, the world has chosen. BUT THAT IS NOT IT.
There are a lot of you who know and see and who were not poisoned and whose feet were not fucking poured into concrete bullshit and walled in by a jealous wannabe-fathist-coping-with-inferiority-instead-of-actively-evolving-others-to-evolve-their-offspring pthycho-thothial environment ...
"I don't care, I'm just doing my thing, you know ..." (which is not his thing but it got him that marshmallow and there's this thing previous generations, who believe that "history repeats" while the people writing it advance their interests, can't teach you because it's covered in new language, memetics, symbols, which are hidden behind misinformation enough other, slightly younger people are perfectly aware of but keep lying to themselves want their abilities enable them to do, but they are just doing their thing, which is not their thing but it gets them that marshmallow ...) only leads to the propagation of proprietary agendas, the results of which, if not offset properly, will be disliked adequately, way way way too late. I don't know what means exactly, but I know that enough of you have those conversations all the time and a lot of it was spelled out in various books; in fiction, science-fiction and more than enough of it in historical and current non-fiction.
I'm just wondering.
I could have said something about constraints, self-organizing systems and organic emergence of cultural phenomena via the non-linear propagation of imperative regulations between co-evolving colonies that are reaching for a state that maximizes the architectural potential of all areas of civilization for the sake of the minimum amount of conflict necessary to ensure survival and thriving in a changing world, which requires just enough friction and oil to keep the temperature down, but you all know that.
Someone smart, published, internationally recognized, and with humble origins in a current or former war zone, I believe, once noted that the middle class/middle working class needs to be heard so that their perspective can be accounted for when dealing with and for a world--and future, full of uncertainty, colorful swans, emerging and re-emerging constraints, calculated probabilities of instability in the various areas affected by climate change (the fact, not the debate), and so on ... well, above are some bits to start with.
The sentences "What the fuck are you serious? Give my kind time and the peace of mind to raise my children in a way that offsets some of the bullshit systematically taught in schools off-curriculum and they will help you. You need help. This is wrong, pathetic, only funny if you are drunk or drugged and in a particularly sassy mood that makes even the help- and hopeless feel cool and powerful. If we did our jobs like you do yours, everything would burn." kind of sum up some more bits ...
GDPR was never about privacy, but to legitimise data trade. It was a two-step process - first train people to Agree to anything by introducing the "harmless" Cookie Law, then once people just click Agree to anything, create a legal basis for data trade, where it is no longer a grey area as most users give consent. With Chat Controls coming back, never assume the EU is doing anything for the benefit of the general public. What is particularly bad is that they are not honest about it, just keep gaslighting.
This is kind of my take. I can't believe the outcome where most people just click "agree" to explicitly opt in to tracking was some kind of unforeseen mistake.
GDPR doesn't really work as you describe. Under GDPR data is a liability.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the EU courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
> The EU folds under Big Tech’s pressure.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
> due in part to burdensome privacy regulations.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
I think this is a very rosy framing.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
If I sign up with your company I can opt into that personalisation at signup time.
You have no business stealing my personal data until we enter an equal agreement.
> If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting
I feel like, there's nothing in my statement you can actually disagree with, so you're just expressing general frustration with the state of the world.
That's fine. You can set up aggressive PII laws, you're a big boy sovereign nation. But then you will not get domestic tech giants. That's not like, my opinion, that is the reality we are in.
I am describing that reality, and that the EU is unhappy with it, and your response is "Here's why we set up laws!". OK. I'm not sure what you are looking for here. We all know how you got here.
This notion that tech companies or even internet companies somehow fundamentally rely on PII is false and just an indicator of how normalized we've let unbounded and needless data collection become.
There are tons of business that can run without collecting any or extremely minimal PII. We already let the big companies take this data unnecessarily, let's not also let them brainwash us all into thinking unfettered surveillance is somehow essential to building a software business.
> acutely feeling the pain of having no big tech companies
That's good, there should be no big tech companies like FAANG at all. These monstrosities wield too much power and need to be brought in line.
The EU is not folding. The article is two facts surrounded by a huge ball of propaganda.
Europe got stuck in the old world, they will never have tech companies.
We have plenty of tech companies. The reason you've not heard about them is because most of them cater to their domestic market first. Neighbors second. Rest of the world third or never.
This is criminal.
How so? Like, figuratively, as-in outrageous?
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I assume you mean the AI related stuff?
It was never required to show a pop-up for essential cookies.
I work in data privacy and I really hold the GDPR in high esteem. The "AI stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
I used to live and work in EU, get out of EU before it is too late.
Like UK, you mean? Boy, that did really work out well for them!
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
The UK was known for bureaucracy even before they joined the EU. The idea that the red tape would vanish was always silly.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[1] Western, Educated, Industrialized, Rich, Democratic
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
Watch out for French government bonds (10yr), France will be the next before 2030.
I did the opposite, I moved to the EU before it is too late.
It's the only power left that stands for rule of law.
Wow. Powerful statement. I suppose other places are probably scaling back GDPR and relaxing AI laws, unlike the glorious EU?
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
Europe learns the hard way that you can't have a cake and eat it too.
EU citizens: WE DEMAND XYZ PROTECTIONS
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
Who demanded cookie banners?
Cookie banners are an AI solved problem ... just train on "minimize eyes spying on me"... a business model?
The companies trying to persuade you to click "Accept All".
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.
Ehmmm... If we learnt something in the past century, it is that companies don't have morals because they are not real persons. And even the real persons running them may be legally liable to the shareholders if they act based on their personal morality.
So, yes, the default should be that companies are inherently ill-intentioned to society, because that gets them an unfair advantage and gets more "value to the shareholders".
> The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy.
History tells us they are. Well, technically, they are not ill-intentioned. They just don't care if they do harm in their search for profit.
This is a general approach applied also to the population.
In Europe there is a particular concept of freedom.
Like the old adage goes. In the USA you have freedom for things. In Europe you have freedom from things.