I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
And when it comes to privacy, consumer advocate types and privacy wonks (I include myself in this group) want the heater to be on, and technology companies and advertising companies and all of their hangers-on want the heater to be off.
One group has a lot more money, power, and influence than the other.
It is the perfect and correct antidote to any slippery slope argument. If the consequences of the law turns out to be as bad as you say they will be then we adjust the law.
Nothing is more permanent in politics than temporary solution. As a Norwegian, for example, I am still paying a temporary 25% on all spending that was enacted as a "temporary" measure over 100 years ago.
Control Theory does not work (in the general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviosuly works, but for it to be a good solution in some political context you must additionally prove the existance of some Nash equilibrium where it is being correctly applied.
Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.
Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.
“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”
“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.
Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
I very heavily disagree here, we aren't doing as much of this as we should be.
Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.
Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.
In the same post you are arguing for and against "slippery slope".
Either it is possible to easy change law to make it worse ("slippery slope" is valid objection) or changing law is "much harder than doing nothing"("slippery slope" is a fallacy).
>Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.
And the snowball effect continues. Governments are only increasing their grip on power(looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014- 2019, that ship has long sailed.
> If the consequences of the law turns out to be as bad
This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.
The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.
Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.
So, you do think “useCase.regulation” being a single dial. It’s a pretty reductive framework. I have an easier framework where in 90% of cases current law was already good enough and we don’t need to tweak that dial
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
There's a reason we call them judges. Selective enforcement is there for a reason. Lawmakers can't anticipated everything. Just look at how bad of an idea zero tolerance policies in schools have been with thinks like getting expelled for biting a sandwich into the shape of a gun.
The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.
The reason that selective enforcement exists is that it is very hard to avoid having rules selectively enforced.
But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.
For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.
Yes, I would argue that it would be better for more to have been incarcerated, for that would bring greater focus to injustice and the law would be changed. Selective enforcement interferes with the feedback mechanism that would otherwise make the law work better.
Any instance of selective enforcement being necessary is ipso facto evidence of a bad law. This is completely orthogonal to the matter of the world not being black and white - you're right, it's not, but a good law recognizes that fact, and laws can also be amended as needed.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.
Legislation is much worse than organically derived common law, for the common law comprises decisions that apply to particular conditions with all their details while the former are mere idealizations.
The problem with laws that both the enforcer and the subject (enforcee?) agree are bad, is that enforcement is variable. And that leads to corruption. Every damn time.
The fix for corruption is vote the bums out of office. It is not to go whole hog into blind application of the law.
Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.
And now you want to rigidly apply your operators to this parameter space?
Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.
It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."
> The fix for corruption is vote the bums out of office.
That doesn’t seem to be working.
I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.
Come out of government better off than when you when in. Fine, good on ya. No need to tells us about how you’re going about it while you’re going about it.
Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for it's hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in it's own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
`inline` in C has very little to do with inlining these days. You most certainly don't need to actually use it to have functions in the same translation units inlined, and LTO will inline across units as well. The heuristics for either generally don't care if the function is marked as `inline` or not, only how complex it is. If you actually want to reliably control inlining, you use stuff like `__forceinline` or `[[gnu:always_inline]]`.
Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.
One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.
When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
That depends, are the people who are negatively impacted aware, and able to do anything about it?
There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.
Even if I were emperor and believed hese businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.
In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.
Lmao you can’t be serious. This is something that can only be said if you can’t/won’t quantify social cost.
Deregulated gambling has had a horrible impact on individuals. Repealing Glass—Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.
>Deregulated gambling has had a horrible impact on individuals.
Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI(hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.
So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.
Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
> insane monopolistic pricing and practices in the US in eg the telecom industry
It's actually regulations deterring competition in telecom who are responsible to those practices.
It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
> too little environmental regulation
In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.
> Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.
> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.
> In China. You forgot "in China". … Good luck promoting environmental regulation there.
Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯
I’m not blind to the existence of plain bad regulation, regulatory barriers and capture — but the overwhelming majority of these arguments have just been used to make regular people’s lives’ worse.
“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.
As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.
One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.
Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.
> Bell system
Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made illegal to connect a 3rd party telephone to Bell's network!
Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulation incumbents lobby for is meant to deter competition.
> Cheap housing isn’t being built in the UK
I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...
>latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course.
Normally I'm against overrgulation, but when it comes to privacy more fine for big corp is need if ANY violation is found. Rather NOT have AI than compromise on privacy.
Interesting that you have privacy so high on your list of priorities. The general public usually considers other small thing like "cost" and "convenience" when thinking about privacy.
Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.
But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
Seems pretty real. E.g. CRA official impact assessment estimates one-time (in addition to ongoing costs) compliance cost at €500K per one product. That is enough for 10 man years per product.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a \(45\%\) tariff on manufactured goods and a \(110\%\) tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
> Businesses have absolutely zero incentive to say that regulations are not bad.
Your overall point is solid, but I'd like to what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.
Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitve advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/
That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.
It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.
Right, but that's a follow on to regulations about increased rear and side still heights for occupant protection, and that's a follow on from increased vehicle sizes, and that's a follow on from commercial vehicles being sold to the general public instead of regular passenger vehicles due to tax breaks, etc.
I was somewhat disappointed, however, to aee that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
At scale, no. But when very small there is a reason that people from Norway made rain jackets, and the brand cachet follows that too.
European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.
Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.
I don't mean to refute your experience, but I am suprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean.
> Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.
Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) means that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.
A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.
Ah, you're absolutely right. Only when reading your comment did I realise that I'll often go to the UK for some human-mediated service I need in English.
(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are build in less-regulated territories (USA and China to be specific).
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
The challenge with regulation is that its the result of those in charge of a power imbalance being able to decide what is "good" PR "bad."
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think theres a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activty? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
Big enterprises like regulation because it enables them to capture the market and slow startups down: that's why they invest so much in standardization, for instance.
It allows them to force startups to match their (slow) pace of development.
> Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?
Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.
> The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long
My feeling is that in 9 years you could read it.
However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.
> it's actually super easy to comply, you can read it yourself, it's one sentence!
It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.
You’ve addressed nothing in my comment and have simply repeated the religious chant: it’s easy to read so easy to comply!
Thank you for illustrating my original point about this being religious dogma here.
Every HN thread about GDPR devolves into this circular argument. It’s getting so tiring. There are many issues with the actual reality of its implementation which I’ve explained in my other comments. You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
> Every HN thread about GDPR devolves into this circular argument.
The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".
> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.
So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
>I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
i could have chosen anything, you choose and do it. he didn't say anything at all.
"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
Your midbrow dismissal only makes sense if there is nobody who denies that regulation is nuanced. In fact, the entire political landscape is set up around a "regulation is GOOD" vs "regulation is BAD" worldview.
There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
> You can’t read news websites unless you accept all cookies or pay to read.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job ?
We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.
They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.
It is the fault of the EU. If you leave a steak on the floor you don't punish the dog for eating it. Site operators just chose to do what was most convenient for them within the boundaries of the law, as would you.
I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.
The law doesn't even mention cookies. This is a common misunderstanding and causes a lot of annoyance as I've seen websites ask for permission to store cookies even when they don't need explicit permission.
The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.
Fingerprinting is actually covered by the regulations and needs to be "consented" to.
There are different regulations, but basically they are technology agnostic (a good thing). If you as a compnay want to use data that could theoretically be used as an identifyer for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.
Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users. But those are separate from GDPR.
GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.
Theoretical example:
Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughtly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village, use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome in having to ensure you only use this data in a way that I gave consent to.
See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing ti me as an "ID" - like a cookie ID, or at personal identifiable data - like bei combination in my example.
I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.
They are regulating websites anyway, surely they can just invent some standard format to say what function each cookie has. How about requiring that the name of every cookie has to start with one of "Strictly Necessary", "Functional", "Performance", and "Targeting/Advertising"?
I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.
I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
> Most of the harsher regulations only come into effect when the company hits a specific size.
That’s very market and country specific. Spain makes more than 1k tweaks to it’s food regulations each year, which would kill lots of restaurants if they were to be in compliance.
The result is that everyone tries to make as much money as they can and build a “inspection fund”, because you’re guaranteed to get a fine if inspected.
Why isn't #1 an import duty sales tax system instead and you need to declare the proper value as part of shipping, or the good is rejected / confiscated?
Actually, online shops that mail stuff to Australian customers who request them to do so don't have to collect or pay any sales tax. The Australian government might stomp their feet and declare otherwise, but they have no legal or jurisdictional authority to do so, nor any real means for enforcement.
This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.
> This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas
I disagree.
Imagine I ban health potions in my realm. I am running a Darwininistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup context. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
If you want to do business in the EU, just follow the law.
You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Becase hey, people can just decide to not buy drugs.
My search told me that unless you are a gatekeeper, offering a reasonably priced ad-free tier allows to make the ad-monetized version personalized only.
I think it makes sense. Either pay, or consent to effective ads. There's no free lunch
This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.
Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can alow easily change some settings to stop persistent cookies. You can install privacy extensions like ghostery to block beacons. You can use features like ICloud private relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.
Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in tis case ends up completely unprepared and unprotected.
Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.
If you want to use ddata that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask m. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO#s my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for wheightloss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companes need to rott in hell, but that is my take. I want people to be protected. From business, from government. Thst is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.
And by that they are actually in violation of GDPR. But hey - since when was Musk interested in following regulations. And since when has a governmental or supra-governmental entity been able to curb that tendency of the super rich and biggest cooperations.
Like with meta: They know they mke 7 billion annualy from serving 15 billion scam ads daily. They calculated that they will have at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.
So it is a clear business decision to go on shoing 15 billion+ scam ads per day to their "users". Were some interesting journalistic pieces on that a few days ago.
And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
Implied consent is valid for most functionality, just not selling peoples tracking data or giving it to a third party who could.
Its entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
Look at what YT loads in terms of tracking, when opening a page with an embedded YT video - even if you do not play that.
Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Adible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.
If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].
I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.
So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.
It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
arguably if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably, it would still need to adjudicated.
My conclusion would be that under the current GDPR that if someone had the browser setting on, if a company did not respect that setting and kept private data, that they could be reported for GDPR violations and then the issue could be adjudicated, i.e that the courts would then decide if in fact GDPR violations occur by not following that browser setting.
Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, howe ver as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".
In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality when non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
Private browsing is equivalent to creating an ephemeral browser profile everytime. It might get rid of more browser storage, but for how tracking works now-a-days, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.
Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
It's broader, it's about users data. For example, you can store my address so you can send the item I ordered to me. You can't, without permission, use that to send me marketing stuff.
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
Every regulation has some unforeseen consequences. Most of the time it's impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.
> Every regulation has some unforeseen consequences.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time it's impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have.
There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back.
The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bended the regulation requirements just enough without breaking them.
People don't know whether they are or are not doing things that require consent under the law. That's because, if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs. Notably missing from that list is "lawyers who can be bothered to research the question".
People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obviously to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.
> if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs.
Those are the people who should know best what is meant by "ask visitors for consent before you track them.".
Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possibly without breaking the law."
You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.
> People don't know whether they are or are not doing things that require consent under the law.
This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.
Is that what really happens though? EU countries usually don't immediately punish violations unless they're particularly egregious. You're more likely to get a warning and a grace period to meet the requirements. So the rational approach would be to not bother with consent banners, GDPR and whatnot until you attract the attention of the regulators, at which point you should definitely hire a legal team that can tell you what exactly you need to do to comply.
Any company that can hire teams of software developers can afford to hire a lawyer to tell them whether they need to irritate all their customers. And frankly, they'd be dumb not to hire a lawyer if they think they need some legal cover to determine whether that cover is sufficient.
Good god. I certainly wasn't suggesting this situation would be improved by software teams hiring lawyers to advise on their software! You appear to have completely lost perspective.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark pattern to extract personal data from citizen.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the "Decline Cookies" dialog under 3 layers of clicks. That's a proactive choice, that some software developer chose to implement.
I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.
Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".
Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".
That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.
I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.
He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.
It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.
Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your lifelihood depends on the job
It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"
someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"
How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when not one doesn't know.
Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.
Why not accept and let cookie autodelete delete it after closing the site?
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rathr than a curse.
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
I would consider making people to vote for a criminal dictator to be more harmful than selling drugs, the former is destroying way more lives than the latter. And I am someone who would vote for more enforcement and regulation of bans on drugs.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Uh, no, not in the same way. You have absolutely zero proof that you NEED to fuck users up the ass to make the service work.
Many services worked without the ass fucking. We did it for a very long time.
> but most people prefer free with ads to paid without ads.
No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.
Things like GPDR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GPDR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want right?
Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!
this is a false dichotomy. You don't need to track your users to show ads.
Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).
so you want people cant earn livelihood by your saying?????
for some people and I mean some people in this are entire industry that working with directly and indirectly. this is the only way to earn a living for them and you saying this people cant do that????
"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."
well. you are free to choose not to?????? what we even doing here? life its about choice and you are free to not sign up service that scummy
it literally totally difference case that worth another article/post for that
1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.
2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.
If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice "not sign up service that scummy", THEN they must know if the service is scummy. Necessarily!
> if there are better ways to do this, it would be born already
That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
no.
even including a font from a different host is not allowed under the gdpr because you are leaking the users IP to that host.
you are poorly informed on this topic.
That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be the make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic power houses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.
There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I very much doubt, that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was more challenged and brought in front of the courts. And not just wristslaps dished out. Such practices need to have business threatening punishments attached to them.
I'm sure that happens in some cases. But the EU is building a reputation for handling out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules are almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
you are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We eill be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
I might get worried when mainstream computers won't be able to run Linux. Until then.. I'm not worried.
Seems there are efforts to bring openness to platforms that inherently have an interest to resist it and while the progress is slow.. there is progress
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there are a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
No. It's reflecting on an overall culture that embraces taking chances. Even if 50% of those chances lead to failure it still beats the paralyzing fear of moving forward.
As a hacker, I don't care about cookies or what the EU thinks about them. Disable them if you really care. Or at least use a browser that blocks 3P cookies (not Chrome).
people still insist on using a browser built by a company that makes money off of ads and act surprised when said company purposefully compromises their privacy and data on said browser.
What about when the lack of cookies makes everything break and you cannot work around it because it's too much JS to reverse-engineer, and/or it's a copyright-felony in your country to develop workarounds?
"I'll use my l33t hacker skillz to avoid it on my own" is a losing strategy in the long run.
A similar thing happens with the proliferation of cameras and license-plate readers.
You can keep them enabled and clear at end of session. I'm not saying this makes you untrackable; that is a losing strategy due to all the non-cookie tracking, but also the cookie popup isn't helping there.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
The thing that anarchists have a problem with is hierarchy, of which states are a manifestation. Most anarchists aren't just "okay" with some kind of government, but believe it to be necessary.
i guess I can see how it might work in a single person's life or small group, but on a large scale doomed to failure because the neighboring country/cit-state/etc will be organized, with and organized army. That group will eventually desire something the anarchist community has and will destroy it.
That is indeed the sticky question, but, again, anarchists aren't opposed to organizing either, even at scale - only that such organizing should be fundamentally egalitarian, not forced.
You can argue that hierarchical organization is fundamentally more efficient, but by the same logic authoritarian governments ought to always outcompete democracies militarily, yet it's clearly not as simple as that.
One could also argue that in a world where anarchist modes of organization are the norm, an attempt by some group to organize for the purpose of conquering neighbors would be treated as a fundamental threat by basically all other groups and treated as an imminent threat that warrants legitimate community self-defense. Of course, then the question is how you get to that state of affairs from the world of nation-states.
I don't have answers to these questions, but it should also be noted that it's not a binary. Look at Rojava for an example of a society that, while not anarchist, is much closer to that, yet has shown itself quite capable of organizing specifically for the purpose of war (they were largely responsible for crushing ISIS, and are still holding against Turkey).
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
The reasonable position is that the state exists to propagate and protect itself, which is made up of it's citizens, you included. This is just like any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
> But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
Not really. The goal is to prevent people from being unhappy enough that they revolt. But so long as that is not a real possibility, the company - or the state - is quite willing to make the population less happy if that means more productivity that can be extracted.
The example you gave - free education - is precisely about that. The point of schools is not to make the people happy, it's to make the people productive. But, also, ideally to brainwash them into being "good citizens" (meaning compliant and not causing problems). It can even mean "happy", but that is not necessarily the desirable state of affairs from the citizens' perspective, either - e.g. in USSR under Stalin, the cult of personality was strong enough that many people were genuinely happy to participate in it, and genuinely sad when the guy finally died; but it wasn't actually good for them!
No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
The reasonable position then is to demand governance that is actually in the interests of those governed. And one can reasonably argue that the resulting entity is not a state.
> No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
Beliefs like that are self-fulfilling prophecies. People who believe in that often give up trying to influence the state and exclude themselves from its interests. If too many people do that, the state will not care about them.
There is a trade-off based on the size of the state. Small states are easier to influence and more likely care about their citizens. Politicians stay more in touch with other citizens, and the average citizen is more likely to know some politicians in their everyday life. But small states often make amateurish mistakes, because they are governed by amateurs without access to sufficient expertise on various topics.
Large states have an easier time finding the expertise they need. But they tend to develop a political class out of touch with ordinary citizens. Political leaders become powerful and important people who mostly associate with other elites.
I believe the ideal size of a state is in single-digit millions, or maybe up to 10 or 20 million. Like most European countries and US states.
If you were to put a name on your ideological position, what would it be?
It can't be liberalism, since that tradition considers the state separate from society, and the state's purpose to provide liberty to the latter.
Communists of the 'tankie' variety (i.e. 'authoritarian' rather than 'libertarian' or anarchist) believe the state is or ought to be made up of its citizens, but they are aiming for scientific industrial administration and would never describe the state as an organism.
The tendency that does describe the state in that way, is fascism.
If the state inherently wanted all that for its citizens, why have people formed unions and militant organisations and struggled to achieve things like common education and so on?
In a democracy, the government is its citizen. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
So the people should talk to their representative. A government becomes authoritarian not only because of an authoritarian leader, but also because of the enablers, people like the spineless Mike Johnson.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client ai push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a faustian bargain.
And the enemy of your enemy is not your friend. It can be a temporary ally, but you always have to be wary of it becoming strong enough because you can become its enemy tomorrow.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also weirdly (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetorics that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alley way we once had.
Some of that is attributable to raw inflow/outflow differences, where newer cohorts are bigger and therefore the blend would shifts even if no oldsters ever left.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much mored left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular(VR, Autonomous Driving, LLM) and people are first to be luddites come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lays on personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tanginble benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
> A future where everyone has a personal computer was exciting and seemed strictly beneficial
I like to frame it in terms of capital goods, even if I didn't think of it at that time: The personal computer's promise was that everyone would own their own digital foundry and factory, creating value for them, controlled by them, and operating according to their own best interests.
Nowadays, you're just renting whatever-it-is from BigCorp, with massive lock-in. A tool for enacting other people's decisions at you.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy to Civilization is to maximise freedom for anyone. As freedom enables enlightenment an enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And provide an economic system where risks can be taken, enabled by a social let (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
This isn't actually unusual in the grand scheme of things, just at the moment. "Libertarian" was originally a word that anarchists came up with to describe themselves for a good reason. Lysander Spooner is famous in right-wing libertarian circles, but the guy also promoted mutualism and was the member of the First International. Today, what you describe goes under the label of "libertarian free-market socialism".
Regarding regulation, I do have to note that in many cases when you try to root-cause corporate power, it turns out that it hinges on active government regulation in practice. For example, consider the fundamentals of capitalism, namely, accumulation of capital. Why do we get those huge monopolies in the first place? Well, because more capital means more way to generate wealth (or, more precisely, to appropriate wealth generated by your workers), which can be invested into more capital etc - there is a natural positive feedback loop here. So at a first glance it feels like you need government to actively do something to prevent companies from becoming too large. But consider: what does it mean for a company to own something? It's not a person, so it can't really have physical possession of things. It's all abstract property rights, and the only reason why that works is because the society as a whole acknowledges those rights and legitimate, and, crucially, because there is a state providing infrastructure (police, courts etc) to enforce them. Now imagine what would happen if, for example, the state simply refused to acknowledge property rights past a certain limit and simply wouldn't enforce them on behalf of the property owners.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
precisely this. cool detachment or disinterested curiosity around political events is the privilege of those comfortable enough to believe current politics won't affect them. These same people are also usually ultimately responsible for the apathy/failure to act and stop meaningful regime change before it's too late.
I'd love to live in a world where one can neatly compartmentalize reality and view life-altering political shifts with "a lens of curiosity", but that isn't how the world works.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
You might have convinced 2 people to install Signal, but the real test is whether they will still be using it a year from now. My own experience from going Signal-first for a while was that it doesn't stick for most.
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didnt the judge rule literally yesterday that this wasnt illegal. This was one of Lina Khan's signature lawsuits, and judge didnt agree even a single one of FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power dont want any monopoly laws, then there wont be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
It is actually a monumental case ruling, and for some reason it wasnt reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta)
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
If this is true, the case then becomes "Meta was a monopoly from start_date-tiktok_date" which isn't a very meaningful claim since they are not arguing it is a monopoly to be broken up.
Anyways, I disagree - this is not the case. If you read the filings and their slides, the FTC argues Meta is a monopoly in the personal networking space.
They essentially carve a market out of thin air to selectively exclude Snapchat, TikTok, and Shorts. The judge has understandably called this for what it is.
It was a phenomenally poorly litigated case, most experts at the time doubted it would succeed, but it did wonders for Lina Khan's popularity. Seems to have served her well with NYC and all.
Just to be clear, when you Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
Nothing's been official published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views are not equal - in the sense that there isnt equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
I would strongly encourage everyone to read HN with `showdead` enabled (it's in your profile page). There aren't actually all that many downvoted comments, and while mosts are low-level trolling, even with `showdead` you see them at the end of the parent thread and they are greyed out, so it's not all that distracting. But being able to see some of the things that get downvoted / killed unjustly (and then vouch & upvote them) is how you get a better HN.
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
The thing is that it didn't work for that objective. It didn't seem to have any meaningful impact on all on the Metas and Googles out there. They control the user base and people depend on their products, it was trivial for them to get full consent like they've always done with their Terms & Conditions.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.
I'm a hacker type and generally extremely (left) libertarian. But when it comes to megacorps, I have basically zero sympathy. When they are big enough to rival nation-states in economic and political power, they can't complain when said nation-states start to notice.
(I would still prefer the world without either, though.)
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
The 180 does not surprise me at all. GDPR and associated laws are a perfect example of the old 'Good intentions, unintended consequences'-pattern we see in laws all the time.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - an European - from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufactuers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time even Brussles remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
Well yeah, the GPDR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways
to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major companies website I visit. An option that was near non-existent before GDPR.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because user's data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GPDR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice, that is the core of a free market. It might seem counterintuitive, but regulation that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.
The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?
I‘ve spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.
This is a perfect example of uncertainty causing compliance overhead.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address....
> Untrue. IP is an category of PII but its not PII in itself unless you're a law enforcement.
> Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so.
> More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
European startups will not profit if this deregulation goes through. US and Chinese corporations will.
While everyone talks about souvereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
While I generally agree, just differentiating the fines is not sufficient.
Small businesses in particular do not have staff or the capacity to to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR would be less vague on the rules surrounding typically collected data
I agree in theory but in practise, this just results in even more regulations. There are very few or no real world examples of stricter regulations being written in clearer terms. The reasons are numerous, but a big one is that people often have a financial incentive to circumvent these regulations. They attack the edge cases and the ambiguity between each word. If the regulations are not written sufficiently prescriptively, courts are swamped with cases and eventually a precedent is set which nullifies much or most of the intended purpose of the regulations. So regulators go to painstaking lengths to write clear and verbose regulations, but ensuring compliance with tens of thousands of pages of regulations are expensive, and this results in an economies of scale barrier for small businesses.
There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.
Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
> Ultimately this means fewer regulations generally are good for startups - and larger businesses.
Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.
I think that when I wrote that fewer regulations help small businesses, but that there are costs for this, you read, "all regulations are bad and I think they should all be removed." Since you didn't read my whole comment, I'm going to paste the important sentence again now:
> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered.
Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle.
They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I keep hearing this argument that it stifles small businesses, but how is that exactly? I've worked for a variety of small startups in NL and GDPR has never, not once, been a real issue or blocker.
Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.
There is no certification to pass or anything. You just have to keep it in mind when creating your business. It's too easy to just abuse data and then claim that it's too late to fix.
I've been through several startups after GDPR went into effect, it's really not a problem.
I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I do want to often don't store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners").
While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as an unified and centralized way to communicate consentment as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
Microsoft made the default be, well, the default preference - what most users would set this setting to if they had to look. That's a good and sensible default.
The only reason why the advertisers were so unhappy about it is because what they do is neither good nor sensible by most people's standards.
I'm sorry but the word is "consent" not "intent" and that's literally how consent works.
If I (a complete stranger to you) walk up to you and kiss you on the lips, it doesn't make a difference whether you're wearing a t-shirt informing everyone you don't want strangers to kiss you on the lips or not - I don't have any basis on which I can presume to have obtained your consent so I'd still be violating your rights.
This is very much a "tech bros don't understand consent" case: if you do something without consent, you better have a damn good reason other than "but it's good for meeee" (or "good for my bottom line"). "My business model depends on it" also isn't a good justification - there are plenty of business models that depend on things that are unquestionably illegal, we just refer to them as "criminal enterprises" rather than "disruptive startups".
DNT headers are equivalent to those email signatures that pretend to be a legal document. You're just spamming the server with extra crap that does nothing and means nothing.
Actually it's worse, DNT headers are like posting a wall of text on facebook saying you do not consent to them using your images or posts for some purpose.
Track doesn't have a consistent definition across contexts, to regulate this you would have to fix it to something - what are your suggestions? DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
If you have a better write on regulation lets hear it.
DNT headers are not by themselves legally binding. However they can rightfully be considered an indication of a user's preferences (kind like how the OS language settings can be an indication of what language a user wants a website to use).
What most people miss about the GDPR is that most of it (as well as the ePrivacy Directive covering more technical aspects like cookies) really only exists because of the one big thing at its core most people are either not aware of or intentionally omitting:
The GDPR establishes a user's right to ownership and control of their personally identifiable information as an inalienable and irrevocable fundamental human right. This is what makes all the rest of it necessary: it's not about "cookie banners", it's about requiring others to obtain consent for what they want to do with that information; it's not about writing "privacy policies", it's about explaining what you do with that information and how you guarantee their rights are respected by you and disclosing who you're passing it on to and how you're ensuring they too respect those rights.
The alternative to consent dialogs (whether as "pop-ups" or via confirmations when prompting for relevant information) would be requiring every website to have a written contract with each user. Consent is only valid if it is demonstrably informed (and non-coerced but that's a different story) and it must be specific and revocable. You can't have users blanket opt-in to everything you'd like - they wouldn't even know what consent they'd need to withdraw later if they reconsider.
By the way, courts recently seem to have started ruling that the way many AIs work the companies training them are in violation of copyright laws by using intellectual property as training data without permission and in order for contracts to be legally binding, anything given by one party has to be given consideration by the other (i.e. anything of value given by one party has to be balanced out with something of value given by the other party) - so I wouldn't be too quick to ridicule the idea that using Facebook means Facebook can do with your data whatever its terms of service say they can do, even if posting on Facebook can probably not be considered an effective way of informing Meta about your disagreement.
> DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
Or it will take one clear message from the regulators saying they're equivalent.
What actual innovation is stifled by data protection laws? What small business is unable to operate because of the GDPR?
Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear(as it operates on intent). Tax laws are clear, but not smart(as the interpretation is literate and there are multiple loopholes).
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for europe. I don't see anything about GDPR that would harm innovation or long-term success for europe.
> I don't see anything about GDPR that would harm innovation or long-term success for europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
Before you get to a judge you will get plenty of warnings and anple time to fix whatever it is you're doing wrong.
For the absolute vast majority of companies GDPR compliance is trivial.
For the absolute vast majority of remaining companies GDPR compliance is simple.
There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).
I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
Its not just cookies and websites, its any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Schrems? - if you think that this legislation is easy to comply with why did all of that happen? The EU can't even agree with itself on how to interpret its own law or what it does.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
As with many laws people think its what is sold as.
There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.
Its not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:
Read it all, and tell me its simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?
Imagine you're asked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.
So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.
You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.
So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That's was even less persuasive than I expected. BRB, gonna go tell tell Open Office and KDE they don't exist because Europe can't create software.
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own government's running on non US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwords.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared defacto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
> If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation
There are only two possible interpretations of this sentence:
1. You have just confessed to a crime. Do your engineers store user data in Notion?
2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.
> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"
Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them. Doesn’t help to undermine my point that this has become a topic of religious dogma here.
No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).
So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
What I'm learning that this generation will find way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespct author rights and steal, or gather more private information about citizens?
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
In my case it is rarely that I use LLM to write comments but rather I frequently use an LLM on my finished comment to fix things I miss as a non native speaker.
The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.
But yes, it is possible to be very much human but also trigger certain peoples AI detectors.
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services.
[...] we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.
When I open this link I'm greeted with the cookies banner
"We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services listed above will be used. You may change your selection on which cookies to accept by clicking "Manage Cookies" at the bottom of the page to change your selection. This selection is maintained for 180 days. Please review your selections regularly. "
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
Again, then why does the EU do this? Clearly its not simply about erroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
No. You asked How can you comply with the current requirements without cookie banners? Not How can you have trackers and comply with the current requirements without cookie banners? And don't use dark patterns would have answered this question as well.
>No. You asked How can you comply with the current requirements without cookie banners?
Within the context of the discussion of if its malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of if its malicious compliance or a natural consequence of the law.
You ignored I said don't use dark patterns answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot less people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
> You need to identify the endpoint to deduplicate web page
You can deduplicate but you cannot store or transmit this identity information. The derived stats are fine as long as it’s aggregated in such a way that preserves anonymity
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesnt matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GRPR. I'd think they would overlap a lot with people who actually read it.
I dont think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that its not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make theme illegal. Simply operating as normal plus new GDPR compliance clearly isnt malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that its not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And lets not get started on all the sites where the banner is just non-functional smoke screen.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site onto itself is a first party tracker, but if your developers can't do it there are opensource solutions available to host.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rule people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would not actually not need any banners at all.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things, problem is do we agree as society it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
Okay, and why do you need to share whatever info you collect with thousands of random data "partners" if it's just for you to keep track of whatever made up thing you say you need to track? Because in reality that's what GDPR exposed, that random ecomm website selling socks or whatever is sharing everything they know about you with a billion random companies for some unknowable reason.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when i close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32)
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client site anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
> Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client site anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
> The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the site I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read and on top the browser has a language preference : https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites require a language cookie for a not authenticated user.
> But one row before it mentions "such as accessing secure areas of the site."
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
> allow you to save your login if you come back later.
Again, is there any browser nowadays that doesn't save the login? I don't know any, personally but I do not know all of them. And if they are, how much market share they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookie (oh, maybe they think of the food! Yummy)
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the 'necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I would on the other hand ask if I should really set my "preferred language" on every device I log in ?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
A cookie is something that is sent to the server, by design - that's their whole point! So if the only part of your code that needs them lives on the client, cookies are the wrong mechanism for that - use localStorage instead.
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
That's not true. You can use those cookies, you just need to explain them somewhere on the site. No opt in required.
I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g Google analytics) or putting actual personal data in them, you're generally fine without the banner.
Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway, I assumed that was the agreement between EU information officers)
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all), check steam store for example their banner is non intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
That is unfortunate, EU could well present itself as an example of how things can be done right. Unfortunately incompetence and/or indifference, plus lack of IT talent willing to work for the public sector is also a thing in politics. It's an opportunity lost for sure.
What do you mean? The original post mention 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
Functional cookies are fine. Even analytics is fine if you're using your own (though said own analytics must also company with GDPR personal data retention rules).
What is not fine is giving away your users' personal data to pay for your analytics bill.
I'm convinced there's a psyop on this site when it comes to GDPR, and I'm only half-joking. If people would bother to read those intrusive banners, they'd notice that their info is being harvested and shared with hundreds, even thousands of "partners". In what universe is this something we should be okay with? Why exactly does some random ecommerce site need to harvest my data and share it with a bajillion "partners" of theirs? Why are we okay with that?
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
> Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
I love how you can think about any of these ideas in a really basic way like a 5 year old and you'll know intuitively that it'll all fail, particularly if you invert it:
for example:
- bureaucracy creates less bureaucracy
- price controls create more supply
- adding more rules creates more freedom
- government is good at understanding technology
- the more people you have the better your decisions will be
- the further someone is from a problem, the better they can solve it
- adding more rules creates more freedom. Imagine the US without a constitution. It’d be madness. In a lawless country, people would be less free to do things they actually want to do because they’re so occupied with just surviving.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
I kind of like it. I mean here we all are on it. And sites like HN can just be written by one person and put up by one person with no permissions. The alternative if the government controlled it would be something like the Apple app store where you have to pay a fee to maybe be allowed to do something.
No it would not. We're already in some alternative where the government says that you can't make a website to sell CSAM, for instance. And we all agree that this is a good thing.
The goal of regulations is to prevent undesirable behaviours by making it "too costly" to do. The goal is not to take 30% on every app sale.
The post I replied to was on an internet designed with a "profit motive". What you describe is still basically profit motive with laws to stop bad things. I'm not quite sure what you get if you removed the profit motive. Maybe the app store wasn't a good example. Maybe something like the BBC?
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I m not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it ? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
Also businesses are not people. People may not do illegal things "just because they are illegal" or because they want to be "good" (e.g. I agree that we should not litter, I wouldn't even need a regulation for that).
Businesses are profit-maximising machines. If it it profitable to litter, a business will do it. The framework in which businesses maximise is set by regulations, which represent what society wants. That's how capitalism works.
The limit of capitalism is when businesses are more powerful than the entities in charge of enforcing the regulations. If "enforcing a regulation" means having lawyers work on it, but the businesses themselves have orders of magnitudes more lawyers trying to prevent those entities from doing their jobs, then we have a problem. That's a limit of capitalism, IMO.
Again, because those entities ("EU", "governments") are made of many people. It's not one guy who says "this should be illegal, but I will put it on my website too".
Too late , and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
They had enough time to push browser vendors to implement an API which allows the user to specify the preferences, so that the page queries the API, instead of the user.
This is a step back. All these years of clicking those banners is now for nothing.
As someone who had to implement GDPR, it would be really frustrating if all people thought it was was the banners (which I’m not even sure was GDPR).
While our company was very good at handling customer data already, it forced us to up even our game.
Other companies, however, were absolutely miserable at it.
GDPR has improved user privacy for the billion+ Internet users across the board, whether they are EU citizens or not, and most won’t even know about it.
Maybe that's just media consumption and reporting bias, but I feel like data leaks have been a lot rarer and less impactful in Europe in recent years compared to the US and based on that the scam/identity theft activity also less intense.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
Most are running ads and needs to track the performance of their ad spend I believe, at least that what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so its harder to find plumbers to show your ads to. Less plumbers get to use your product as a result. So its just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
Sure and that's why EU now has the weakest tech sector of any service industry and have become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia and compared to them the EU is doing just fine
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
Well, yes, Europe is after all a collection of 44 countries, with 27 of them being in the EU, and three EFTA countries. So you're dealing with that many different sets of laws.
Some countries are extremely strict, others are more lax. Where I live (Norway), starting a business is pretty easy and straightforward. Other countries, like Germany, are notoriously difficult from what I've read.
And again, some countries have very strict laws and guidelines you need to follow, once you've started a certain type of business. Where I live it is relatively easy to start a LLC, but you'll need to put some money into it, and you can easily get fined - or even face jail - if you don't follow the laws for accounting/auditing. It becomes problematic, quite fast, if there's no unified codes for these things, if everyone's going to be able to operate cross borders.
Not to mention all the other laws (consumer laws, etc.)
How is Europe, much less the EU, supposed to do that?
Registering a business in Estonia is famously relatively straightforward, while it is an absolute pain here in Germany. But business registration is the responsibility of the countries themselves and it should remain that way
In Sweden and Netherlands it is quite easy and straightforward to register a business, speaking from personal experience. Tax filing is quite straightforward as well, especially for personal income tax.
Starting a company in Sweden requires (uploaded PDF from Bolagsverket to ChatGPT who summarized):
1. Prepare the foundation deed and the articles of association.
2. Identify the beneficial owner(s).
3. Pay the share capital and obtain the bank certificate or auditor’s statement.
4. Submit the registration application for the limited company to the Swedish Companies Registration Office (Bolagsverket) and wait for approval.
5. If applicable: submit a certified copy of your passport (non-Swedish citizens).
6. Apply for F-tax approval and VAT registration and wait for the decision.
7. Register as an employer if you will pay salaries.
8. Keep continuous bookkeeping and prepare the annual accounts each financial year.
9. Submit the annual report to Bolagsverket every year.
Optional:
1. Obtain business and personal insurance.
2. Register trademarks or protect other intellectual property.
3. Choose an auditor if you want one or when the company later reaches the required thresholds.
4. Register a cash register if you accept cash or card payments.
5. Meet requirements for import/export and obtain an EORI number.
6. Follow rules for buying/selling goods or services within or outside the EU.
7. Keep a staff ledger if required for your industry.
8. Follow reverse-charge VAT rules if you operate in construction.
9. Apply for permits if your specific business activity requires them.
This is not what I'd call a straightforward process, personally. Also speaking from personal experience. Sorry for the formatting.
I guess it depends what we mean with straightforward. If we mean something along the lines of "no ambiguity" then yes. If we mean something along the lines of "simple, easy to do" then no. Almost anything can be accomplished with a sufficiently long checklist. I just feel like the entire process could be streamlined and simplified.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
European cars from almost every brand, already have emergency braking, adaptive cruise control, lane keeping, lane switching, etc., which get us 70% of the way there in terms of road safety.
I don't want to be experimented on by companies like Tesla:
Let them kill US citizens and keep lying and hiding things:
> Understanding exactly whose fault these crashes are is tricky because of how Tesla fills out its forms. Automakers must send reports to the National Highway Traffic Safety Administration (NHTSA). Most companies explain the crash in a written section called the narrative. This narrative tells the public whether another driver ran a red light or if the computer made a mistake.
> Tesla chooses to block out this information and redacts the narrative section entirely. This prevents the public from knowing the truth, but it is entirely legal, even if it frustrates data analysts. Without the story, nobody knows if the Robotaxi caused the crash or if it was a victim. Fans of the brand often argue that other drivers cause these wrecks. That might be true. But since the company hides the proof, nobody can say for sure. Other autonomous companies like Waymo share these details openly.
You can't build large ML models without swaths of data, and GDPR is the antitheses of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
He actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem woth mandating truth in advertising.
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more sucessful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place. People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non essential use illegale.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
I have mixed feelings about this one. While I was never too excited about some of the unintended consequences of GDPR. That said, I do see benefit of the EU being the world's regulator on these types of things. I don't have confidence that anyone else would do it if the EU didn't. Even for those of us that don't live in the EU (I am in the US myself), I do feel like the EU plays the role of keeping things in check for the rest of us even if we are directly impacted by their regulations.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have it's own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
Europe having its own Microsoft might be better than Europe having to use the US one and sending it like $100/user/yr in whatever subscription they've tricked them into.
Europe doesn't have to use the US one. It's been the easier choice historically, but there's little beyond inertia forcing Europe to stick to Microsoft. Not that that inertia isn't nothing though.
Europe does have Microsoft. Actually, it has Microsoft in almost every single respect except the primary beneficial ones: taxes, employment and oversight.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at-least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that what EU in general kinda knows that for various they won't be able to make their version of money machine big tech. So why not to try different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobby that want's to exploit them.
But if you ask anyone in europe on the street they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
> Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
For 'central browser control', what is technically mechanism behind this? Is it something like an entirely new request header sent by the browser? Or re-using some existing RFC? Also curious if the regulation will compel browsers to implement this or something.
Managing cookie permissions at the browser level always made the most sense, but implementing it with regulation is what seems hard.
Here's a story about how the mere perception of "regulations exist and are strict" is dragging down my european AI start-up:
Our product makes it easy to capture and share knowledge on the factory floor, which is very important when many of your workers about to retire. Interest is enormous. It is a simple SaaS. You'd think selling would be easy. And it is: In the USA. In Europe the mere existence of the regulations (not what's in them) delays us by 6 months at least per deal.
No european executive really understands what is in the GDPR, and eventhough we are 100% compliant, there is nothing we can do to take away this fear. This means that when we talk to European companies, IT and Legal departments always have to be closely involved, leading to all sorts of political games; each department conjures up non-existing risk by talking vaguely about data privacy, just so they appear important. Half a year later when the dust has settled, the executive buys the product, or their mind has moved to other things.
My point is this: What is in the laws is not important to me. What is important is that current perception of laws turn companies into slugs. I want us to mentally move back to 2018 where we could "just buy SaaS" without worrying endlessly about data privacy. I understand hesitency when it comes to cyber security, but that is not what is slowing us down.
One of our workarounds currently is simply never to mention we use AI.
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society are NOT negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs are as real as the companies like to claim, there is enough data on the internet to train LLMs while paying for proper royalty for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
The news feels bittersweet. With 10+ of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
From Europe, I agree with big tech getting it. But i dont agree with random flower shop somewhere getting fined because they dont know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also dont agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you dont provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result
And this is just one of its contradictions. The more you dive, the more convoluted it gets. Its a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
> The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant
It absolutely isn't. I set up a blog for a friend where she shows her art and publishes an appearances itinerary/schedule. It doesn't collect ANY info from visitors, therefore requires no cookie banner at all. Simple as that.
HTTP logs are retained for 7 days for security analysis and then wiped. No analytics available, although my understanding is that a self-hosted Matomo instance set to anonymize the last 2 IP bytes of every logline it ingests would still be considered exempt from a banner.
People here act as if GDPR was some kind of big reason why all the digital tech is from US. But come on it's not like the game hasn't been rigged forever. To be more specific it's been part of the deal with europe being close US ally. None of the european digital tech is ever supposed to be relevant. And in case some european digital tech is relevant it has to be absorbed by US or at least made to look irrelevant so nobody sees or cares about it.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help US in time when it needs it. To allow some US big tech software to sweep in exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in europe... it's doing fine. Why? Because making software and compute is cheaper every year to a point of nothing. It's hard keep insane growth in that environment. Sure if you make some unique breakthrough (like AGI) then tech keep going again. But what if not? Then you just have to squeeze everyone more including your allies, especially your allies.
The cookie banner is the superficial part. The meat of it is how user data is collected or not and stored or not. Rolling this back would be a catastrophic defeat. Perhaps if there were an automatic cookie preference browser API that could automate the user experience it would be better for users.
Anonymization unfortunately is completely broken under GDPR. In principle it providesa clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established even considering the person doing the anonymization. Consider a clincial study on 100 patients and their some diagnostic parameter such as creatinine or H1bc which was legally collected using consent and everything. Lets assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test if anybody using reasonable efforts could re-establish an identity. And sure the original researcher can because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
You should probably look into pseudononymization in your case, not actual anonymization. Look into C‑413/23 P in more detail to see if it's applicable in your situation, it's essentially the first case law around it. You probably do need some extra controls (like contract that the data is not shared) just in case to avoid the data coming in hands of someone else who could identify the people depending on how detailed the data is.
This sounds interesting and all but I'd like a more technically informed source than The Verge to judge whether the headline is accurate:
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
That's nonsensical. The GDPR doesn't require "cookie banners and pop-ups". Obtaining consent for things you can't do without consent does - if you insist on handling it that way. And "'non-risk' cookies", i.e. technical cookies required to fulfil the functionality requested by the user (e.g. maintain a login session) definitionally don't require consent and thus no "pop-up" or "banner". So what is the actual change here?
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
> The new proposal which suggests that pseudonymized data is not always PII is a different thing.
This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In case of IP address the answer is almost always yes since the recipient could ask competent authority to unmask the IP address if there is crime involved. That was the exact reasoning provided in the Breyer case.
In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to real person so it was determined that it's not PII from recipient's POV but it was from the data controller's.
One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.
There are lots of principled arguments about privacy versus growth versus monopoly here. But the reality is: for 95% of people in the EU (or the UK), their only direct experience of GDPR is the cookie banner. They aren't going to understand your subtle arguments about whose fault it is; they know that GDPR came along and they had to click on cookie banners. And they (and I) absolutely hate it.
> if the development of the GDPR and AI Act are anything to go by, a political and lobbying firestorm is on its way.
No doubt that now the flood gates are open, powerful interests will do everything they can to water down the protections even more. This is already bad enough as it is.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything
'Cause the corridors of power, they're an ocean away"
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDRP
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
This is what infuriates me with people that knock GDPR. They simply don't understand it's prime purpose: creation of a legally enforceable audit chain of data ownership. This is a prerequisite if you want to enforce how people's data is used and shared amongst private entities.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Many of the people who "don't care" don't know. Once you inform people about how much data meta has on them, for example, many of them do in fact care and they are in fact disturbed by it.
Now, they tend to continue to use meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
Given that they were largely ignored anyways, who cares? Laws have become almost meaningless, in a world where power lies within companies and not governments or the public, which anyways has been trained to either act against their own interest or disillusioned enough to largely don't care.
The only space where there's still laws from people is in the social media world, where the outcome are laws that don't change the life of anything but make you feel good. Eg. minorities, women, etc. still have low income, bad life outlook, etc., but hey now you need to clearly state that the programmer job is also for women and trans people. Assholes can be assholes as long as they use the right pronoun, whole industries thriving on lowering the baseline (delivery, etc.) of what humane treatment at a workplace is celebrate and pinkwashing. Everyone is "happy".
Also on the ecological side. Laws that that would change something fail, but everything that can be exploited in terms of taxation passes - seriously look at summaries on voting on directives. It's completely split at this line, and all the "liberals" celebrate how great they are for driving essentially tax funded electric cars.
It's no surprise that companies reacted by making the most obnoxious cookie banners instead of removing the need to having those in first place (fun fact: you do NOT need those for cookies at all). Whenever you read a "We care about your privacy" that is an outright lie. If they even remotely did there would be no need to have such banners. Even for much of the more shady stuff you don't need to. And still most companies don't even adhere to the GDPR. They just have a meeting do pick some pieces and forget about it.
Democracies sadly have become a real farce. I think the world has over-optimized for it, companies have "min-maxed" for the current set of laws and now well intended laws are effectively meaningless, cause smart people came up with nice hacks to not really have to care about it. It's just like a video game, where people realize that your skill set is nice, but you can just max out DPS and bring along a tank, where you realize and realize that the debuff on your armor doesn't matter if it doesn't hit you and where the penalty on item costs is meaningless because you don't know where to put your money anyways.
And honestly, finding such strategies to optimize for "just not breaking the law" or getting around it entirely is extremely fun, compared to all the boring work at a job.
What people used to call "honest work" just doesn't work outside of very localized and small scale setting, and even there it's hard. To compare with video games again, it's like all the "soloing is possible" and yeah sure, sometimes it works, but if the big guys decide to crush you they will. So best to join up with them which is exactly what is happening.
We also see that in other laws. Monopolies are forbidden? Well either keep at least one competitor alive (iOS vs Android, AMD and Intel, etc.) or make a cartel, even a completely passive one where you just do "market analysis" to have a similar price. If your competitor raises prices, it is your job to adapt your prices to increase profits. If your competitors use cheaper materials, etc. it's the same. You never ever need to interact with your competitors.
Working together in one way or another is what made humans really productive, it works well for companies, yet somehow there is that believe that magically this won't happen and instead it's all fierce competition, which is ridiculous when the biggest threat to large successful companies is literally the market changing. So they just take safe bets and buy all the smaller largely already working products and call it innovation on their side.
It's a good, smart, reasonable strategy. But it's also very obviously not as intended.
The thing is that big surprise, it's the same for privacy protection laws. Companies don't care about your privacy at all and most people are in fact ordered to store data just to have it. They make sure it's annoying so both to make you accept them and to complain about the law. It's a real farce to think that somehow people, governments, etc. think that companies (at large) are nice and just want you, the world and everyone to be good and happy. It is baffling that people really believe that and somehow always think their favorite brand is magically different, because they met a nice lad working there in marketing.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
GDPR was never about privacy, but to legitimise data trade. It was two step process - first train people to Agree to anything by introducing "harmless" Cookie Law, then once people just click Agree to anything, create legal basis for data trade, where it is no longer a grey area as most users give consent.
With Chat Controls coming back, never assume EU is doing anything for the benefit of general public.
What is particularly bad, is that they are not honest about it, just keep gaslighting.
This is kind of my take.
I can't believe the outcome where most people just click "agree" to explicitly opt in to tracking was some kind of unforseen mistake.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the Eu courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
This notion that tech companies or even internet companies somehow fundamentally rely on PII is false and just an indicator of how normalized we've let unbounded and needless data collection become.
There are tons of business that can run without collecting any or extremely minimal PII. We already let the big companies take this data unnecessarily, let's not also let them brainwash us all into thinking unfettered surveillance is somehow essential to building a software business.
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
I strongly agree with this position. This is basically the foundation of Control Theory!
https://en.wikipedia.org/wiki/Control_theory
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
> This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
I think the problem here is more that _some_ people want the heater to be on and _other_ people want the heater to be off.
And when it comes to privacy, consumer advocate types and privacy wonks (I include myself in this group) want the heater to be on, and technology companies and advertising companies and all of their hangers-on want the heater to be off.
One group has a lot more money, power, and influence than the other.
And, at least in your example, sometimes you need both at the same time!
Reminds me of the book Thinking in Systems.
Thanks for the link.
It is the perfect and correct antidote to any slippery slope argument. If the consequences of the law turns out to be as bad as you say they will be then we adjust the law.
Nothing is more permanent in politics than temporary solution. As a Norwegian, for example, I am still paying a temporary 25% on all spending that was enacted as a "temporary" measure over 100 years ago.
Control Theory does not work (in the general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviosuly works, but for it to be a good solution in some political context you must additionally prove the existance of some Nash equilibrium where it is being correctly applied.
Edit: See https://www.youtube.com/watch?v=rStL7niR7gs (CGP Grey - Why Do All Governments Work the Same Way?)
> they will be then we adjust the law.
Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.
Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.
“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”
“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.
Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
> Bizarrely horrible approach
I very heavily disagree here, we aren't doing as much of this as we should be.
Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.
Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.
In the same post you are arguing for and against "slippery slope".
Either it is possible to easy change law to make it worse ("slippery slope" is valid objection) or changing law is "much harder than doing nothing"("slippery slope" is a fallacy).
>Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.
Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.
And the snowball effect continues. Governments are only increasing their grip on power(looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014- 2019, that ship has long sailed.
The libertarian approach to COVID would be that infecting someone is assault and you are justified in shooting someone who is trying to do that.
> If the consequences of the law turns out to be as bad
This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.
The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.
Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.
So, you do think “useCase.regulation” being a single dial. It’s a pretty reductive framework. I have an easier framework where in 90% of cases current law was already good enough and we don’t need to tweak that dial
The road to hell is paved with “good enough”.
Is the road to nowhere paved with "perfect"?
Perhaps not when it comes to matters like these.
It's a funny thing to say because the popular saying you're modifying says the exact opposite.
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
The worst possibility is selective enforcement.
There's a reason we call them judges. Selective enforcement is there for a reason. Lawmakers can't anticipated everything. Just look at how bad of an idea zero tolerance policies in schools have been with thinks like getting expelled for biting a sandwich into the shape of a gun.
The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.
The reason that selective enforcement exists is that it is very hard to avoid having rules selectively enforced.
But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.
For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.
You’re arguing that the mass incarceration of more people would have been better?
Yes, I would argue that it would be better for more to have been incarcerated, for that would bring greater focus to injustice and the law would be changed. Selective enforcement interferes with the feedback mechanism that would otherwise make the law work better.
If a law were to mass incarcerate people from affluent white neighborhoods it would be quickly repealed
Any instance of selective enforcement being necessary is ipso facto evidence of a bad law. This is completely orthogonal to the matter of the world not being black and white - you're right, it's not, but a good law recognizes that fact, and laws can also be amended as needed.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.
> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.
By that measure every law is a bad law.
Legislation is much worse than organically derived common law, for the common law comprises decisions that apply to particular conditions with all their details while the former are mere idealizations.
If the law is code, then law enforcement is a JITter
(joke)
Optimised compiler makes sense though.
Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).
A jitter is like a lawyer on retainer. Law enforcement is more like the OS that segfaults you when you fail to follow the lawyers advice.
Law enforcement is more like a toddler holding a glass of water over your CPU and saying "stop transistoring!"
Bad law enforced perfectly is also undesirable.
I'm not convinced. Perfect enforcement would be a great signal exposing bad law much more clearly, so it can be rewritten/scrapped.
Until a bad law takes your friends and family out of the gene pool.
Sure, but what about those who got hit by that bad law in the meantime?
Usually laws are created because of the people being harmed because the law doesn't exist. So it could go either way.
The problem with laws that both the enforcer and the subject (enforcee?) agree are bad, is that enforcement is variable. And that leads to corruption. Every damn time.
The fix for corruption is vote the bums out of office. It is not to go whole hog into blind application of the law.
Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.
And now you want to rigidly apply your operators to this parameter space?
Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.
It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."
> The fix for corruption is vote the bums out of office.
That doesn’t seem to be working.
I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.
Come out of government better off than when you when in. Fine, good on ya. No need to tells us about how you’re going about it while you’re going about it.
Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.
And lines of code is like the mass of an airplane.
Just put all code on one line then. Statements (or tokens) is what matters.
In general you want as few as possible of both.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
this is wrong for the same reason using single letter variable names to keep things concise is usually wrong.
i’d rather something a bit more verbose and clear than cryptic and confusing. there are many actors in the world with different brains.
that's right. This is the reason all my code looks like an entry to PerlGolf. /s
The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"
Simplicity is a laudable goal, but it's not always the one thing to optimize for.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for it's hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in it's own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
As soon as you start developing web sites/applications, you are entering distributed systems.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
`inline` in C has very little to do with inlining these days. You most certainly don't need to actually use it to have functions in the same translation units inlined, and LTO will inline across units as well. The heuristics for either generally don't care if the function is marked as `inline` or not, only how complex it is. If you actually want to reliably control inlining, you use stuff like `__forceinline` or `[[gnu:always_inline]]`.
Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.
Modern cpus are optimized for calling functions. Spaghetti code with gotos is actually slower.
One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.
But how do you actually do that?
When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
I’m not saying the following regarding Draghi’s report or particular regulation in mind:
If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?
That depends, are the people who are negatively impacted aware, and able to do anything about it?
There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.
Even if I were emperor and believed hese businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.
In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.
⁰ https://en.wikipedia.org/wiki/Parable_of_the_broken_window
If the net social cost is less than the cost from overregulation, yes
Lmao you can’t be serious. This is something that can only be said if you can’t/won’t quantify social cost.
Deregulated gambling has had a horrible impact on individuals. Repealing Glass—Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.
>Deregulated gambling has had a horrible impact on individuals.
Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI(hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.
So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.
> Gig economy businesses are exploiting workers
Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
> insane monopolistic pricing and practices in the US in eg the telecom industry
It's actually regulations deterring competition in telecom who are responsible to those practices.
It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
> too little environmental regulation
In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.
> Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.
Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.
> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.
Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.
> In China. You forgot "in China". … Good luck promoting environmental regulation there.
Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯
I’m not blind to the existence of plain bad regulation, regulatory barriers and capture — but the overwhelming majority of these arguments have just been used to make regular people’s lives’ worse.
“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.
As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.
> Over-regulation being what
One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.
Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.
> Bell system
Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made illegal to connect a 3rd party telephone to Bell's network!
Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulation incumbents lobby for is meant to deter competition.
> Cheap housing isn’t being built in the UK
I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...
It's not just China. It's everybody.
The logical extreme there is legalizing murder for hire, human trafficking, and a bunch of other crazy stuff.
Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.
That's a straight up slippery slope logical fallacy.
>latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course.
Normally I'm against overrgulation, but when it comes to privacy more fine for big corp is need if ANY violation is found. Rather NOT have AI than compromise on privacy.
"I'm against overrgulation, but when it comes to privacy"
Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.
Are you sure someone knowing your address is that bad?
Interesting that you have privacy so high on your list of priorities. The general public usually considers other small thing like "cost" and "convenience" when thinking about privacy.
Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.
But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
Seems pretty real. E.g. CRA official impact assessment estimates one-time (in addition to ongoing costs) compliance cost at €500K per one product. That is enough for 10 man years per product.
And that is just one of many new regulations.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a \(45\%\) tariff on manufactured goods and a \(110\%\) tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Source: https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-...
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
> Businesses have absolutely zero incentive to say that regulations are not bad.
Your overall point is solid, but I'd like to what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.
Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitve advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/
The number of regulations is not as important as the quality of those regulations.
Shame we can’t regulate the quality of regulations.
The US actually has done this very thing since Reagan: https://ballotpedia.org/Presidential_Executive_Order_12291_(...
That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.
It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.
Right, but that's a follow on to regulations about increased rear and side still heights for occupant protection, and that's a follow on from increased vehicle sizes, and that's a follow on from commercial vehicles being sold to the general public instead of regular passenger vehicles due to tax breaks, etc.
That's actually pretty cool.
I was somewhat disappointed, however, to aee that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
> Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?
There's no reason to expect the warm clothes to be made in the north and the cool clothes to be made in the south.
At scale, no. But when very small there is a reason that people from Norway made rain jackets, and the brand cachet follows that too.
European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.
Languages are the biggest trade barrier in the EU.
Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.
I don't mean to refute your experience, but I am suprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean.
⁰ EU procedure means there are some notable absences in the list, but it's pretty comprehensive once you include citizens' second languages. See https://european-union.europa.eu/principles-countries-histor...
> Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.
All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.
Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) means that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.
A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.
Ah, you're absolutely right. Only when reading your comment did I realise that I'll often go to the UK for some human-mediated service I need in English.
(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
should you filter out the covid era from that?
coats have gotten higher, but across the board for different countries
Ok let’s take this at face value. Not being able to use child labor is a 40%+ tariff.
What have we gained by framing it as such other than an extremely biased take pro unregulated business?
Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are build in less-regulated territories (USA and China to be specific).
Based take. It is rarely back and white when it comes to social-technical challenges like this.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
The challenge with regulation is that its the result of those in charge of a power imbalance being able to decide what is "good" PR "bad."
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
I agree
People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:
Bureaucracy is how it works
That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.
Of course the meaning drifted with the times, but it still means that
First definition here https://dictionary.cambridge.org/dictionary/english/bureaucr...
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
>Unfortunately politics has become the religion of modernity.
religion was classically politics. Moses's tablets were Law. the circle of life.
Because both is trying to create a better society. One by internal, the other one by external motivation.
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Well, I see multiple in this thread, one of which is currently adjacent to your comment.
https://news.ycombinator.com/item?id=45986410
> displaying a positive opinion on GDPR
Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
Hear hear.
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think theres a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
Heres the full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
> 87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
That's some serious speed reading! :-)
20 minutes to “read” 87 dense pages of legalese? Perhaps you meant to say “skim over.”
Perhaps they meant 200 minutes.
Or perhaps they also never read the law they are chiding others for not reading.
Try reading it, it's like 10 sentences per page and plain language.
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
I would call this the religious zeal response, it's been parroted so many times here that it's become fact, even though this is false.
The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/#:~:tex...
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activty? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
Big enterprises like regulation because it enables them to capture the market and slow startups down: that's why they invest so much in standardization, for instance.
It allows them to force startups to match their (slow) pace of development.
> Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?
Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.
> The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long
My feeling is that in 9 years you could read it.
However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.
> it's actually super easy to comply, you can read it yourself, it's one sentence!
It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.
You’ve addressed nothing in my comment and have simply repeated the religious chant: it’s easy to read so easy to comply!
Thank you for illustrating my original point about this being religious dogma here.
Every HN thread about GDPR devolves into this circular argument. It’s getting so tiring. There are many issues with the actual reality of its implementation which I’ve explained in my other comments. You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
> Every HN thread about GDPR devolves into this circular argument.
The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".
> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.
Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.
So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.
The regulation good/bad dichotomy has been very effective reducing the thinking of the constituents of modern neolibs in the US.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
>I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
you didn't really say anything
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
i could have chosen anything, you choose and do it. he didn't say anything at all.
"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
Well he is saying something here, because as pointed out, many people approach this from an ideological place.
Your midbrow dismissal only makes sense if there is nobody who denies that regulation is nuanced. In fact, the entire political landscape is set up around a "regulation is GOOD" vs "regulation is BAD" worldview.
https://en.wikipedia.org/wiki/False_equivalence
false equivalence describes a false equivalence. the equivalence that I pointed out was true. he didn't say anything.
The thing you pointed out is barely even grammatical.
There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
It's not more effective and trustworthy, particularly as you can do both. The laws also cover dramatically more than tracking scripts and cookies.
> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.
Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.
The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
> You can’t read news websites unless you accept all cookies or pay to read.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
It seems there were lawsuits but "pay to reject" is apparently legal as long as the pay is reasonable. I despise it personally.
If you're under UK law the ICO guidance on "pay to reject" can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job ?
We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.
They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.
It is the fault of the EU. If you leave a steak on the floor you don't punish the dog for eating it. Site operators just chose to do what was most convenient for them within the boundaries of the law, as would you.
> That cookie banner needs to be standardized and offered by the browser.
That's actually part of these changes. It's mentioned in the linked article about halfway down.
I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.
> Probably. But the law and the incentives aligned to cookie banner hell.
Most cookie banners are non-compliant, so I doubt that.
Aren’t tracking cookies mostly irrelevant nowadays, because every browser can be uniquely fingerprinted anyway?
The law doesn't even mention cookies. This is a common misunderstanding and causes a lot of annoyance as I've seen websites ask for permission to store cookies even when they don't need explicit permission.
The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.
No. The regulation is about processing your personal information, cookies are just an implementation detail.
Fingerprinting is actually covered by the regulations and needs to be "consented" to.
There are different regulations, but basically they are technology agnostic (a good thing). If you as a compnay want to use data that could theoretically be used as an identifyer for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.
Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users. But those are separate from GDPR.
GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.
Theoretical example: Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughtly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village, use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome in having to ensure you only use this data in a way that I gave consent to.
See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing ti me as an "ID" - like a cookie ID, or at personal identifiable data - like bei combination in my example.
I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.
GitHub doesn't have a cookie banner: https://github.blog/news-insights/company-news/no-cookie-for...
That said, looks like what you asked is happening: https://www.macrumors.com/2025/11/19/europe-gdpr-cookie-chan...
How would that even work? The browser has no way to know what a cookie is for.
They are regulating websites anyway, surely they can just invent some standard format to say what function each cookie has. How about requiring that the name of every cookie has to start with one of "Strictly Necessary", "Functional", "Performance", and "Targeting/Advertising"?
It's not the tech that's hard. https://lists.w3.org/Archives/Public/ietf-http-wg/2024JulSep...
I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.
I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
> Most of the harsher regulations only come into effect when the company hits a specific size.
That’s very market and country specific. Spain makes more than 1k tweaks to it’s food regulations each year, which would kill lots of restaurants if they were to be in compliance.
The result is that everyone tries to make as much money as they can and build a “inspection fund”, because you’re guaranteed to get a fine if inspected.
Why isn't #1 an import duty sales tax system instead and you need to declare the proper value as part of shipping, or the good is rejected / confiscated?
75,000 is very small for a business.
Actually, online shops that mail stuff to Australian customers who request them to do so don't have to collect or pay any sales tax. The Australian government might stomp their feet and declare otherwise, but they have no legal or jurisdictional authority to do so, nor any real means for enforcement.
This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.
> This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas
I disagree.
Imagine I ban health potions in my realm. I am running a Darwininistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup context. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.
In fact, "too many" is the exact point at which it becomes excessive. :P
I think this is an excellent point. More is almost always worse, but if there is a genuine need for regulation it should be absolute.
Most baffling thing is that sometimes you can't opt-out from "always active" stuff that still involve hundreds of "partners"; see: https://news.ycombinator.com/item?id=45844691
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
If you want to do business in the EU, just follow the law.
You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Becase hey, people can just decide to not buy drugs.
[Edit]: Typo
That’s not how the GDPR and cookie laws work at all
That’s how most news websites work in Europe: accept the cookies, or pay.
Yes, but opt-out tracking data which is not necessary for the operation of the primary use case of the app is not allowed.
It must be opt-in, truly a free choice, and informed consent, and declining must be as easy as accepting.
My search told me that unless you are a gatekeeper, offering a reasonably priced ad-free tier allows to make the ad-monetized version personalized only.
I think it makes sense. Either pay, or consent to effective ads. There's no free lunch
This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.
Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can alow easily change some settings to stop persistent cookies. You can install privacy extensions like ghostery to block beacons. You can use features like ICloud private relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.
Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in tis case ends up completely unprepared and unprotected.
Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.
If you want to use ddata that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask m. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO#s my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for wheightloss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companes need to rott in hell, but that is my take. I want people to be protected. From business, from government. Thst is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
> Ads are passing session data on the URLs instead
At which point it also counts as PII and is subject to the GDPR rules.
There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.
And by that they are actually in violation of GDPR. But hey - since when was Musk interested in following regulations. And since when has a governmental or supra-governmental entity been able to curb that tendency of the super rich and biggest cooperations.
Like with meta: They know they mke 7 billion annualy from serving 15 billion scam ads daily. They calculated that they will have at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.
So it is a clear business decision to go on shoing 15 billion+ scam ads per day to their "users". Were some interesting journalistic pieces on that a few days ago.
And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.
Once they lobbied in "legitimate interest" as the exception to the opt-in requirement, the whole regulation de facto became a farce for the end user.
That cookie thing should a browser's default.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
GDPR allows for essential cookies with no popup.
Implied consent is valid for most functionality, just not selling peoples tracking data or giving it to a third party who could.
Its entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
No pop-ups on apple.com!
embedding youtube is enough to be non-cookiebanner-compliant??
Look at what YT loads in terms of tracking, when opening a page with an embedded YT video - even if you do not play that.
Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Adible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.
If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].
I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.
[1]: https://pluralistic.net/2025/11/10/zero-sum-zero-hours/
We went the route inspired by gamingonlinux.com
So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.
It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
That would be fine, if there was a law that forced every browser to have this setting and every company to respect the setting.
arguably if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably, it would still need to adjudicated.
The browser setting already exists (DNT), so I don't know what you want to conlude.
My conclusion would be that under the current GDPR that if someone had the browser setting on, if a company did not respect that setting and kept private data, that they could be reported for GDPR violations and then the issue could be adjudicated, i.e that the courts would then decide if in fact GDPR violations occur by not following that browser setting.
Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, howe ver as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".
In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality when non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
> GDPR that would seem to be dead in the water
I agree, and I don't like that.
If there were any companies that provided value for tracking people would turn on a track me header, but there are none. so I agree.
I mean I run Debian, and voluntarily enabled popularity-contest, so is not like these examples don't exist.
Like Do Not Track?
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
Private browsing is equivalent to creating an ephemeral browser profile everytime. It might get rid of more browser storage, but for how tracking works now-a-days, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.
Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?
In Chrome and Firefox, all the private windows share a session that gets scrapped when you close them all. Safari keeps them separate.
> You can do this trivially in modern browsers: private browsing.
The one that Google keeps tracking? https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
--- end quote ---
Yeah idk why there's a law trying to poorly enforce this instead
Because the law isn't about cookies, but about tracking? You know, the kind that doesn't stop even if you open the "ignorant mode" in your browser: https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
The problem is paternalism and assuming the user is too dumb to take control their privacy preferences.
The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU
Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.
In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.
GDPR is not a cookie regulation it is a tracking regulation.
It's broader, it's about users data. For example, you can store my address so you can send the item I ordered to me. You can't, without permission, use that to send me marketing stuff.
> Business never respects anything, but profits
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
Realistically speaking, how much are people willing to pay for email, communications, cloud backups, social media? This is the hard question.
They already do as part of their internet subscription at home and data plans on mobile.
ISPs used to provide email addresses for people, and it was part of the cost.
Every regulation has some unforeseen consequences. Most of the time it's impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.
> Every regulation has some unforeseen consequences.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time it's impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have. There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back. The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bended the regulation requirements just enough without breaking them.
The banner isn't required. They could just not do the things the banner would ask consent for.
People don't know whether they are or are not doing things that require consent under the law. That's because, if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs. Notably missing from that list is "lawyers who can be bothered to research the question".
People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obviously to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.
> if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs.
Those are the people who should know best what is meant by "ask visitors for consent before you track them.".
Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possibly without breaking the law."
You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.
> People don't know whether they are or are not doing things that require consent under the law.
This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.
Is that what really happens though? EU countries usually don't immediately punish violations unless they're particularly egregious. You're more likely to get a warning and a grace period to meet the requirements. So the rational approach would be to not bother with consent banners, GDPR and whatnot until you attract the attention of the regulators, at which point you should definitely hire a legal team that can tell you what exactly you need to do to comply.
"Just sign the contract, we'll never use that clause!"
Any company that can hire teams of software developers can afford to hire a lawyer to tell them whether they need to irritate all their customers. And frankly, they'd be dumb not to hire a lawyer if they think they need some legal cover to determine whether that cover is sufficient.
Good god. I certainly wasn't suggesting this situation would be improved by software teams hiring lawyers to advise on their software! You appear to have completely lost perspective.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark pattern to extract personal data from citizen.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the "Decline Cookies" dialog under 3 layers of clicks. That's a proactive choice, that some software developer chose to implement.
I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.
Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".
Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".
That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.
I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.
He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.
Both understandable and good that you stood up to it!
Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.
It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.
Your moral integrity is tested, when your paycheck depends on it, not when it doesn't have repercussions to you.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.
Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your lifelihood depends on the job
It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.
I agree with everything you say, except
> Usually at that point they will find someone else
is not really something a lot of people can afford to risk
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"
Maybe you could still program a website. But you might not be able to do it professionally.
But yes, more people should tell other people that they won't do that.
Should contributing code to open source software require professional licensure?
someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"
How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when not one doesn't know.
Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.
Why not accept and let cookie autodelete delete it after closing the site?
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
https://adnauseam.io/
I think we better remove the problem itself that come up with more and more ways to mitigate it.
It's not just about cookies but any kind of tracking, including fingerprinting.
Nothing is ever black and white.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.
What a funny comment. “You see, you just don’t understand trade-offs, here let me explain to you…”
Perhaps if you had some engineers write the laws they’d work better
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
And when they use our data to profit, we don't get a royalty cut.
> I get that too many regulations is a bad thing
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rathr than a curse.
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
And that's probably the same for 99% of websites.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
> It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
Selling drugs causes harm.
Targeting political ads? Debatable - whether AI is somehow involved or not.
I would consider making people to vote for a criminal dictator to be more harmful than selling drugs, the former is destroying way more lives than the latter. And I am someone who would vote for more enforcement and regulation of bans on drugs.
No matter your political opinions, the ability to target political advertisements hardly seems like the nightmare you all act like it was.
Multiple people keep talking about selling hard drugs in the comments. Seems a tad dramatic.
that just shallow and one sided argument that never respect another side of coin
It's also true.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
what do you mean illegal???
tell that to Ads advertising business that bringing billions every year, and its legal btw
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Nobody like it in the same way that nobody likes paying for groceries or gas. Wouldn't it be great if they were free??
Of course it'd be awesome if the world had no ads, but most people prefer free with ads to paid without ads.
Uh, no, not in the same way. You have absolutely zero proof that you NEED to fuck users up the ass to make the service work.
Many services worked without the ass fucking. We did it for a very long time.
> but most people prefer free with ads to paid without ads.
No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.
Things like GPDR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GPDR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want right?
Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!
Okay. So would you prefer to pay a subscription for every site you use or pay with your eyeballs by looking at ads?
this is a false dichotomy. You don't need to track your users to show ads.
Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).
so you want people cant earn livelihood by your saying?????
for some people and I mean some people in this are entire industry that working with directly and indirectly. this is the only way to earn a living for them and you saying this people cant do that????
"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."
well. you are free to choose not to?????? what we even doing here? life its about choice and you are free to not sign up service that scummy
it literally totally difference case that worth another article/post for that
> this is the only way to earn a living for them
Who are those people who literally can't earn a living in any way other than working on personalized ads?
So, so many glaring problems here:
1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.
2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.
If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice "not sign up service that scummy", THEN they must know if the service is scummy. Necessarily!
You are literally agreeing with me!
You are making it like they are doing human crime level hitler or some shit
No, the competing solution/alternative its not better
if there are better ways to do this, it would be born already
> if there are better ways to do this, it would be born already
That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.
They should feel ashamed for collecting your personal data in the first place.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
no. even including a font from a different host is not allowed under the gdpr because you are leaking the users IP to that host. you are poorly informed on this topic.
Everything that happens under Ursula Von der Leyen leaves a bitter taste.
There are lots of uses for cookies that have absolutely nothing to do with collecting data about you.
That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.
And you don't need user consent for most of those cookies.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be the make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic power houses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.
I wish we standardized on Do Not Track headers. Cookie banners are a plague. Thanks Europe.
There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Thanks Google.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I very much doubt, that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was more challenged and brought in front of the courts. And not just wristslaps dished out. Such practices need to have business threatening punishments attached to them.
I'm sure that happens in some cases. But the EU is building a reputation for handling out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.
I think I should be able to collect whatever publicly available data I can find.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules are almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
you are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
The "hacker spirit" is dying.
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We eill be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
I might get worried when mainstream computers won't be able to run Linux. Until then.. I'm not worried.
Seems there are efforts to bring openness to platforms that inherently have an interest to resist it and while the progress is slow.. there is progress
> we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick".
Doesn't that describe SV in general, and big tech in particular?
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there are a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
This sounds too much like a 'good old days' argument, which is actually in the HN guidelines (something like, 'don't say HN is becoming Reddit').
No. It's reflecting on an overall culture that embraces taking chances. Even if 50% of those chances lead to failure it still beats the paralyzing fear of moving forward.
As a hacker, I don't care about cookies or what the EU thinks about them. Disable them if you really care. Or at least use a browser that blocks 3P cookies (not Chrome).
people still insist on using a browser built by a company that makes money off of ads and act surprised when said company purposefully compromises their privacy and data on said browser.
What about when the lack of cookies makes everything break and you cannot work around it because it's too much JS to reverse-engineer, and/or it's a copyright-felony in your country to develop workarounds?
"I'll use my l33t hacker skillz to avoid it on my own" is a losing strategy in the long run.
A similar thing happens with the proliferation of cameras and license-plate readers.
You can keep them enabled and clear at end of session. I'm not saying this makes you untrackable; that is a losing strategy due to all the non-cookie tracking, but also the cookie popup isn't helping there.
As this is the message board of a VC fund it's not that surprising that it doesn't only attract hackers in the original sense?
Hackers should know the government is never on your side.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
In addition, hackers should know government is inevitable. Even in anarchy, governments spontaneously begin to form.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
That may be one of them, but there isn't a singular anarchist school of thought.
> there isn't a singular anarchist school of thought
Would be oxymoronic if there were one.
Isn’t that like saying there must be as many universes as theoretical physicists can think up? Slight maybe but it could also just be one.
> Isn’t that like saying there must be as many universes as theoretical physicists can think up?
Schools of thought are theories. It’s saying there can be as many theoretical universes as theoretical physicists can think up.
This is true for any social construct, of course. But anarchy’s nature means you get less alignment.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
An entity, that invents rules, that are not enforced by anybody is a useless waste of energy.
The thing that anarchists have a problem with is hierarchy, of which states are a manifestation. Most anarchists aren't just "okay" with some kind of government, but believe it to be necessary.
i guess I can see how it might work in a single person's life or small group, but on a large scale doomed to failure because the neighboring country/cit-state/etc will be organized, with and organized army. That group will eventually desire something the anarchist community has and will destroy it.
That is indeed the sticky question, but, again, anarchists aren't opposed to organizing either, even at scale - only that such organizing should be fundamentally egalitarian, not forced.
You can argue that hierarchical organization is fundamentally more efficient, but by the same logic authoritarian governments ought to always outcompete democracies militarily, yet it's clearly not as simple as that.
One could also argue that in a world where anarchist modes of organization are the norm, an attempt by some group to organize for the purpose of conquering neighbors would be treated as a fundamental threat by basically all other groups and treated as an imminent threat that warrants legitimate community self-defense. Of course, then the question is how you get to that state of affairs from the world of nation-states.
I don't have answers to these questions, but it should also be noted that it's not a binary. Look at Rojava for an example of a society that, while not anarchist, is much closer to that, yet has shown itself quite capable of organizing specifically for the purpose of war (they were largely responsible for crushing ISIS, and are still holding against Turkey).
Nozick's libertarianism is not really an anarchist school of thought.
oh no, the dreaded "it's complicated" counter-argument!
making it complex helps nobody - everyone has to have a default
and default of "do not trust the glowies. EVER" is the better one
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
No, the naive position is to assume that the state is on your side because you occasionally gain something from it.
The reasonable position is that the state exists to propagate and protect itself, which is made up of it's citizens, you included. This is just like any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
> But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
Not really. The goal is to prevent people from being unhappy enough that they revolt. But so long as that is not a real possibility, the company - or the state - is quite willing to make the population less happy if that means more productivity that can be extracted.
The example you gave - free education - is precisely about that. The point of schools is not to make the people happy, it's to make the people productive. But, also, ideally to brainwash them into being "good citizens" (meaning compliant and not causing problems). It can even mean "happy", but that is not necessarily the desirable state of affairs from the citizens' perspective, either - e.g. in USSR under Stalin, the cult of personality was strong enough that many people were genuinely happy to participate in it, and genuinely sad when the guy finally died; but it wasn't actually good for them!
No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
The reasonable position then is to demand governance that is actually in the interests of those governed. And one can reasonably argue that the resulting entity is not a state.
> No, the fundamental problem with state is exactly that: it exists to propagate and protect itself, but you, the citizen, are not included. You are a resource, and your well-being and happiness is only incidental, not the actual goal.
Beliefs like that are self-fulfilling prophecies. People who believe in that often give up trying to influence the state and exclude themselves from its interests. If too many people do that, the state will not care about them.
There is a trade-off based on the size of the state. Small states are easier to influence and more likely care about their citizens. Politicians stay more in touch with other citizens, and the average citizen is more likely to know some politicians in their everyday life. But small states often make amateurish mistakes, because they are governed by amateurs without access to sufficient expertise on various topics.
Large states have an easier time finding the expertise they need. But they tend to develop a political class out of touch with ordinary citizens. Political leaders become powerful and important people who mostly associate with other elites.
I believe the ideal size of a state is in single-digit millions, or maybe up to 10 or 20 million. Like most European countries and US states.
If you were to put a name on your ideological position, what would it be?
It can't be liberalism, since that tradition considers the state separate from society, and the state's purpose to provide liberty to the latter.
Communists of the 'tankie' variety (i.e. 'authoritarian' rather than 'libertarian' or anarchist) believe the state is or ought to be made up of its citizens, but they are aiming for scientific industrial administration and would never describe the state as an organism.
The tendency that does describe the state in that way, is fascism.
If the state inherently wanted all that for its citizens, why have people formed unions and militant organisations and struggled to achieve things like common education and so on?
"Hackers should understand governments are complex, dynamic and occasionally chaotic systems"
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
Growth hackers aim for regulatory capture.
In a democracy, the government is its citizen. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
A government or president can definitely be against its voters interests.
Then that president should not be re-elected. Or it's the voters' fault.
So the people should talk to their representative. A government becomes authoritarian not only because of an authoritarian leader, but also because of the enablers, people like the spineless Mike Johnson.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client ai push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a faustian bargain.
That is an absolute nonsense.
At minimum, government will be useful as defence against worse government.
I know that some anarchist had dream of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
Government != state.
And the enemy of your enemy is not your friend. It can be a temporary ally, but you always have to be wary of it becoming strong enough because you can become its enemy tomorrow.
Couldn’t agree more.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also weirdly (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetorics that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alley way we once had.
Some of that is attributable to raw inflow/outflow differences, where newer cohorts are bigger and therefore the blend would shifts even if no oldsters ever left.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
It made me feel kinda sad for a few days.
It always had a lot of that, I would say 2-3% of articles were about SEO in the early days of HN. It was never slashdot.
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much mored left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular(VR, Autonomous Driving, LLM) and people are first to be luddites come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lays on personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tanginble benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
> A future where everyone has a personal computer was exciting and seemed strictly beneficial
I like to frame it in terms of capital goods, even if I didn't think of it at that time: The personal computer's promise was that everyone would own their own digital foundry and factory, creating value for them, controlled by them, and operating according to their own best interests.
Nowadays, you're just renting whatever-it-is from BigCorp, with massive lock-in. A tool for enacting other people's decisions at you.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy to Civilization is to maximise freedom for anyone. As freedom enables enlightenment an enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And provide an economic system where risks can be taken, enabled by a social let (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
This isn't actually unusual in the grand scheme of things, just at the moment. "Libertarian" was originally a word that anarchists came up with to describe themselves for a good reason. Lysander Spooner is famous in right-wing libertarian circles, but the guy also promoted mutualism and was the member of the First International. Today, what you describe goes under the label of "libertarian free-market socialism".
Regarding regulation, I do have to note that in many cases when you try to root-cause corporate power, it turns out that it hinges on active government regulation in practice. For example, consider the fundamentals of capitalism, namely, accumulation of capital. Why do we get those huge monopolies in the first place? Well, because more capital means more way to generate wealth (or, more precisely, to appropriate wealth generated by your workers), which can be invested into more capital etc - there is a natural positive feedback loop here. So at a first glance it feels like you need government to actively do something to prevent companies from becoming too large. But consider: what does it mean for a company to own something? It's not a person, so it can't really have physical possession of things. It's all abstract property rights, and the only reason why that works is because the society as a whole acknowledges those rights and legitimate, and, crucially, because there is a state providing infrastructure (police, courts etc) to enforce them. Now imagine what would happen if, for example, the state simply refused to acknowledge property rights past a certain limit and simply wouldn't enforce them on behalf of the property owners.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
The truly "eternal" September.
https://en.wikipedia.org/wiki/Eternal_September
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
That's getting pretty hard these days. I did a query on Clickhouse and this year a full 1% of all comments on this site mention Trump.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
precisely this. cool detachment or disinterested curiosity around political events is the privilege of those comfortable enough to believe current politics won't affect them. These same people are also usually ultimately responsible for the apathy/failure to act and stop meaningful regime change before it's too late.
I'd love to live in a world where one can neatly compartmentalize reality and view life-altering political shifts with "a lens of curiosity", but that isn't how the world works.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
Facebook is still running strong on Marketplace and Groups. They have almost no competition on those.
....and I don't care because I don't use either of those. All the network effects in the world mean nothing if that network has no value to me.
Yes, but then it's about you. A significant portion of society is using Facebook marketplace and group so it won't die with "grandma"
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
You might have convinced 2 people to install Signal, but the real test is whether they will still be using it a year from now. My own experience from going Signal-first for a while was that it doesn't stick for most.
Social connections can be a large sacrifice.
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didnt the judge rule literally yesterday that this wasnt illegal. This was one of Lina Khan's signature lawsuits, and judge didnt agree even a single one of FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power dont want any monopoly laws, then there wont be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
Where can I read more about this? Quick search turns up nothing for me
https://www.theverge.com/news/823191/meta-ftc-antitrust-tria...
It is actually a monumental case ruling, and for some reason it wasnt reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta)
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
> The very premise that Meta didn't face meaningful competition from TikTok was a farce.
The original claim was centered around the timeline of purchasing Instagram and Whatsapp. TikTok came much, much later.
If this is true, the case then becomes "Meta was a monopoly from start_date-tiktok_date" which isn't a very meaningful claim since they are not arguing it is a monopoly to be broken up.
Anyways, I disagree - this is not the case. If you read the filings and their slides, the FTC argues Meta is a monopoly in the personal networking space.
They essentially carve a market out of thin air to selectively exclude Snapchat, TikTok, and Shorts. The judge has understandably called this for what it is.
It was a phenomenally poorly litigated case, most experts at the time doubted it would succeed, but it did wonders for Lina Khan's popularity. Seems to have served her well with NYC and all.
Just to be clear, when you Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
Correct, yeah.
https://arstechnica.com/tech-policy/2025/11/meta-wins-monopo...
This is a proposal from the EC. Whether the EU accept it is not clear.
Yeah I really hope they don't. It's ridiculous to throw out all the great work they've been doing.
Nothing's been official published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
Why? Is META relevant only on merit?
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views are not equal - in the sense that there isnt equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
I would strongly encourage everyone to read HN with `showdead` enabled (it's in your profile page). There aren't actually all that many downvoted comments, and while mosts are low-level trolling, even with `showdead` you see them at the end of the parent thread and they are greyed out, so it's not all that distracting. But being able to see some of the things that get downvoted / killed unjustly (and then vouch & upvote them) is how you get a better HN.
You can upvote dead comments? I can't maybe you need to have some amount of karma.
Yeah, you can sense how strong libertarianism is in the US.
Europeans here steer more in the "we can, but should we?" category, while Americans are in the "move fast and break things" category.
I literally see upvotes during the day (Europe) and then downvotes during the night. Mostly. But the trend is there.
I think there is plenty of diversity of comments, substantially less diversity in voting and flagging.
You can say lots of things, many that go against the hive mind will just get you more or less instantly grayed or even flagged
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
To many (especially younger) people, giving up Meta products would make them a social outcast.
Some industries naturally tend torwards monopolies. In social networks, this effect is very strong.
The thing is that it didn't work for that objective. It didn't seem to have any meaningful impact on all on the Metas and Googles out there. They control the user base and people depend on their products, it was trivial for them to get full consent like they've always done with their Terms & Conditions.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
so what it like working at meta?
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.
Look at what happened to iRobot vs. Roborock though.
can someone explain what happened? how is it relevant to EU laws?
I live in EU. I am totally in support to force Meta down through government's big stick.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Then I propose you should support https://noyb.eu/
Their track record is pretty good.
If you support them (I do, they do great work), please set up a yearly subscription. Predictable revenue is very valuable for organizations.
Do we have anything like this in the U.S.?
I'm a hacker type and generally extremely (left) libertarian. But when it comes to megacorps, I have basically zero sympathy. When they are big enough to rival nation-states in economic and political power, they can't complain when said nation-states start to notice.
(I would still prefer the world without either, though.)
Yeah, I think states need to release that entities as large as them become their competitors. Now we have entities way larger than them.
Yeah, seconded, and I also live in the EU.
I wonder what kind of people downvote you. They must have interesting priorities.
Can contract killers become irrelevant on merit, or does it take government intervention?
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
Meta's only merit is having a lot of users and keeping them hooked at any cost.
It might surprise you, but success is not always rooted in having done great things for the world
The 180 does not surprise me at all. GDPR and associated laws are a perfect example of the old 'Good intentions, unintended consequences'-pattern we see in laws all the time.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - an European - from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufactuers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time even Brussles remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
can you please explain the driving licenses part?
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> ...more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
There are lots of companies like this:
https://zeotap.com/wp-content/uploads/2025/06/Zeotap_-Time-t...
Well yeah, the GPDR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major companies website I visit. An option that was near non-existent before GDPR.
That wasn't even the GPDR and it did even less for user privacy.
what was it then? why it did less for user privacy?
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
?? He bought instagram in 2012 when it was tiny. They all moved in 2016.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
What about hp, dell, ibm, compaq, sun? Companies are temporary.
> sers dropped from Facebook like flies and moved to Instagram.
Even worse, bought Whattsapp.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
[2] https://wikileaks.org/podesta-emails/emailid/8190
I like what Kagi does which is just using the nuclear option of "Look - if you fill your website with crap we're not going to index you"
That said, Google stripped away +must +include +terms from their searches so I do blame them some and not just SEO
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
So “smart rules” only means “more rules”?
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because user's data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GPDR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice, that is the core of a free market. It might seem counterintuitive, but regulation that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
The answer is to force them to adhere to rules. Not to loosen the rules.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.
I keep hearing that, but do we actually have stories about small European companies being ruined?
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.
The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.
Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
I'm not sure.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
Easy to not play the card game, by only collecting the data needed for your service.
Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation."
I totally agree with this view!
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?
I‘ve spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.
IP addresses are PII. This has long been determined.
This is a perfect example of uncertainty causing compliance overhead.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address.... > Untrue. IP is an category of PII but its not PII in itself unless you're a law enforcement. > Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so. > More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
European startups will not profit if this deregulation goes through. US and Chinese corporations will.
While everyone talks about souvereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
The real issue with regulation isn’t the rules themselves; it’s who ends up writing them. And it’s almost always one of two groups:
Politicians, who usually aren’t experts in the field.
Industry leaders, who have every incentive to make the rules tougher for everyone.
Small company and business should be treated differently than big corp. And the fine and punishment should be adjusted accordingly.
While I generally agree, just differentiating the fines is not sufficient.
Small businesses in particular do not have staff or the capacity to to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR would be less vague on the rules surrounding typically collected data
I agree in theory but in practise, this just results in even more regulations. There are very few or no real world examples of stricter regulations being written in clearer terms. The reasons are numerous, but a big one is that people often have a financial incentive to circumvent these regulations. They attack the edge cases and the ambiguity between each word. If the regulations are not written sufficiently prescriptively, courts are swamped with cases and eventually a precedent is set which nullifies much or most of the intended purpose of the regulations. So regulators go to painstaking lengths to write clear and verbose regulations, but ensuring compliance with tens of thousands of pages of regulations are expensive, and this results in an economies of scale barrier for small businesses.
There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.
Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
> Ultimately this means fewer regulations generally are good for startups - and larger businesses.
Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.
I think that when I wrote that fewer regulations help small businesses, but that there are costs for this, you read, "all regulations are bad and I think they should all be removed." Since you didn't read my whole comment, I'm going to paste the important sentence again now:
> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered. Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle. They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I keep hearing this argument that it stifles small businesses, but how is that exactly? I've worked for a variety of small startups in NL and GDPR has never, not once, been a real issue or blocker.
Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.
There is no certification to pass or anything. You just have to keep it in mind when creating your business. It's too easy to just abuse data and then claim that it's too late to fix.
I've been through several startups after GDPR went into effect, it's really not a problem.
Browser level consent primitives would be a significant improvement on the status quo.
I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I do want to often don't store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners"). While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as an unified and centralized way to communicate consentment as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
Do Not Track was a spectacular failure.
You can still turn cookies off in your user agent though.
It was a spectacular failure because the people who thought of it didn't stick to it.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
But they weren't prepped to take action yet.
Microsoft made the user expressed intent and the user expressed no opinion look the same.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
Microsoft made the default be, well, the default preference - what most users would set this setting to if they had to look. That's a good and sensible default.
The only reason why the advertisers were so unhappy about it is because what they do is neither good nor sensible by most people's standards.
I'm sorry but the word is "consent" not "intent" and that's literally how consent works.
If I (a complete stranger to you) walk up to you and kiss you on the lips, it doesn't make a difference whether you're wearing a t-shirt informing everyone you don't want strangers to kiss you on the lips or not - I don't have any basis on which I can presume to have obtained your consent so I'd still be violating your rights.
This is very much a "tech bros don't understand consent" case: if you do something without consent, you better have a damn good reason other than "but it's good for meeee" (or "good for my bottom line"). "My business model depends on it" also isn't a good justification - there are plenty of business models that depend on things that are unquestionably illegal, we just refer to them as "criminal enterprises" rather than "disruptive startups".
DNT headers are equivalent to those email signatures that pretend to be a legal document. You're just spamming the server with extra crap that does nothing and means nothing.
Actually it's worse, DNT headers are like posting a wall of text on facebook saying you do not consent to them using your images or posts for some purpose.
Track doesn't have a consistent definition across contexts, to regulate this you would have to fix it to something - what are your suggestions? DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
If you have a better write on regulation lets hear it.
DNT headers are not by themselves legally binding. However they can rightfully be considered an indication of a user's preferences (kind like how the OS language settings can be an indication of what language a user wants a website to use).
What most people miss about the GDPR is that most of it (as well as the ePrivacy Directive covering more technical aspects like cookies) really only exists because of the one big thing at its core most people are either not aware of or intentionally omitting:
The GDPR establishes a user's right to ownership and control of their personally identifiable information as an inalienable and irrevocable fundamental human right. This is what makes all the rest of it necessary: it's not about "cookie banners", it's about requiring others to obtain consent for what they want to do with that information; it's not about writing "privacy policies", it's about explaining what you do with that information and how you guarantee their rights are respected by you and disclosing who you're passing it on to and how you're ensuring they too respect those rights.
The alternative to consent dialogs (whether as "pop-ups" or via confirmations when prompting for relevant information) would be requiring every website to have a written contract with each user. Consent is only valid if it is demonstrably informed (and non-coerced but that's a different story) and it must be specific and revocable. You can't have users blanket opt-in to everything you'd like - they wouldn't even know what consent they'd need to withdraw later if they reconsider.
By the way, courts recently seem to have started ruling that the way many AIs work the companies training them are in violation of copyright laws by using intellectual property as training data without permission and in order for contracts to be legally binding, anything given by one party has to be given consideration by the other (i.e. anything of value given by one party has to be balanced out with something of value given by the other party) - so I wouldn't be too quick to ridicule the idea that using Facebook means Facebook can do with your data whatever its terms of service say they can do, even if posting on Facebook can probably not be considered an effective way of informing Meta about your disagreement.
> DNT and the "deny optional" that foamed its way out of the GDPR aren't quite the same thing, and even if they are, it will take many court cases and years of time to figure that out.
Or it will take one clear message from the regulators saying they're equivalent.
What actual innovation is stifled by data protection laws? What small business is unable to operate because of the GDPR?
Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear(as it operates on intent). Tax laws are clear, but not smart(as the interpretation is literate and there are multiple loopholes).
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for europe. I don't see anything about GDPR that would harm innovation or long-term success for europe.
> I don't see anything about GDPR that would harm innovation or long-term success for europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
So either you're lying or your lawyers are lying to you.
In 9 years you could've finally read and understood the rather small law yourself.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
Before you get to a judge you will get plenty of warnings and anple time to fix whatever it is you're doing wrong.
For the absolute vast majority of companies GDPR compliance is trivial.
For the absolute vast majority of remaining companies GDPR compliance is simple.
There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).
I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy
No wonder you have "trouble complying with GDPR".
I never said we were having trouble complying. I said it cost time and money.
It costs money not earned by illegal selling of people's personal data, indeed.
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
Its not just cookies and websites, its any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Schrems? - if you think that this legislation is easy to comply with why did all of that happen? The EU can't even agree with itself on how to interpret its own law or what it does.
How the hell do you expect everyone else to?
Ughhh here we go again.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
As with many laws people think its what is sold as.
There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.
Its not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:
https://ico.org.uk/for-organisations/advice-for-small-organi...
Read it all, and tell me its simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?
Imagine you're asked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.
So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.
You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.
So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That's was even less persuasive than I expected. BRB, gonna go tell tell Open Office and KDE they don't exist because Europe can't create software.
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own government's running on non US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwords.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Etc. Etc.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
Literally everything.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Here's a good primer: https://trustarc.com/resource/schrems-ii-decision-changed-pr...
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared defacto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
> If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation
There are only two possible interpretations of this sentence:
1. You have just confessed to a crime. Do your engineers store user data in Notion?
2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.
> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"
Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them. Doesn’t help to undermine my point that this has become a topic of religious dogma here.
No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).
So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?
> However, this generation is beginning to learn
"This generation" lol. I'm 45.
What I'm learning that this generation will find way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".
> clearer safe harbors for small actors
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
Not different rules for different people.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
This is different for different people said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
Corporations are not people. This is not different rules for different people.
In the traditionally implied sense of different rules for different social classes.
Because their conditions and abilities are different.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespct author rights and steal, or gather more private information about citizens?
Because quantity is a quality of its own.
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
>Different rules for different people huh?
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I wish you were right though.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
https://www.independent.co.uk/news/world/americas/asa-baker-...
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
> Different rules for different people huh?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Why did you use an LLM to write a comment?
In my case it is rarely that I use LLM to write comments but rather I frequently use an LLM on my finished comment to fix things I miss as a non native speaker.
The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.
But yes, it is possible to be very much human but also trigger certain peoples AI detectors.
What makes you think it's LLM generated?
colons and directional quotation marks scare folks who don't know how to use them properly
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
The structure of what it wrote, and the banality of the point.
The double quotes perhaps?
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
HAHAHAHA good joke. Oh wait. You're serious. Oh god please no.
We're already at the point where lawyers are submitting AI-generated videos as court evidence, so...
But 60% of the time, it works every time.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Finally!
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
Those “cookie banners” are nonsense aimed at getting this outcome.
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
See this article by GitHub about how they removed cookie banners: https://github.blog/news-insights/company-news/no-cookie-for...
When I open this link I'm greeted with the cookies banner
"We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services listed above will be used. You may change your selection on which cookies to accept by clicking "Manage Cookies" at the bottom of the page to change your selection. This selection is maintained for 180 days. Please review your selections regularly. "
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
The eu's maybe but for my government i have no banners.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
> billion trackers ... dark patterns
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
Again, then why does the EU do this? Clearly its not simply about erroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
> Besides, you seem to be confusing something.
No. You asked How can you comply with the current requirements without cookie banners? Not How can you have trackers and comply with the current requirements without cookie banners? And don't use dark patterns would have answered this question as well.
>No. You asked How can you comply with the current requirements without cookie banners?
Within the context of the discussion of if its malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of if its malicious compliance or a natural consequence of the law.
You ignored I said don't use dark patterns answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
[1] https://techgdpr.com/blog/data-protection-digest-3062025-the...
> Why would EU governments use cookie banners
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
you CAN use analytics! Just need to use first party analytics... it is not so hard to set up, there are many opensource self-hosted options.
I hate how everyone and their mother ships all my data to google and others just because they can.
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot less people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
> You need to identify the endpoint to deduplicate web page
You can deduplicate but you cannot store or transmit this identity information. The derived stats are fine as long as it’s aggregated in such a way that preserves anonymity
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesnt matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
No, those companies do not follow GDPR. They are testing how far they can go without triggering mass complaints etc.
See https://noyb.eu/en/where-did-all-reject-buttons-come
By not setting a cookie until the user does something active when I then tell them (say on “log in” or “add to basket”.
You don't need a cookie banner for authentication/shopping basket cookies, since these are essential.
However, you are still required to provide a list of essential cookies and their usage somewhere on the website.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GRPR. I'd think they would overlap a lot with people who actually read it.
I dont think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that its not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make theme illegal. Simply operating as normal plus new GDPR compliance clearly isnt malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that its not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And lets not get started on all the sites where the banner is just non-functional smoke screen.
Don’t track your site visitors.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
OK sounds great.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site onto itself is a first party tracker, but if your developers can't do it there are opensource solutions available to host.
Again, great. Didn't happen and isn't required by GDPR though.
Malicious compliance are those dark patterns where it takes on click to accept all but multiple clicks to reject all.
I remember the early day cookie banners of Tumbler accept all or deselect 200 tracking cookies by clicking each checkbox.
I could just as easily say don't send data you don't want tracked.
Can we get the do-not-track header instead?
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
Or a new, opt-in "Do-Track" that means consent to tracking, and anything else means tracking is not allowed. Why should it opt-out?
As long as there is Do-Not-Track as well, and companies must follow BOTH, this would be ok by me.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of what? Instead of the central browser controls?
>Instead of what?
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
This very article is about how we're getting a central browser control, and your comment was "can we finally get a central browser control instead?".
Well, it's a minor details hidden in the middle of the article, I also missed it.
But the person weberer replied to was quoting the exact place.
whoops, didn't read the entire quote ...
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rule people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would not actually not need any banners at all.
So they finally admit that it was a mistake.
Even EU government websites had annoying giant cookie banners.
Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
> Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at.
Server logs can provide this information.
Only in very simple ways.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things, problem is do we agree as society it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
Not for the amount of stuff on the web now that is client-side rendered.
Client side rendering means in practice clicking a product retrieves JSON and images instead of HTML and images. This can be logged.
Okay, and why do you need to share whatever info you collect with thousands of random data "partners" if it's just for you to keep track of whatever made up thing you say you need to track? Because in reality that's what GDPR exposed, that random ecomm website selling socks or whatever is sharing everything they know about you with a billion random companies for some unknowable reason.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
50 is not even close.
Those banners often list up to 3000 ”partners”.
The cookie law made this worse.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
uBlock blocks most of those for me lately.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... does a similar thing.
I use the first of those extensions, its the cookie whitelist one that no longer works for me.
There could be an extension to block the banners, too. I think uBO has a feature to block certain CSS classes?
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when i close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
You can just set your browser not to send whichever cookies you don't want to.
Cookies are a client-side technology.
Why does the government need to be involved?
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
You could try and read the law yourself. After all, it's only been 9 years.
It covers all data processing whether automatic or manual.
The law literally doesn't talk about cookies. Or any other ways of tracking. (well, it does. In the preamble. The regulation itself is tech agnostic)
It doesn't have to contain the word "cookies" to describe the way they operate.
Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
--- end quote ---
etc.
Not really, it disallows tracking even if you aren't storing anything (eg via fingerprinting):
https://gdpr.eu/cookies/
That link seems to say the opposite:
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client site anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
> Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client site anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
> The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the site I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read and on top the browser has a language preference : https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites require a language cookie for a not authenticated user.
> But one row before it mentions "such as accessing secure areas of the site."
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
> allow you to save your login if you come back later.
Again, is there any browser nowadays that doesn't save the login? I don't know any, personally but I do not know all of them. And if they are, how much market share they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookie (oh, maybe they think of the food! Yummy)
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Which is presumably the reason nobody uses Midori
I liked it. The reason I don't use it is because it doesn't support modern JS heavy websites.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
Cookies that keep you logged in or maintain a session don’t need consent
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
Of course, let ME decide if I want to keep fdfhfiudva=dsaafndsafndsoai and remove cindijcasndiuv=fwíáqfewjfoi. I know best what those cookies do!
Because it's not about cookies. Ad trackers shouldn't store my precise geolocation for 12 years for example: https://x.com/dmitriid/status/1817122117093056541
Cookie banners are made obtrusive by the people running CMPs as they want to make it as hard as possible to stop collecting the data
Funny thing is that I often will go out of my way to find the least permissive settings if the banner is obnoxious or has a dark pattern.
every accusation is a confession you see...
> if you don't do anything "bad" then you don't need the banners.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners“?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
worst implementation ever. I bet it is the reason that most people are now taking anti depressants.
Related ongoing thread:
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
The cookie thing sounds good at first but then it shows that they rant to reduce cookiewalls by making more things ok without asking :(
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the 'necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I'll keep blocking all ads and tracking anyway.
No, preferences are not strictly necessary, check https://gdpr.eu/cookies/
I would on the other hand ask if I should really set my "preferred language" on every device I log in ?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue was never the law.
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
A cookie is something that is sent to the server, by design - that's their whole point! So if the only part of your code that needs them lives on the client, cookies are the wrong mechanism for that - use localStorage instead.
> lets you set font size and dark/bright theme,
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
That's not true. You can use those cookies, you just need to explain them somewhere on the site. No opt in required.
I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g Google analytics) or putting actual personal data in them, you're generally fine without the banner.
Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway, I assumed that was the agreement between EU information officers)
I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all), check steam store for example their banner is non intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
0. https://guides.libraries.psu.edu/european-union/official-ser...
1. https://www.europarl.europa.eu/portal/en
2. https://www.consilium.europa.eu/en/
3. https://european-union.europa.eu/index_en
That is unfortunate, EU could well present itself as an example of how things can be done right. Unfortunately incompetence and/or indifference, plus lack of IT talent willing to work for the public sector is also a thing in politics. It's an opportunity lost for sure.
> "lawbreaking" (as defined by you)
What do you mean? The original post mention 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
> law wasn't poorly written, most websites just don't follow the law
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Most websites in the EU also aren't following the law.
people intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.
Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either
I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.
> Most websites do. not. need. cookies.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
Functional cookies are fine. Even analytics is fine if you're using your own (though said own analytics must also company with GDPR personal data retention rules).
What is not fine is giving away your users' personal data to pay for your analytics bill.
Non-risk cookies never required a banner.
I'm convinced there's a psyop on this site when it comes to GDPR, and I'm only half-joking. If people would bother to read those intrusive banners, they'd notice that their info is being harvested and shared with hundreds, even thousands of "partners". In what universe is this something we should be okay with? Why exactly does some random ecommerce site need to harvest my data and share it with a bajillion "partners" of theirs? Why are we okay with that?
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
jokes on them i never followed the law anyway
That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.
I will believe this when I see it.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
> Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.
I love how you can think about any of these ideas in a really basic way like a 5 year old and you'll know intuitively that it'll all fail, particularly if you invert it:
for example:
- bureaucracy creates less bureaucracy
- price controls create more supply
- adding more rules creates more freedom
- government is good at understanding technology
- the more people you have the better your decisions will be
- the further someone is from a problem, the better they can solve it
etc
Generally agree, except for point three.
- adding more rules creates more freedom. Imagine the US without a constitution. It’d be madness. In a lawless country, people would be less free to do things they actually want to do because they’re so occupied with just surviving.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
I don't want an internet designed by lawyers and politicians. And I'm afraid that's what this level of regulation and enforcement would create.
Right, because an internet designed by profit motive is going great
I kind of like it. I mean here we all are on it. And sites like HN can just be written by one person and put up by one person with no permissions. The alternative if the government controlled it would be something like the Apple app store where you have to pay a fee to maybe be allowed to do something.
No it would not. We're already in some alternative where the government says that you can't make a website to sell CSAM, for instance. And we all agree that this is a good thing.
The goal of regulations is to prevent undesirable behaviours by making it "too costly" to do. The goal is not to take 30% on every app sale.
The post I replied to was on an internet designed with a "profit motive". What you describe is still basically profit motive with laws to stop bad things. I'm not quite sure what you get if you removed the profit motive. Maybe the app store wasn't a good example. Maybe something like the BBC?
If it wasn't, you would see illegal adds all over the place. I mean you already do, but the "soft" ones.
Complaining about regulations as a concept is usually about forgetting those that work and seeing exclusively those that annoy you.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I don't want an internet designed by businessmen and advertisers, yet here we are.
"I don't want a society regulated by rules"
I m not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it ? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
Yes, that's what I meant.
Also businesses are not people. People may not do illegal things "just because they are illegal" or because they want to be "good" (e.g. I agree that we should not litter, I wouldn't even need a regulation for that).
Businesses are profit-maximising machines. If it it profitable to litter, a business will do it. The framework in which businesses maximise is set by regulations, which represent what society wants. That's how capitalism works.
The limit of capitalism is when businesses are more powerful than the entities in charge of enforcing the regulations. If "enforcing a regulation" means having lawyers work on it, but the businesses themselves have orders of magnitudes more lawyers trying to prevent those entities from doing their jobs, then we have a problem. That's a limit of capitalism, IMO.
The EU's own government websites are littered with cookie consent banners. They want the data too.
Again, because those entities ("EU", "governments") are made of many people. It's not one guy who says "this should be illegal, but I will put it on my website too".
Too late , and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
0. https://news.ycombinator.com/item?id=45970663
I know the HN rules say the title should not be changed, so its the article's fault, but the EU is NOT Europe.
They had enough time to push browser vendors to implement an API which allows the user to specify the preferences, so that the page queries the API, instead of the user.
This is a step back. All these years of clicking those banners is now for nothing.
As someone who had to implement GDPR, it would be really frustrating if all people thought it was was the banners (which I’m not even sure was GDPR).
While our company was very good at handling customer data already, it forced us to up even our game.
Other companies, however, were absolutely miserable at it.
GDPR has improved user privacy for the billion+ Internet users across the board, whether they are EU citizens or not, and most won’t even know about it.
Maybe that's just media consumption and reporting bias, but I feel like data leaks have been a lot rarer and less impactful in Europe in recent years compared to the US and based on that the scam/identity theft activity also less intense.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
What were they doing with user data?
Most are running ads and needs to track the performance of their ad spend I believe, at least that what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
How do I stop you from tracking this information about me?
Do not consent when asked or, better yet, do not use websites that implement these techniques.
So can’t abuse people’s data without their consent is being strangled?
Is that like I’m strangled with my start up of “cheapdvds.com” because I can’t sell someone else’s data?
You have a funny definition of the word “abuse,” and “sell.”
“25% of our users that arrived from the newest ad came from Facebook and 85% of those were mobile users.”
So abusive. So much selling.
And when someone visits your website, you don't tell anyone about their visit, right?
RIGHT?!
That's an egregiously poor faith interpretation of what they said.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so its harder to find plumbers to show your ads to. Less plumbers get to use your product as a result. So its just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
It does work, I have seen enormous and well designed tests to show it.
> GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
Good! I don't want ads to be a thing in the first place. It's a good thing that industry is being strangled by regulation.
Essentially all modern advertising is evil.
They are strangled by rules in using personal data on algorithmic advertismenet?
GOOD!
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
People are important, not the startups!
Sure and that's why EU now has the weakest tech sector of any service industry and have become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia and compared to them the EU is doing just fine
You’re comparing the tech sector of the EU to that of Africa?
No
Nice edit
Bad troll!
Sure but since the EU has destroyed it's own innovation so much soon you'll get no choice in the matter.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
Europe should make business registration a single one page one step operation first.
There are dozens of stories how registering a business alone can take several months and tons of paperwork.
Well, yes, Europe is after all a collection of 44 countries, with 27 of them being in the EU, and three EFTA countries. So you're dealing with that many different sets of laws.
Some countries are extremely strict, others are more lax. Where I live (Norway), starting a business is pretty easy and straightforward. Other countries, like Germany, are notoriously difficult from what I've read.
And again, some countries have very strict laws and guidelines you need to follow, once you've started a certain type of business. Where I live it is relatively easy to start a LLC, but you'll need to put some money into it, and you can easily get fined - or even face jail - if you don't follow the laws for accounting/auditing. It becomes problematic, quite fast, if there's no unified codes for these things, if everyone's going to be able to operate cross borders.
Not to mention all the other laws (consumer laws, etc.)
How is Europe, much less the EU, supposed to do that?
Registering a business in Estonia is famously relatively straightforward, while it is an absolute pain here in Germany. But business registration is the responsibility of the countries themselves and it should remain that way
There's the idea of creating a so-called 28th regime under which a streamlined registration process would allow the creation of business entities in all EU countries. See: https://www.eu-inc.org/ - https://en.wikipedia.org/wiki/28th_regime
how realistic is it that it will be implemented? Sounds more like wishful thinking at the moment.
In Sweden and Netherlands it is quite easy and straightforward to register a business, speaking from personal experience. Tax filing is quite straightforward as well, especially for personal income tax.
Starting a company in Sweden requires (uploaded PDF from Bolagsverket to ChatGPT who summarized):
1. Prepare the foundation deed and the articles of association. 2. Identify the beneficial owner(s). 3. Pay the share capital and obtain the bank certificate or auditor’s statement. 4. Submit the registration application for the limited company to the Swedish Companies Registration Office (Bolagsverket) and wait for approval. 5. If applicable: submit a certified copy of your passport (non-Swedish citizens). 6. Apply for F-tax approval and VAT registration and wait for the decision. 7. Register as an employer if you will pay salaries. 8. Keep continuous bookkeeping and prepare the annual accounts each financial year. 9. Submit the annual report to Bolagsverket every year.
Optional:
1. Obtain business and personal insurance. 2. Register trademarks or protect other intellectual property. 3. Choose an auditor if you want one or when the company later reaches the required thresholds. 4. Register a cash register if you accept cash or card payments. 5. Meet requirements for import/export and obtain an EORI number. 6. Follow rules for buying/selling goods or services within or outside the EU. 7. Keep a staff ledger if required for your industry. 8. Follow reverse-charge VAT rules if you operate in construction. 9. Apply for permits if your specific business activity requires them.
This is not what I'd call a straightforward process, personally. Also speaking from personal experience. Sorry for the formatting.
Are you implying that there is a country somewhere you don't have to "keep bookkeeping and prepare annual accounts"? Sounds like bog standard things.
No, that's not what I'm implying. I'm saying that it's needlessly complicated.
> This is not what I'd call a straightforward process, personally.
It's a (check)list....what could be more straightforward?
I guess it depends what we mean with straightforward. If we mean something along the lines of "no ambiguity" then yes. If we mean something along the lines of "simple, easy to do" then no. Almost anything can be accomplished with a sufficiently long checklist. I just feel like the entire process could be streamlined and simplified.
> There are dozens of stories how registering a business alone can take several months and tons of paperwork.
What does this even mean? You have examples from ALL of Europe? Each country has its own process, and at least in "my" country it is very easy.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
> to blocking self-driving cars.
This part seems mis-informed.
https://www.arenaev.com/mercedes_gets_level_3_autonomous_dri...
https://www.arenaev.com/bmw_ix3_gets_handsoff_motorway_assis...
European cars from almost every brand, already have emergency braking, adaptive cruise control, lane keeping, lane switching, etc., which get us 70% of the way there in terms of road safety.
I don't want to be experimented on by companies like Tesla:
Let them kill US citizens and keep lying and hiding things:
https://www.arenaev.com/tesla_robotaxi_troubles_grow_with_se...
> Understanding exactly whose fault these crashes are is tricky because of how Tesla fills out its forms. Automakers must send reports to the National Highway Traffic Safety Administration (NHTSA). Most companies explain the crash in a written section called the narrative. This narrative tells the public whether another driver ran a red light or if the computer made a mistake.
> Tesla chooses to block out this information and redacts the narrative section entirely. This prevents the public from knowing the truth, but it is entirely legal, even if it frustrates data analysts. Without the story, nobody knows if the Robotaxi caused the crash or if it was a victim. Fans of the brand often argue that other drivers cause these wrecks. That might be true. But since the company hides the proof, nobody can say for sure. Other autonomous companies like Waymo share these details openly.
Poor Europe - lobbyists make sure that Europe stays weak.
That statement includes Ursula by the way.
Lobbyists make sure that ~~Europe~~ the world stays weak.
They need more strict financial regulation than politicians do!
The current situation of having enough rules and regulations that all the AI companies set up in other countries is going great eh?
You can't build large ML models without swaths of data, and GDPR is the antitheses of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
The GDPR is about protecting personal data, what personal data could you possibly need to train an AI model?
Let's turn that around. What personal data wouldn't help train an AI model?
> The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval...
Not a done deal.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
They seem to be reporting on two drafts that were leaked by Netzpolitik.
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
https://ec.europa.eu/transparency/documents-register/detail?...
https://ec.europa.eu/transparency/documents-register/detail?...
They can be downloaded here: https://digital-strategy.ec.europa.eu/en/library/digital-omn...
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
What exactly did you see about cucumbers?
They scrapped it actually but this law used to be the main example for overbearing EU bureaucracy
https://www.theguardian.com/lifeandstyle/wordofmouth/2008/no...
He actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem woth mandating truth in advertising.
So they've missed the innovation train due to regulation, and now they are likely to axe the side-effect benefit of said regulation.
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more sucessful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place. People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non essential use illegale.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
I have mixed feelings about this one. While I was never too excited about some of the unintended consequences of GDPR. That said, I do see benefit of the EU being the world's regulator on these types of things. I don't have confidence that anyone else would do it if the EU didn't. Even for those of us that don't live in the EU (I am in the US myself), I do feel like the EU plays the role of keeping things in check for the rest of us even if we are directly impacted by their regulations.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
> All consuming vague regulations like GDPR increase the cost of a startup by 500%.
Source?
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have it's own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
Europe having its own Microsoft might be better than Europe having to use the US one and sending it like $100/user/yr in whatever subscription they've tricked them into.
Europe doesn't have to use the US one. It's been the easier choice historically, but there's little beyond inertia forcing Europe to stick to Microsoft. Not that that inertia isn't nothing though.
Europe does have Microsoft. Actually, it has Microsoft in almost every single respect except the primary beneficial ones: taxes, employment and oversight.
Yes, and I wish we'd give them the boot for not following the relevant regulations.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at-least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that what EU in general kinda knows that for various they won't be able to make their version of money machine big tech. So why not to try different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobby that want's to exploit them.
But if you ask anyone in europe on the street they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
Is this one of the initiatives to start syncing with the new 28th regime?
https://en.wikipedia.org/wiki/28th_regime
> Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
For 'central browser control', what is technically mechanism behind this? Is it something like an entirely new request header sent by the browser? Or re-using some existing RFC? Also curious if the regulation will compel browsers to implement this or something.
Managing cookie permissions at the browser level always made the most sense, but implementing it with regulation is what seems hard.
Europe is also introducing Chat Control so that might be why they are moving back.
Wasn't that put on hold?
Here's a story about how the mere perception of "regulations exist and are strict" is dragging down my european AI start-up:
Our product makes it easy to capture and share knowledge on the factory floor, which is very important when many of your workers about to retire. Interest is enormous. It is a simple SaaS. You'd think selling would be easy. And it is: In the USA. In Europe the mere existence of the regulations (not what's in them) delays us by 6 months at least per deal.
No european executive really understands what is in the GDPR, and eventhough we are 100% compliant, there is nothing we can do to take away this fear. This means that when we talk to European companies, IT and Legal departments always have to be closely involved, leading to all sorts of political games; each department conjures up non-existing risk by talking vaguely about data privacy, just so they appear important. Half a year later when the dust has settled, the executive buys the product, or their mind has moved to other things.
My point is this: What is in the laws is not important to me. What is important is that current perception of laws turn companies into slugs. I want us to mentally move back to 2018 where we could "just buy SaaS" without worrying endlessly about data privacy. I understand hesitency when it comes to cyber security, but that is not what is slowing us down.
One of our workarounds currently is simply never to mention we use AI.
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I don't see how training an LLM has anything to do with privacy laws.
It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society are NOT negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs are as real as the companies like to claim, there is enough data on the internet to train LLMs while paying for proper royalty for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
It's gonna take a decade to roll down all those cookie banners.
What data are cookies providing that browser fingerprinting can't?
From what I can tell, we have to click all these pop ups for no reason at all.
The llm answer to this was clarifying. Thanks for bringing up the q.
I wish there was a link to the source of this information in the article! I'd like to read the updated version of these laws (if they're public).
The news feels bittersweet. With 10+ of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
Are cookie banners going away anytime soon? There is no law more ‘European’ than this one.
It's perhaps worth linking to the official EC page on this proposal: https://digital-strategy.ec.europa.eu/en/faqs/digital-packag...
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
What constitutes data about people?
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
You're being deceptively dense.
PII has a very clear definition. Posts on a public forum are not part of it.
> PII has a very clear definition.
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
I wonder if Apple holding back features helped the EU realize that hey, maybe the regulations are getting too onerous. I like to think so.
So no more cookie banners taking up half the screen of every website I load?! Great!
From Europe, I agree with big tech getting it. But i dont agree with random flower shop somewhere getting fined because they dont know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also dont agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you dont provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result
And this is just one of its contradictions. The more you dive, the more convoluted it gets. Its a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
> The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant
It absolutely isn't. I set up a blog for a friend where she shows her art and publishes an appearances itinerary/schedule. It doesn't collect ANY info from visitors, therefore requires no cookie banner at all. Simple as that.
HTTP logs are retained for 7 days for security analysis and then wiped. No analytics available, although my understanding is that a self-hosted Matomo instance set to anonymize the last 2 IP bytes of every logline it ingests would still be considered exempt from a banner.
Is this related to the upcoming EU-Inc initiatives next year?
What about GDPR is "scaling back"?
Related:
Europe's cookie nightmare is crumbling. EC wants preference at browser level
https://news.ycombinator.com/item?id=45979527
> European Commission wants browsers to manage cookie preferences instead of pop-ups on every website.
Better late than never, but it's insane it took them almost a decade to figure this out.
People here act as if GDPR was some kind of big reason why all the digital tech is from US. But come on it's not like the game hasn't been rigged forever. To be more specific it's been part of the deal with europe being close US ally. None of the european digital tech is ever supposed to be relevant. And in case some european digital tech is relevant it has to be absorbed by US or at least made to look irrelevant so nobody sees or cares about it.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help US in time when it needs it. To allow some US big tech software to sweep in exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in europe... it's doing fine. Why? Because making software and compute is cheaper every year to a point of nothing. It's hard keep insane growth in that environment. Sure if you make some unique breakthrough (like AGI) then tech keep going again. But what if not? Then you just have to squeeze everyone more including your allies, especially your allies.
The cookie banner is the superficial part. The meat of it is how user data is collected or not and stored or not. Rolling this back would be a catastrophic defeat. Perhaps if there were an automatic cookie preference browser API that could automate the user experience it would be better for users.
Anonymization unfortunately is completely broken under GDPR. In principle it providesa clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established even considering the person doing the anonymization. Consider a clincial study on 100 patients and their some diagnostic parameter such as creatinine or H1bc which was legally collected using consent and everything. Lets assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test if anybody using reasonable efforts could re-establish an identity. And sure the original researcher can because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
You should probably look into pseudononymization in your case, not actual anonymization. Look into C‑413/23 P in more detail to see if it's applicable in your situation, it's essentially the first case law around it. You probably do need some extra controls (like contract that the data is not shared) just in case to avoid the data coming in hands of someone else who could identify the people depending on how detailed the data is.
But that extra click to read any webpage was keeping me safe
Remember that at its core GDPR was to harmonize privacy laws around the EU to ease the transfer of data between those countries.
This sounds interesting and all but I'd like a more technically informed source than The Verge to judge whether the headline is accurate:
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
That's nonsensical. The GDPR doesn't require "cookie banners and pop-ups". Obtaining consent for things you can't do without consent does - if you insist on handling it that way. And "'non-risk' cookies", i.e. technical cookies required to fulfil the functionality requested by the user (e.g. maintain a login session) definitionally don't require consent and thus no "pop-up" or "banner". So what is the actual change here?
Does this mean fewer less-annoying cookie pop ups?
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
Can you point to any of these guides?
In our case we were working on a Dutch project so we used this; AVG is the GDPR implementation for the Netherlands:
https://ictrecht.shop/en/products/handboek-avg-compliance-in...
Imagine the useful, user friendly, well designed features when business had a big incentive to push privacy
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
Big players don't want this either, we rely on open source software and frequently contribute back
This is just another dumb EU reg that hurts everyone
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
Previously:
European Commission plans “digital omnibus” package to simplify its tech laws
https://news.ycombinator.com/item?id=45878311
EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?
Yes. This is their public roadmap.
The CBDC, the “Digital Euro”, will be nail in the coffin.
In Italy they’re pretty advanced with the Digital ID, for example.
Let me steelman the new proposal a little bit:
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
> The new proposal which suggests that pseudonymized data is not always PII is a different thing.
This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In case of IP address the answer is almost always yes since the recipient could ask competent authority to unmask the IP address if there is crime involved. That was the exact reasoning provided in the Breyer case.
In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to real person so it was determined that it's not PII from recipient's POV but it was from the data controller's.
One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.
There are lots of principled arguments about privacy versus growth versus monopoly here. But the reality is: for 95% of people in the EU (or the UK), their only direct experience of GDPR is the cookie banner. They aren't going to understand your subtle arguments about whose fault it is; they know that GDPR came along and they had to click on cookie banners. And they (and I) absolutely hate it.
The issue isn’t too much regulation. It’s that an organization such as eu cannot adapt
Big mistake
...the companies will be very pleased.
> if the development of the GDPR and AI Act are anything to go by, a political and lobbying firestorm is on its way.
No doubt that now the flood gates are open, powerful interests will do everything they can to water down the protections even more. This is already bad enough as it is.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"
https://www.youtube.com/watch?v=Xpo2-nVc27I
Cowards.
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDRP
Is that why most of the EU governmental websites have the same cookie pop up banners?
Lack of product ownership and cargo cult developers.
Legislation can’t change culture.
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
This is what infuriates me with people that knock GDPR. They simply don't understand it's prime purpose: creation of a legally enforceable audit chain of data ownership. This is a prerequisite if you want to enforce how people's data is used and shared amongst private entities.
Far less than 1% of people would care about either.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
But far more than 1% are harmed by it.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?
Many of the people who "don't care" don't know. Once you inform people about how much data meta has on them, for example, many of them do in fact care and they are in fact disturbed by it.
Now, they tend to continue to use meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
It is a government who says that…
They are quite unwise to do so.
EU's citizens are ripe for the taking. GAFAM, Palantir & co are going for the kill (we hope not like in Gaza)
The AI bubble is so big at this point that this just feels like coercion/bribery induced.
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
I'm sure capitulation will teach the surveillance racket a strong lesson.
Hold the line. Don't make the same mistake we did in the US. Your data is your data.
That is too bad, I had hope in this case regular people would win and get privacy we deserve. But as always big money wins, it just takes time.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
Is EU suffering from FOMO?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
Start?
I stand corrected. :D
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
> We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy.
That's an odd way to say EU regulations....
Shameful decision, caving to foreign capital interests.
Do better, EU.
The EU should pass a Foreign Lobbying Ban Act.
For example, if you are a french company with american shareholders, you can't lobby the EU.
I see the tech bros finally figured out who they needed to bribe.
the consequences of their laws is pushing their hands
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
That was already the case for the majority of domains.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
I for one like it to be able to post stuff on my website without the risk of someone sending me pizza or swat teams to my home address...
Given that they were largely ignored anyways, who cares? Laws have become almost meaningless, in a world where power lies within companies and not governments or the public, which anyways has been trained to either act against their own interest or disillusioned enough to largely don't care.
The only space where there's still laws from people is in the social media world, where the outcome are laws that don't change the life of anything but make you feel good. Eg. minorities, women, etc. still have low income, bad life outlook, etc., but hey now you need to clearly state that the programmer job is also for women and trans people. Assholes can be assholes as long as they use the right pronoun, whole industries thriving on lowering the baseline (delivery, etc.) of what humane treatment at a workplace is celebrate and pinkwashing. Everyone is "happy".
Also on the ecological side. Laws that that would change something fail, but everything that can be exploited in terms of taxation passes - seriously look at summaries on voting on directives. It's completely split at this line, and all the "liberals" celebrate how great they are for driving essentially tax funded electric cars.
It's no surprise that companies reacted by making the most obnoxious cookie banners instead of removing the need to having those in first place (fun fact: you do NOT need those for cookies at all). Whenever you read a "We care about your privacy" that is an outright lie. If they even remotely did there would be no need to have such banners. Even for much of the more shady stuff you don't need to. And still most companies don't even adhere to the GDPR. They just have a meeting do pick some pieces and forget about it.
Democracies sadly have become a real farce. I think the world has over-optimized for it, companies have "min-maxed" for the current set of laws and now well intended laws are effectively meaningless, cause smart people came up with nice hacks to not really have to care about it. It's just like a video game, where people realize that your skill set is nice, but you can just max out DPS and bring along a tank, where you realize and realize that the debuff on your armor doesn't matter if it doesn't hit you and where the penalty on item costs is meaningless because you don't know where to put your money anyways.
And honestly, finding such strategies to optimize for "just not breaking the law" or getting around it entirely is extremely fun, compared to all the boring work at a job.
What people used to call "honest work" just doesn't work outside of very localized and small scale setting, and even there it's hard. To compare with video games again, it's like all the "soloing is possible" and yeah sure, sometimes it works, but if the big guys decide to crush you they will. So best to join up with them which is exactly what is happening.
We also see that in other laws. Monopolies are forbidden? Well either keep at least one competitor alive (iOS vs Android, AMD and Intel, etc.) or make a cartel, even a completely passive one where you just do "market analysis" to have a similar price. If your competitor raises prices, it is your job to adapt your prices to increase profits. If your competitors use cheaper materials, etc. it's the same. You never ever need to interact with your competitors.
Working together in one way or another is what made humans really productive, it works well for companies, yet somehow there is that believe that magically this won't happen and instead it's all fierce competition, which is ridiculous when the biggest threat to large successful companies is literally the market changing. So they just take safe bets and buy all the smaller largely already working products and call it innovation on their side.
It's a good, smart, reasonable strategy. But it's also very obviously not as intended.
The thing is that big surprise, it's the same for privacy protection laws. Companies don't care about your privacy at all and most people are in fact ordered to store data just to have it. They make sure it's annoying so both to make you accept them and to complain about the law. It's a real farce to think that somehow people, governments, etc. think that companies (at large) are nice and just want you, the world and everyone to be good and happy. It is baffling that people really believe that and somehow always think their favorite brand is magically different, because they met a nice lad working there in marketing.
Well, that's a bummer.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
Yet again, European countries are showing who their leaders are: US Big Tech
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens
GDPR was never about privacy, but to legitimise data trade. It was two step process - first train people to Agree to anything by introducing "harmless" Cookie Law, then once people just click Agree to anything, create legal basis for data trade, where it is no longer a grey area as most users give consent. With Chat Controls coming back, never assume EU is doing anything for the benefit of general public. What is particularly bad, is that they are not honest about it, just keep gaslighting.
This is kind of my take. I can't believe the outcome where most people just click "agree" to explicitly opt in to tracking was some kind of unforseen mistake.
GDPR doesn't really work as you describe. Under GDPR data is a liability.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the Eu courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
> The EU folds under Big Tech’s pressure.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
>acutely feeling the pain of having no big tech companies
That's good, there should be no big tech companies like FAANG at all. These monstrosities wield to much power and need to be brought in line.
> due in part to burdensome privacy regulations.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
I think this is a very rosy framing.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
If I sign up your company I can opt into that personalisation at signup time.
You have no business stealing my personal data until we enter an equal agreement.
This notion that tech companies or even internet companies somehow fundamentally rely on PII is false and just an indicator of how normalized we've let unbounded and needless data collection become.
There are tons of business that can run without collecting any or extremely minimal PII. We already let the big companies take this data unnecessarily, let's not also let them brainwash us all into thinking unfettered surveillance is somehow essential to building a software business.
The EU is not folding. The article is two facts surrounded by a huge ball of propaganda.
europe got stuck in the old world, they will never have tech companies.
This is criminal.
How so? Like, figuratively, as-in outrageous?
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I assume you mean the AI related stuff?
It was never required to show a pop-up for essential cookies.
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
I used to live and work in EU, get out of EU before it is too late.
like UK, you mean? boy that did really work out well for them!
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
The UK was known for bureaucracy even before they joined the EU. The idea that the red tape would vanish was always silly.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[1] Western, Educated, Industrialized, Rich, Democratic
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
Watch out for French government bonds (10yr), France will be the next before 2030.
I did the opposite, I moved to the EU before it is too late.
It's the only power left that stands for rule of law.
Wow. Powerful statement. I suppose other places are probably scaling back GDPR and relaxing AI laws, unlike the glorious EU?
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
Europe learn the hard way that you cant have a cake and eat it too
EU citizens: WE DEMAND XYZ PROTECTIONS
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
Who demanded cookie banners?
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.
This is a general approach applied also to the population.
In Europe there is a particular concept of freedom.