I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution.
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for its hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in its own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a 45% tariff on manufactured goods and a 110% tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a Chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think there's a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activity? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
> I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
I could have chosen anything, you choose and do it. He didn't say anything at all.
"I no longer consider these issues to be black and white [riffing on another comment], I now see it more nuanced, where some things need more of something and others need less of that thing. Deep, no?"
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
With many "cookie" banners you're agreeing to much more than session state being stored locally on your device. You're agreeing to your device being fingerprinted and that information stored on the company's servers, shared with others, and connected with other data others might have about you, creating a fairly complete picture of your online life, including what you do in private mode.
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
Implied consent is valid for most functionality, just not selling people's tracking data or giving it to a third party who could.
It's entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
Arguably, if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably; it would still need to be adjudicated.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much more strictly, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the "Decline Cookies" dialog under 3 layers of clicks. That's a proactive choice, that some software developer chose to implement.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
Someone coded it once, everyone else just adds another dependency that fulfills the spec. They don't even have to search for "dark patterns", just "most effective".
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains, like in generative AI, is a blessing rather than a curse.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason why things work.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (they just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site.
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there is a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
Edit: a (vs. the) school of thought is more accurate.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
The reasonable position is that the state exists to propagate and protect itself, which is made up of its citizens, you included. This is just like any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
In a democracy, the government is its citizens. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman.
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client AI push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come.
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a Faustian bargain.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
In the last few years I think sentiment on Hacker News has shifted from libertarian-leaning to much more left-leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy for Civilization is to maximise freedom for everyone, as freedom enables enlightenment and enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And providing an economic system where risks can be taken, enabled by a social net (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam), but bring up any topic that is neutral to popular (VR, autonomous driving, LLMs) and people are the first to come out as Luddites.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook, for example, sounds dystopic, knowing the power that lies in personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic, like VR, seem kinda unnecessary when compared to the very tangible benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
Your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago; here's a link (many on HN complain that this is NSFW: https://cdn.jwz.org/images/2024/hn.png. Since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message).
The thing that has actually changed since jwz's disgust is that the site is now flooded by socialism, the antithesis of get-rich enthusiasm.
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it's literally a choice between that "lens of curiosity" and their families' lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can't understand that, or feel safe in the idea that "they won't come for me".
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didn't the judge rule literally yesterday that this wasn't illegal? This was one of Lina Khan's signature lawsuits, and the judge didn't agree with even a single one of the FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties, and if the people in power don't want any monopoly laws, then there won't be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
It is actually a monumental case ruling, and for some reason it wasn't reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta).
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low-cost airline carrier. And killed iRobot to let Roborock, a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
Just to be clear, when you say Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
Nothing's been officially published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate; however, if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views is not equal, in the sense that there isn't an equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that people who are temporarily embarrassed monopolists have these views.
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. TikTok took off with ByteDance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
Well yeah, the GDPR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major company's website I visit. An option that was near non-existent before GDPR.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because users' data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GDPR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice; that is the core of a free market. It might seem counterintuitive, but regulations that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered.
Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle.
They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore; you just need to feed ChatGPT the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I often don't want to store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners").
While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
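As an added example (not part of any comment above, and not code from any browser vendor or advertiser), here is how a server can read the three-state DNT header and the newer Sec-GPC header, together with a small model of the default-on versus default-off ambiguity the two comments above describe. The user-agent model is an assumption: like shipping browsers of the DNT era, it never sends "DNT: 0", so opting in looks the same on the wire as never touching the setting.

```javascript
// Added example: interpreting tracking-preference request headers on a server,
// and modelling the default-on vs default-off ambiguity discussed above.
// Assumes headers arrive as a plain object with lower-cased names, as Node's
// http.IncomingMessage.headers provides.

// DNT has three states: "1" (do not track), "0" (tracking allowed), absent
// (no preference expressed). Sec-GPC (Global Privacy Control) only defines
// "1"; any other value is treated as absent. GPC is checked first because it
// is the newer signal and only ever expresses an opt-out.
function trackingPreference(headers) {
  if (headers['sec-gpc'] === '1') return 'opt-out';
  const dnt = headers['dnt'];
  if (dnt === '1') return 'opt-out';
  if (dnt === '0') return 'opt-in';
  return 'no-preference';
}

// Server-side decision for non-essential tracking. An expressed preference
// always wins; only the silent case falls back to the site's own policy.
function mayTrack(headers, policy) {
  switch (trackingPreference(headers)) {
    case 'opt-out': return false;
    case 'opt-in': return true;
    default: return policy.defaultWhenSilent === 'track';
  }
}

// A model of the user agent (assumption, not any real browser's code): it
// never sends "DNT: 0", so an explicit opt-in leaves the header out.
//   choice: 'opt-out' | 'opt-in' | 'silent' (user never touched the setting)
//   defaultOn: whether the browser sends DNT: 1 for users who chose nothing
function headersFromUserAgent(choice, defaultOn) {
  if (choice === 'opt-out') return { dnt: '1' };
  if (choice === 'silent' && defaultOn) return { dnt: '1' };
  return {};
}

// Group the three user states by the wire representation the server sees.
// Whichever default the browser picks, two states share one representation;
// the default only decides which two collapse together.
function ambiguityReport(defaultOn) {
  const groups = {};
  for (const choice of ['opt-out', 'opt-in', 'silent']) {
    const wire = JSON.stringify(headersFromUserAgent(choice, defaultOn));
    (groups[wire] = groups[wire] || []).push(choice);
  }
  return groups;
}

// Human-readable summary for a stand-alone run.
function demo() {
  return [
    'default off: ' + JSON.stringify(ambiguityReport(false)),
    'default on : ' + JSON.stringify(ambiguityReport(true)),
    'GPC request may track? ' +
      mayTrack({ 'sec-gpc': '1' }, { defaultWhenSilent: 'track' }),
  ].join('\n');
}
```

With the default off, `opt-in` and `silent` both arrive as an empty header set; with the default on, `opt-out` and `silent` both arrive as `DNT: 1`. Either way the server sees two groups, which is why a site policy for the silent case is unavoidable.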
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
It's not just cookies and websites, it's any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist you could be responsible custodians?
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own governments running on non-US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwards.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything)"). They might be very reasonable, but it seems we miss the point if we don't talk in a bit more detail.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared de facto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit by watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe.
> I don't see anything about GDPR that would harm innovation or long-term success for Europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens?
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
That’s how an efficient market works. The bigger the players, the higher the chances they will distort the market. You need to apply force proportional to size to return the market to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I'm not sure how you got to this conclusion. The answer is a simple Google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine; just put a disclaimer somewhere in the footer and explain that those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
Again, then why does the EU do this? Clearly it's not simply about eroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because it's annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
No. You asked "How can you comply with the current requirements without cookie banners?" Not "How can you have trackers and comply with the current requirements without cookie banners?" And "don't use dark patterns" would have answered this question as well.
> No. You asked "How can you comply with the current requirements without cookie banners?"
Within the context of the discussion of whether it's malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using fewer cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of whether it's malicious compliance or a natural consequence of the law.
You ignored that I said "don't use dark patterns" answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using fewer cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were in fact ruled not to be compliant.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. The EU is catching flak because it's extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot fewer people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesn't matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GDPR. I'd think they would overlap a lot with people who actually read it.
I don't think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that it's not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make them illegal. Simply operating as normal plus new GDPR compliance clearly isn't malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that it's not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And let's not get started on all the sites where the banner is just a non-functional smoke screen.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers). Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site unto itself is a first party tracker, but if your developers can't do it there are open-source solutions available to host.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rile people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would actually not need any banners at all.
> Yet, somehow the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things; the problem is whether we agree as a society that it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the thing and am still bombarded with the ad for the same thing.
But data collection can be used for far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when I close the tab.
The problem with uBlock etc. is that just blocking breaks quite a lot of sites.
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client side anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in on.
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the 'necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I would on the other hand ask if I should really set my "preferred language" on every device I log in on?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
The issue was the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with a cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner either. ONLY if I shared the info with a third party. The rules are simple yet the ways people bend them are very creative.
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all). Check the Steam store for example: their banner is non-intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
What do you mean? The original post mentions 1000 cookies and no button to reject them. The sites you mention do have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I'm not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect, which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
Most are running ads and need to track the performance of their ad spend, I believe; at least that's what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU-based plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for a fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all of this is for others' benefit, with no or marginal benefit for me in the overwhelming majority of cases.
If startups cannot do it properly, then they should not do it at all! They must spend on handling personal data well if they want to handle personal data at all! There are more than enough already and most just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people; people are increasingly reluctant to share because of the many abuses and actual damage caused by misuse of personal data.
Sure, and that's why the EU now has the weakest tech sector of any service industry and has become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, the UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia, and compared to them the EU is doing just fine.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
You can't build large ML models without swaths of data, and GDPR is the antithesis of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
Too late, and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws, which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process-oriented, feels-over-reals environment is not attractive to competitive business.
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more successful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place? People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non-essential use illegal.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
The actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I'd simply order an "any shaped" one.
I don't see a problem with mandating truth in advertising.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer to verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have its own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at-least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that the EU in general kinda knows that for various reasons they won't be able to make their version of the money-machine big tech. So why not try a different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobbies that want to exploit them.
But if you ask anyone in Europe on the street they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society is NOT a negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs is as real as the companies like to claim, there is enough data on the internet to train LLMs while paying proper royalties for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
People here act as if GDPR was some kind of big reason why all the digital tech is from the US. But come on, it's not like the game hasn't been rigged forever. To be more specific, it's been part of the deal with Europe being a close US ally. None of the European digital tech is ever supposed to be relevant. And in case some European digital tech is relevant, it has to be absorbed by the US or at least made to look irrelevant so nobody sees or cares about it.
If anything this recent lobby and political pressure to remove GDPR/AI laws is there to help the US at a time when it needs it. To allow some US big tech software to sweep in, exploit what they can and help to keep the line up as much as possible.
But if you really look at digital tech in Europe... it's doing fine. Why? Because making software and compute is cheaper every year to the point of nothing. It's hard to keep insane growth in that environment. Sure, if you make some unique breakthrough (like AGI) then tech keeps going again. But what if not? Then you just have to squeeze everyone more, including your allies, especially your allies.
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
The news feels bittersweet. With 10+ years of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
Anonymization unfortunately is completely broken under GDPR. In principle it provides a clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established, even considering the person doing the anonymization. Consider a clinical study on 100 patients and some diagnostic parameter of theirs, such as creatinine or HbA1c, which was legally collected using consent and everything. Let's assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would apply a simple test: could anybody using reasonable efforts re-establish an identity? And sure, the original researcher can, because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
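Three comments in this thread circle the same mechanism: the merch store sharing "customer-1234"-style identifiers with a supplier, the remark that a hashed social security number is easy to break, and the clinical-study point above that whoever keeps the mapping can always re-establish identity. The following is an added illustration, not code from any regulation text or real store, using constructed orders and a constructed key; it shows that an unkeyed hash of a low-entropy identifier is recoverable by enumeration, that a keyed pseudonym is not recoverable without the key, and that the party holding the key still re-links every record.

```python
"""Plain hashes, keyed pseudonyms and re-linking (added illustration)."""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed orders, keyed by a 9-digit numeric customer ID.
ORDERS: List[Dict[str, str]] = [
    {"customer_id": "000012345", "size": "M", "colour": "black"},
    {"customer_id": "000054321", "size": "XL", "colour": "red"},
    {"customer_id": "000012345", "size": "M", "colour": "white"},
]

# Enumeration bound for the demo. A full 9-digit space (1e9) is only about
# 2^30 guesses, still trivial against an unkeyed hash.
DEMO_ID_SPACE = 100_000


def plain_hash(customer_id: str) -> str:
    """Unkeyed SHA-256: the same ID always gives the same, guessable digest."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def pseudonymise(customer_id: str, key: bytes) -> str:
    """Keyed HMAC pseudonym: stable per customer, not guessable without the key."""
    tag = hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"customer-{tag}"


def reverse_by_enumeration(target: str, fn: Callable[[str], str],
                           id_space: int = DEMO_ID_SPACE) -> Optional[str]:
    """Try every ID in the space; return the one whose fn() output matches."""
    for n in range(id_space):
        candidate = f"{n:09d}"
        if fn(candidate) == target:
            return candidate
    return None


def share_with_supplier(orders: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """The supplier's view: pseudonym plus size/colour, no direct identifier."""
    return [
        {"customer": pseudonymise(o["customer_id"], key),
         "size": o["size"], "colour": o["colour"]}
        for o in orders
    ]


def relink(shared: List[Dict[str, str]], orders: List[Dict[str, str]],
           key: bytes) -> List[str]:
    """The controller holds the key (the 'master file'), so it maps back to IDs."""
    table = {pseudonymise(o["customer_id"], key): o["customer_id"] for o in orders}
    return [table[row["customer"]] for row in shared]


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    digest = plain_hash("000012345")
    print("plain hash reversed to:", reverse_by_enumeration(digest, plain_hash))
    shared = share_with_supplier(ORDERS, key)
    print("supplier sees:", shared)
    guess = reverse_by_enumeration(shared[0]["customer"],
                                   lambda c: pseudonymise(c, b"wrong-key"))
    print("supplier guessing without the key:", guess)
    print("controller relinks:", relink(shared, ORDERS, key))
```

The supplier can still see that rows 1 and 3 belong to the same customer, because the pseudonym is stable; that is what makes the data useful for sizing and also what makes it pseudonymous rather than anonymous. The store, holding the key, re-links everything, which is exactly the position of the researcher with the master file.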
From Europe, I agree with big tech getting it. But I don't agree with a random flower shop somewhere getting fined because they don't know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also don't agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop-up, but penalizes you if the user actually uses it to accept cookies, because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you don't provide the easy 'Accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didn't make the user approve each cookie one by one.
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop-up, you are still in violation because it's not easy and your easy 'Accept' button is meaningless as a result.
And this is just one of its contradictions. The more you dive, the more convoluted it gets. It's a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They aren't getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
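What "actually respect the Do Not Track header" looks like on the server side, for this comment and the earlier one suggesting fines for anyone who ignores the do-not-track / Global Privacy Control headers. This is an added illustration, not code from any site or from the regulation text. It assumes a request handler that receives headers as a dict and parsed cookies as a dict; the header names are the real ones (`Sec-GPC: 1` from the GPC specification, `DNT: 1`), while the precedence rule that a browser signal overrides a stored opt-in, and the cookie category names, are this example's own choices.

```python
"""Honouring browser privacy signals before setting cookies (added illustration)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

ESSENTIAL = {"session", "csrf"}       # needed to make the site work at all
NON_ESSENTIAL = {"analytics", "ads"}  # only with an explicit opt-in


@dataclass(frozen=True)
class Decision:
    allow_non_essential: bool
    reason: str


def resolve_consent(headers: Dict[str, str], cookies: Dict[str, str]) -> Decision:
    """Browser signal first, then any stored answer, then a default of reject."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("sec-gpc") == "1":
        return Decision(False, "Sec-GPC signal")
    if h.get("dnt") == "1":
        return Decision(False, "DNT signal")
    stored = cookies.get("consent")           # "all", "essential" or absent
    if stored == "all":
        return Decision(True, "stored opt-in")
    if stored == "essential":
        return Decision(False, "stored opt-out")
    return Decision(False, "no consent recorded")  # default is reject, not accept


def cookies_to_set(headers: Dict[str, str], cookies: Dict[str, str],
                   wanted: Iterable[str]) -> List[str]:
    """Filter the cookies a page wants to set down to what consent allows."""
    d = resolve_consent(headers, cookies)
    allowed = ESSENTIAL | (NON_ESSENTIAL if d.allow_non_essential else set())
    return sorted(c for c in wanted if c in allowed)


def needs_banner(headers: Dict[str, str], cookies: Dict[str, str]) -> bool:
    """Show a banner only when neither a signal nor a stored answer exists."""
    return resolve_consent(headers, cookies).reason == "no consent recorded"


if __name__ == "__main__":
    page_wants = ["session", "csrf", "analytics", "ads"]
    cases = [
        ("GPC browser, previously opted in", {"Sec-GPC": "1"}, {"consent": "all"}),
        ("no signal, opted in", {}, {"consent": "all"}),
        ("first visit, no signal", {}, {}),
    ]
    for label, hdrs, cks in cases:
        print(label, "->", cookies_to_set(hdrs, cks, page_wants),
              "banner:", needs_banner(hdrs, cks))
```

A browser that sends the signal never sees a banner and never gets a non-essential cookie, which is the "everything that could be rejected would be rejected" behaviour the comment asks for; a cookie name outside both categories is dropped rather than silently allowed.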
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting the wishes of the individuals the data is about, and giving people some confidence that security best practice is taken seriously.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation; it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything
'Cause the corridors of power, they're an ocean away"
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDPR.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit of the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The EU commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other EU commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by EU big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the EU has been co-opted by EU megacorps. Like I said in another comment, we aren't in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore I'm against any new tech legislation from the EU, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the EU courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
GDPR was never about privacy, but to legitimise data trade. It was a two-step process - first train people to Agree to anything by introducing a "harmless" Cookie Law, then once people just click Agree to anything, create a legal basis for data trade, where it is no longer a grey area as most users give consent.
With Chat Controls coming back, never assume EU is doing anything for the benefit of general public.
What is particularly bad, is that they are not honest about it, just keep gaslighting.
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
To make the popup requirement for non-critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
I strongly agree with this position. This is basically the foundation of Control Theory!
https://en.wikipedia.org/wiki/Control_theory
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution
A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.
If the law is code, then law enforcement is a JITter
(joke)
A jitter is like a lawyer on retainer. Law enforcement is more like the OS that segfaults you when you fail to follow the lawyer's advice.
Optimised compiler makes sense though.
Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).
And lines of code is like the mass of an airplane.
In general you want as few as possible of both.
You could also optimize everything for future updates that optimize things even further for even more updates...
Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.
that's right. This is the reason all my code looks like an entry to PerlGolf. /s
The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"
Simplicity is a laudable goal, but it's not always the one thing to optimize for.
Ah, but "simplicity" is not necessarily "fewest lines of code".
Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
(Of course, that's the normative ideal. In practice, the limits of compilers sometimes requires us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)
This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for its hardware.
As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.
Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.
People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in its own little world. A nice goal.
But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.
> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.
Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.
(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
The logical extreme there is legalizing murder for hire, human trafficking, and a bunch of other crazy stuff.
Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.
I’m not saying the following regarding Draghi’s report or particular regulation in mind:
If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?
That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.
> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a 45% tariff on manufactured goods and a 110% tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.
Source: https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-...
Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.
How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.
That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a Chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.
All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.
The number of regulations is not as important as the quality of those regulations.
Shame we can’t regulate the quality of regulations.
That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.
Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)
I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
> more regulations is bad
Only a bootlicker would think like this. "No, I don't want any protections, I enjoy being crushed."
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
The regulation good/bad dichotomy has been very effective reducing the thinking of the constituents of modern neolibs in the US.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
>Unfortunately politics has become the religion of modernity.
religion was classically politics. Moses's tablets were Law. the circle of life.
I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.
I have seen people that are fanatical on privacy. Cheers to them!
Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)
Hear hear.
My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.
So I went to the source, and I found it surprisingly easy to read and quite clear.
I think there's a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).
Here's the full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
> 87 pages and nearly every edge case is carved out. Takes 20 minutes to read.
That's some serious speed reading! :-)
20 minutes to “read” 87 dense pages of legalese? Perhaps you meant to say “skim over.”
Perhaps they meant 200 minutes.
Or perhaps they also never read the law they are chiding others for not reading.
GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.
I would call this the religious zeal response, it's been parroted so many times here that it's become fact, even though this is false.
The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/#:~:tex...
And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.
For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."
However, what constitutes economic activity? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.
To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!
Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.
What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.
When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.
What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.
Doesn't mean the law is good either, but just know these are the adversarial forces here.
>I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
you didn't really say anything
Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.
Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.
I could have chosen anything, you choose and do it. He didn't say anything at all.
"I no longer consider these issues to be black and white [riffing on another comment], I now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"
Well he is saying something here, because as pointed out, many people approach this from an ideological place.
https://en.wikipedia.org/wiki/False_equivalence
False equivalence describes a false equivalence. The equivalence that I pointed out was true. He didn't say anything.
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
In fact, "too many" is the exact point at which it becomes excessive. :P
I think this is an excellent point. More is almost always worse, but if there is a genuine need for regulation it should be absolute.
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
With many "cookie" banners you're agreeing to much more than session state being stored locally on your device. You're agreeing to your device being fingerprinted and that information stored on the company's servers, shared with others, and connected with other data others might have about you, creating a fairly complete picture of your online life, including what you do in private mode.
Most modern browsers (not made by ad companies) have strong protections against fingerprinting, especially on standard hardware/mobile.
Most baffling thing is that sometimes you can't opt-out from "always active" stuff that still involve hundreds of "partners"; see: https://news.ycombinator.com/item?id=45844691
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
That cookie thing should be a browser's default.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
GDPR allows for essential cookies with no popup.
Implied consent is valid for most functionality, just not selling peoples tracking data or giving it to a third party who could.
It's entirely possible to have no pop-up.
Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).
That would be fine, if there was a law that forced every browser to have this setting and every company to respect the setting.
Arguably, if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably; it would still need to be adjudicated.
The browser setting already exists (DNT), so I don't know what you want to conclude.
Like Do Not Track?
Realistically speaking, how much are people willing to pay for email, communications, cloud backups, social media? This is the hard question.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
The banner isn't required. They could just not do the things the banner would ask consent for.
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
I wish we standardized on Do Not Track headers. Cookie banners are a plague. Thanks Europe.
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the 'Decline Cookies' dialog under 3 layers of clicks." That's a proactive choice, that some software developer chose to implement.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.
Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".
I don't want to live in your hellscape where my government tells me I can't program a website without a license.
Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
Someone coded it once; everyone else just adds another dependency that fulfills the spec. They don't even have to search for "dark patterns", just "most effective".
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting unneeded personal data and without selling out its visitors has no justification for continuing to exist. Don't let them guilt-trip you.
That's just a shallow, one-sided argument that never respects the other side of the coin.
It's also true.
Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.
If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.
We don't want scams, scams are bad. If those go away that's a net benefit for humanity.
What do you mean illegal???
Tell that to the ads advertising business that brings in billions every year, and it's legal, btw.
Right, and that sucks major fucking ass. It's bad and literally nobody likes it.
If it went away overnight, I would not lose sleep. I don't think I'm alone in that.
If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.
Do you think anyone cares in the slightest about your 'personal data'?
It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.
And that's probably the same for 99% of websites.
A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.
Selling drugs causes harm.
Targeting political ads? Debatable - whether AI is somehow involved or not.
Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea that they are able to advertise better, due to them knowing things about people and their preferences or interests.
Obviously you need to consider what happens in the large.
> It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.
Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about.
They should feel ashamed for collecting your personal data in the first place.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
There are lots of uses for cookies that have absolutely nothing to do with collecting data about you.
And you don't need user consent for most of those cookies.
> I get that too many regulations is a bad thing
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I think I should be able to collect whatever publicly available data I can find.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (they just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site.
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
> we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick".
Doesn't that describe SV in general, and big tech in particular?
> Doesn't that describe SV in general, and big tech in particular?
Absolutely! It's just that the hopeful hacker/nerd culture used to be more dominant here (slashdot had the more cynical types).
Now there are a generation who don't know anything but Javascript but think that they're God's gift to programming. I can understand it as ZIRP resulted in the bar being dropped to the floor for jobs which paid SV salaries. Imagine earning that kind of money straight out of school and all you had to be able to do was implement Fizzbuzz.
The hackers ARE still here as are some really amazing people but this always seems to happen with communities. The only constant is change. And without change communities die.
As this is the message board of a VC fund it's not that surprising that it doesn't only attract hackers in the original sense?
Hackers should know the government is never on your side.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
In addition, hackers should know government is inevitable. Even in anarchy, governments spontaneously begin to form.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
That may be one of them, but there isn't a singular anarchist school of thought.
> there isn't a singular anarchist school of thought
Would be oxymoronic if there were one.
Isn’t that like saying there must be as many universes as theoretical physicists can think up? Slight maybe but it could also just be one.
> Isn’t that like saying there must be as many universes as theoretical physicists can think up?
Schools of thought are theories. It’s saying there can be as many theoretical universes as theoretical physicists can think up.
This is true for any social construct, of course. But anarchy’s nature means you get less alignment.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
Nozick's libertarianism is not really an anarchist school of thought.
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
No, the naive position is to assume that the state is on your side because you occasionally gain something from it.
The reasonable position is that the state exists to propagate and protect itself, which is made up of its citizens, you included. This is just like any organism or organization works.
Like a company, that doesn't mean they will always make decisions that coincide with what you want or what you think is best. But, it DOES mean they have some goal to keep their people, on the whole, happy, because otherwise they no longer exist.
For example, yes the US government sucks in a lot of ways. The US government ALSO wants you to get an education, and they give it away for free. Because more educated people means a stronger economy, which is good for everyone. You might take this for granted, but: there are many countries where the population, as a whole, cannot read or write. Your literacy is the result of hundreds of years of work and has, essentially, been GIVEN to you. That's not something you just have by nature of being human.
"Hackers should understand governments are complex, dynamic and occasionally chaotic systems"
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
Growth hackers aim for regulatory capture.
In a democracy, the government is its citizens. It sucks when you disagree with the majority of the voters, of course. But it's wrong to say that the government is against the majority of the voters: it was elected by them.
A government or president can definitely be against its voters' interests.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman.
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client ai push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come
That's the 1%. It's the hair on the back of the elephant.
Their capabilities will fall further and further behind models that need a billion dollars to train, and a supercomputer to run. You're making a Faustian bargain.
That is absolute nonsense.
At minimum, government will be useful as defence against worse government.
I know that some anarchists have dreamed of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
It made me feel kinda sad for a few days.
In the last few years I think sentiment on Hacker News has shifted from libertarian-leaning to much more left-leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
I find it really hard to classify myself. I've always called myself a "libertarian" - I believe the best strategy for civilization is to maximise freedom for anyone, as freedom enables enlightenment and enlightenment drives progress. To actually achieve that, in the real world, means that you have to distribute and limit power. That means limiting not only government power but also corporate power. That means regulation, strong regulators (breaking monopolies), policies to keep prices down (including rent/housing!) and to enable free market competition and innovation. And provide an economic system where risks can be taken, enabled by a social net (and social healthcare).
I felt that that was more common here 15 years ago before Big Tech pivoted into the cynical extractive and, in the case of the socials, net economic drag industry that it is now.
The really weird thing is that my views are considered both very right-wing (free markets, globalisation are great, maximal freedom, maximal responsibility, freedom of religion) and very left wing (strong regulation, policy to minimise rent/house prices, strong social net, progressive taxation and wealth limits, freedom to be LGBTQ+ etc).
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam), but bring up any topic that is neutral to popular (VR, autonomous driving, LLMs) and people are the first to come out as luddites.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook, for example, sounds dystopic, knowing the power that lies in personal data collection, the company's track record, or just what the product actually gives us: an endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tangible benefit the personal computer or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
>a larger proportion of "chancers", people who are only in tech to "get rich quick"
Your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago; here's a link (many on HN complain that this is NSFW: https://cdn.jwz.org/images/2024/hn.png; since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message).
The thing that has actually changed since jwz's disgust is that the site is now flooded by socialism, the antithesis of get-rich enthusiasm.
The truly "eternal" September.
https://en.wikipedia.org/wiki/Eternal_September
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
My rule for a sane HN experience: avoid and flag any articles related to Trump, Elon, <current culture war topic>, American politics, and anything tangential that summons them.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didn't the judge rule literally yesterday that this wasn't illegal? This was one of Lina Khan's signature lawsuits, and the judge didn't agree with even a single one of the FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties, and if the people in power don't want any monopoly laws, then there won't be any monopoly laws.
I think you might have a different definition of "merit" than OP. "Merit" to me means how much value the company brings to society. If I'm reading correctly about your point of it being legal, to you it seems like "merit" means how much value they bring to their investors.
Social media companies becoming more consolidated and influential might be legal and good for their stakeholders but it doesn't mean it's a net positive for the rest of the world. And unfortunately, as much as so many people like to believe otherwise, being a net negative to society absolutely does not lead to a company becoming irrelevant.
Where can I read more about this? Quick search turns up nothing for me
https://www.theverge.com/news/823191/meta-ftc-antitrust-tria...
It is actually a monumental case ruling, and for some reason it wasn't reported or discussed here. Lina Khan's FTC has lost both their marquee cases now (Google, Meta).
> Meta won a landmark antitrust battle with the Federal Trade Commission on Tuesday after a federal judge ruled it has not monopolized the social media market at the center of the case.
Wasn't the case here really weak to begin with? I remember reading the FTC's initial filings and they just sounded absurd. The very premise that Meta didn't face meaningful competition from TikTok was a farce.
I'm not very happy with Lina Khan after she killed our only remaining low cost airline carrier. And killed iRobot to let Roborock, a Chinese company, take over.
She "stood up" to big tech, failed, and her remaining legacy is destroying American businesses that people actually relied on. Literally no value was added, but a bunch was subtracted. I never understood the hype for her.
Just to be clear, when you say Khan "killed our remaining low cost airline carrier", are you referring to when the DOJ blocked the JetBlue-Spirit Airlines merger? Not arguing, I just want to understand.
> The very premise that Meta didn't face meaningful competition from TikTok was a farce.
The original claim was centered around the timeline of purchasing Instagram and Whatsapp. TikTok came much, much later.
https://arstechnica.com/tech-policy/2025/11/meta-wins-monopo...
This is a proposal from the EC. Whether the EU accept it is not clear.
Yeah I really hope they don't. It's ridiculous to throw out all the great work they've been doing.
Nothing's been officially published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
Social connections can be a large sacrifice.
> What I really want to see is Meta getting irrelevant ON MERIT.
Why? Is META relevant only on merit?
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views is not equal - in the sense that there isn't an equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
The loudmouths do not necessarily represent a majority of HN users. They're just loud. Some of us find the social-media-bashing threads boring and just go back to our social media.
I think there is plenty of diversity of comments, substantially less diversity in voting and flagging.
You can say lots of things, many that go against the hive mind will just get you more or less instantly grayed or even flagged
> substantially less diversity in voting and flagging
I don't think this is true either. I've seen comments swing wildly from one end to the other and back. It's more that comments show a distribution, while voting squashes that distribution into a single result.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
Can contract killers become irrelevant on merit, or does it take government intervention?
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.
Look at what happened to iRobot vs. Roborock though.
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. TikTok took off with ByteDance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
I live in the EU. I am totally in support of forcing Meta down through the government's big stick.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Then I propose you should support https://noyb.eu/
Their track record is pretty good.
If you support them (I do, they do great work), please set up a yearly subscription. Predictable revenue is very valuable for organizations.
Do we have anything like this in the U.S.?
Yeah, seconded, and I also live in the EU.
I wonder what kind of people downvote you. They must have interesting priorities.
Meta's only merit is having a lot of users and keeping them hooked at any cost.
It might surprise you, but success is not always rooted in having done great things for the world
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> ...more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
There are lots of companies like this:
https://zeotap.com/wp-content/uploads/2025/06/Zeotap_-Time-t...
Well yeah, the GDPR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major company's website I visit. An option that was near non-existent before GDPR.
That wasn't even the GDPR and it did even less for user privacy.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
?? He bought instagram in 2012 when it was tiny. They all moved in 2016.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
What about hp, dell, ibm, compaq, sun? Companies are temporary.
> Users dropped from Facebook like flies and moved to Instagram.
Even worse, bought WhatsApp.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
[2] https://wikileaks.org/podesta-emails/emailid/8190
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
So “smart rules” only means “more rules”?
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Right, but it's obviously not overreaching, because users' data is taken:
1. Without their consent,
2. Without their knowledge and,
3. Cannot be taken back or denied in a simple way.
There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.
So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GDPR doesn't either. It just needs to make it possible for consumers to choose.
A free market is built on consumer choice; that is the core of a free market. It might seem counterintuitive, but regulations that protect consumer choice actually bolster the free market, not impede it.
The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.
It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes, "The more wild cards and crazy rules, the greater the expert's advantage."
I'm not sure.
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation."
You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.
So it's not everyone, is it even most people? I'm not sure.
I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.
I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.
Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.
A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered. Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle. They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
HAHAHAHA good joke. Oh wait. You're serious. Oh god please no.
But 60% of the time, it works every time.
Browser level consent primitives would be a significant improvement on the status quo.
I second this; I have never been "into" these issues and as a user I generally just disallow everything I can, which can be a pain (I mean I often don't want to store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners"). While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privileged access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).
But that's only a small part of a huge legal framework, and as I said I don't know much about these issues.
Do Not Track was a spectacular failure.
You can still turn cookies off in your user agent though.
It was a spectacular failure because the people who thought of it didn't stick to it.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason
That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.
But they weren't prepped to take action yet.
Microsoft made the user expressed intent and the user expressed no opinion look the same.
That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
It's not just cookies and websites, it's any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Ughhh here we go again.
Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad nauseam.
I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.
Almost nobody on this forum has ever talked to a lawyer about this, and even fewer people have followed the actual court rulings that have determined what GDPR actually means in practice.
My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various Schrems rulings, back-and-forth on SCCs, data transfers, and EU-US political spats...there have been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.
And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."
I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist you could be responsible custodians?
> but will continue to go back and forth if GDPR remains as-is.
Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.
The EU nations can't even get their own governments running on non-US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwards.
I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.
However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.
Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.
Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.
Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.
Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.
Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.
Etc. Etc.
You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.
What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.
Literally everything.
The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.
Here's a good primer: https://trustarc.com/resource/schrems-ii-decision-changed-pr...
Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.
If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared de facto non-compliant).
This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe.
> I don't see anything about GDPR that would harm innovation or long-term success for Europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
So either you're lying or your lawyers are lying to you.
In 9 years you could've finally read and understood the rather small law yourself.
I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
> clearer safe harbors for small actors
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
Not different rules for different people.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
This is different for different people said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
Corporations are not people. This is not different rules for different people.
In the traditionally implied sense of different rules for different social classes.
Because their conditions and abilities are different.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens?
Because quantity is a quality of its own.
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
>Different rules for different people huh?
That’s how an efficient market works. The bigger the players, the higher the chances they will distort the market. You need to apply force proportional to size to return the market to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I wish you were right though.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.
https://www.independent.co.uk/news/world/americas/asa-baker-...
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies, i.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
> Different rules for different people huh?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Why did you use an LLM to write a comment?
What makes you think it's LLM generated?
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
colons and directional quotation marks scare folks who don't know how to use them properly
The structure of what it wrote, and the banality of the point.
The double quotes perhaps?
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Finally!
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
Those “cookie banners” are nonsense aimed at getting this outcome.
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
The EU's own government websites are polluted with cookie banners. They couldn't even figure out how to comply with their own laws except to just spam the user with cookie consent forms.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
Again, then why does the EU do this? Clearly it's not simply about eroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
> Besides, you seem to be confusing something.
No. You asked "How can you comply with the current requirements without cookie banners?", not "How can you have trackers and comply with the current requirements without cookie banners?". And "don't use dark patterns" would have answered this question as well.
>No. You asked "How can you comply with the current requirements without cookie banners?"
Within the context of the discussion of whether it's malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but that's not the world we live in. Maybe you were hoping GDPR would have the side effect of people using fewer cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> Within the context of the discussion of whether it's malicious compliance or a natural consequence of the law.
You ignored that I said "don't use dark patterns" answered the question you meant to ask.
> Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies?
We were discussing trackers. Not cookies.
> I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
I will not think of it using an unnecessary and incorrect analogy. And writing things like Scary Dark Pattern is childish and shows bad faith.
> Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
The malicious compliance is the dark patterns you ignored. Rejecting cookies was much more complicated than accepting them. Users were pressured to consent by constantly repeating banners. The “optimal user experience” and “accept and close” labels were misleading. These were ruled not compliance in fact.[1] But the companies knew it was malicious and thought it was compliance.
Ignoring Do Not Track or Global Privacy Control and presenting a cookie banner is a dark pattern as well.
[1] https://techgdpr.com/blog/data-protection-digest-3062025-the...
> billion trackers ... dark patterns
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
> Why would EU governments use cookie banners
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
you CAN use analytics! Just need to use first party analytics... it is not so hard to set up, there are many opensource self-hosted options.
I hate how everyone and their mother ships all my data to google and others just because they can.
Let's not deceive ourselves -- first-party analytics are much, much harder to set up, and a lot fewer people are trained on other analytics platforms.
They're also inherently less trustworthy when it comes to valuations and due diligence, since you could falsify historical data yourself, which you can't do with Google.
Can you actually do meaningful analytics without the banner at all? You need to identify the endpoint to deduplicate web page interactions and this isn't covered under essential use afaik. I think this means you need consent though I don't know if this covered under GDPR or ePrivacy or one of the other myriad of regulations on this.
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesn't matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
No, those companies do not follow GDPR. They are testing how far they can go without triggering mass complaints etc.
See https://noyb.eu/en/where-did-all-reject-buttons-come
By not setting a cookie until the user does something active when I then tell them (say on “log in” or “add to basket”.
You don't need a cookie banner for authentication/shopping basket cookies, since these are essential.
However, you are still required to provide a list of essential cookies and their usage somewhere on the website.
This. I don't know why there's a heavy overlap between the "GDPR didn't go far enough" people and not actually reading the GDPR. I'd think they would overlap a lot with people who actually read it.
I don't think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that it's not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make them illegal. Simply operating as normal plus new GDPR compliance clearly isn't malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> But I'm making the point that it's not malicious compliance.
It’s totally technically feasible to have a non-blocking opt-in box.
But sites effectively make a legally mandated opt-in dialog into an opt-out dialog by making it block the site. Blocking the page loading until the banner is dismissed is definitely malicious, and arguably not compliant at all.
And let's not get started on all the sites where the banner is just a non-functional smoke screen.
Don’t track your site visitors.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
OK sounds great.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers). Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site onto itself is a first party tracker, but if your developers can't do it there are opensource solutions available to host.
Again, great. Didn't happen and isn't required by GDPR though.
Malicious compliance are those dark patterns where it takes on click to accept all but multiple clicks to reject all.
I remember the early day cookie banners of Tumblr: accept all or deselect 200 tracking cookies by clicking each checkbox.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
Can we get the do-not-track header instead?
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
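Here is what honouring the browser-level signal looks like on the server, as an added example that is not code from the article or from anyone in this thread. The two header names are the real ones: DNT (the older Do Not Track header, value 1) and Sec-GPC (Global Privacy Control, value 1). Everything else is assumed for the example: the request is represented as a plain header object, the stored choice lives in a cookie named consent holding tracking=yes or tracking=no, and a browser signal is treated as overriding a previously stored opt-in.

```javascript
// Added example, not from the thread. Server-side consent gate that checks the
// browser's opt-out signal BEFORE any stored consent or banner logic. Header
// names DNT and Sec-GPC are real; the cookie name "consent" and the decision
// shape are assumptions for this example.

// Minimal Cookie request-header parser: first "=" separates name and value.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// HTTP header names are case-insensitive; normalise before lookup.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return String(v).trim();
  }
  return undefined;
}

// Returns { tracking, banner, reason }:
//   signal present      -> tracking false, banner false (ask nothing, set nothing)
//   stored opt-in       -> tracking true,  banner false
//   stored opt-out      -> tracking false, banner false
//   nothing known       -> tracking false, banner true  (non-blocking opt-in prompt)
function decideTracking(headers) {
  if (headerValue(headers, 'sec-gpc') === '1') {
    return { tracking: false, banner: false, reason: 'Sec-GPC opt-out' };
  }
  if (headerValue(headers, 'dnt') === '1') {
    return { tracking: false, banner: false, reason: 'DNT opt-out' };
  }
  const cookies = parseCookies(headerValue(headers, 'cookie'));
  if (cookies.consent === 'tracking=yes') {
    return { tracking: true, banner: false, reason: 'stored opt-in' };
  }
  if (cookies.consent === 'tracking=no') {
    return { tracking: false, banner: false, reason: 'stored opt-out' };
  }
  // Default is no tracking. The banner only offers the opt-in; it never blocks.
  return { tracking: false, banner: true, reason: 'no signal, no stored choice' };
}

// Set-Cookie headers the response may emit for a given decision. The session
// cookie is strictly necessary and goes out regardless; the analytics id (_aid,
// an assumed name) only with consent.
function setCookieHeaders(decision, sessionId, analyticsId) {
  const out = [`sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`];
  if (decision.tracking) {
    out.push(`_aid=${analyticsId}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`);
  }
  return out;
}

// Constructed requests for illustration.
const GPC_REQUEST = { 'Sec-GPC': '1', Cookie: 'consent=tracking%3Dyes' };
const OPTED_IN_REQUEST = { Cookie: 'consent=tracking%3Dyes' };
const FRESH_REQUEST = {};
```

The ordering is the whole point: the signal is evaluated before stored consent or any banner logic, so a GPC user never sees the prompt and never receives the analytics cookie, and a site that only ever sets the session cookie needs nothing beyond the first line of setCookieHeaders.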
Or a new, opt-in "Do-Track" that means consent to tracking, and anything else means tracking is not allowed. Why should it opt-out?
As long as there is Do-Not-Track as well, and companies must follow BOTH, this would be ok by me.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of what? Instead of the central browser controls?
>Instead of what?
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
This very article is about how we're getting a central browser control, and your comment was "can we finally get a central browser control instead?".
Well, it's a minor detail hidden in the middle of the article, I also missed it.
But the person weberer replied to was quoting the exact place.
whoops, didn't read the entire quote ...
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rile people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would actually not need any banners at all.
So they finally admit that it was a mistake.
Even EU government websites had annoying giant cookie banners.
Yet, somehow the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
> Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at.
Server logs can provide this information.
Only in very simple ways.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things, problem is do we agree as society it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the thing and am still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
Not for the amount of stuff on the web now that is client-side rendered.
Client side rendering means in practice clicking a product retrieves JSON and images instead of HTML and images. This can be logged.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
50 is not even close.
Those banners often list up to 3000 "partners".
The cookie law made this worse.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
uBlock blocks most of those for me lately.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... does a similar thing.
I use the first of those extensions, it's the cookie whitelist one that no longer works for me.
There could be an extension to block the banners, too. I think uBO has a feature to block certain CSS classes?
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when I close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
You can just set your browser not to send whichever cookies you don't want to.
Cookies are a client-side technology.
Why does the government need to be involved?
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
Not really, it disallows tracking even if you aren't storing anything (eg via fingerprinting):
https://gdpr.eu/cookies/
That link seems to say the opposite:
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client side anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
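An added example (not code from the article or from anyone in this thread) of what can and cannot be read off a Set-Cookie header: who set it, how long it lives, whether it can be sent on cross-site requests, whether page scripts can read it. What it cannot tell you is the purpose, which is the gap the comment above is about. The captured headers, the page host and the shortcut of taking the last two labels as the registrable domain (no Public Suffix List lookup) are assumptions; treating a missing SameSite attribute as Lax follows Chromium's default.

```javascript
// Added example, not from the thread. Audit of captured Set-Cookie headers.
// Captured headers, page host and the "last two labels" domain shortcut are
// assumptions for this example; purpose is never derivable from the header.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    maxAge: null, expires: null, domain: null,
    sameSite: 'Lax',      // Chromium's default when the attribute is absent
    secure: false, httpOnly: false,
  };
  for (const a of attrs) {
    const [k, ...rest] = a.trim().split('=');
    const v = rest.join('=').trim();
    switch (k.toLowerCase()) {
      case 'max-age': cookie.maxAge = Number(v); break;
      case 'expires': cookie.expires = new Date(v); break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'samesite': cookie.sameSite = v ? v[0].toUpperCase() + v.slice(1).toLowerCase() : 'Lax'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      default: break; // Path and unknown attributes are irrelevant to this audit
    }
  }
  return cookie;
}

// Simplification: registrable domain = last two labels. Real code needs the
// Public Suffix List (e.g. "co.uk" has three-label registrable domains).
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// null means a session cookie (dropped when the browser closes); Max-Age wins over Expires.
function lifetimeDays(cookie, now) {
  if (cookie.maxAge !== null) return cookie.maxAge / 86400;
  if (cookie.expires) return (cookie.expires.getTime() - now.getTime()) / 86400000;
  return null;
}

function auditCookies(pageHost, captured, now) {
  return captured.map(({ responseHost, header }) => {
    const c = parseSetCookie(header);
    const setBy = c.domain || responseHost.toLowerCase();
    const days = lifetimeDays(c, now);
    return {
      name: c.name,
      setBy,
      thirdParty: registrable(setBy) !== registrable(pageHost),
      persistentDays: days === null ? null : Math.round(days),
      crossSiteCapable: c.sameSite === 'None',
      scriptReadable: !c.httpOnly,
      // Not in the header: only the operator's declaration can say what it is for.
      purpose: 'undeclared',
    };
  });
}

// Constructed capture: what a browser would see loading www.shop.example.
const NOW = new Date('2025-11-01T00:00:00Z');
const CAPTURED = [
  { responseHost: 'shop.example', header: 'sid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { responseHost: 'shop.example', header: 'lang=de; Path=/; Max-Age=31536000; SameSite=Lax' },
  { responseHost: 'ads.tracker.example',
    header: 'uid=9f8e7d; Domain=.tracker.example; Expires=Sun, 01 Nov 2026 00:00:00 GMT; Secure; SameSite=None' },
  { responseHost: 'cdn.shop.example', header: 'ab=variant-b; Max-Age=2592000; Secure; SameSite=None' },
];
const AUDIT = auditCookies('www.shop.example', CAPTURED, NOW);
```

Run over the capture, the audit separates the one-year cross-site cookie from a third-party host (the obvious candidate) from the session cookie, but it also shows why per-cookie browser prompts are not enough: the first-party lang and ab cookies look identical in the header whether they store a preference or feed an experiment pipeline, and the name tells a normal user nothing.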
Cookies that keep you logged in or maintain a session don’t need consent
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
Of course, let ME decide if I want to keep fdfhfiudva=dsaafndsafndsoai and remove cindijcasndiuv=fwíáqfewjfoi. I know best what those cookies do!
Because it's not about cookies. Ad trackers shouldn't store my precise geolocation for 12 years for example: https://x.com/dmitriid/status/1817122117093056541
Cookie banners are made obtrusive by the people running CMPs as they want to make it as hard as possible to stop collecting the data
Funny thing is that I often will go out of my way to find the least permissive settings if the banner is obnoxious or has a dark pattern.
every accusation is a confession you see...
worst implementation ever. I bet it is the reason that most people are now taking anti depressants.
> if you don't do anything "bad" then you don't need the banners.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners"?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
Related ongoing thread:
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
The cookie thing sounds good at first but then it shows that they want to reduce cookie walls by making more things OK without asking :(
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
No it doesn't. A website's own preferences fall under the "necessary for site functionality" exception.
Besides how many sites actually have this as the only reason for cookies? Every time I get a new cookie banner I check it and there's always lots of data shared with "trusted partners". Even sites of companies that purely make money off their own products and services and shouldn't need to sell data. Businesses are just addicted to it.
The only provision I like is that they may only ask once every 6 months. However personally I wish that they'd make it a requirement to honour the do not track flag and never ask anything in that case. The common argument that browsers turn it on by default doesn't matter in the EU because tracking should be opt-in here anyway so this is expected behaviour. The browsers would quickly bring the flag back if it actually serves a purpose.
I'll keep blocking all ads and tracking anyway.
No, preferences are not strictly necessary, check https://gdpr.eu/cookies/
I would on the other hand ask if I should really set my "preferred language" on every device I log in ?! Why not store it server side (not to mention, why not use the browser language selection to start with).
I do agree with you that most of the cookies we talk about are not at all "preference cookie"...
the issue was never the law.
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner either. ONLY if I shared the info with a third party. The rules are simple yet the ways people bend them are very creative.
> lets you set font size and dark/bright theme,
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. Not personal data, so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
> Most websites do. not. need. cookies.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all); check the Steam store for example: their banner is non-intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
0. https://guides.libraries.psu.edu/european-union/official-ser...
1. https://www.europarl.europa.eu/portal/en
2. https://www.consilium.europa.eu/en/
3. https://european-union.europa.eu/index_en
> "lawbreaking" (as defined by you)
What do you mean? The original post mentions 1000 cookies and no button to reject them. The sites you mention have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.
> law wasn't poorly written, most websites just don't follow the law
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Most websites in the EU also aren't following the law.
People intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.
Definitely a failure of enforcement, but let's not pretend that was good-faith compliance from operators either.
I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.
Non-risk cookies never required a banner.
Joke's on them, I never followed the law anyway.
That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.
I will believe this when I see it.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
Another backhanded way to forbid open-source solutions? Because now they will argue we need secure-booted, tamper-proof Windows/macOS to make sure the proof is legit.
That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
I don't want an internet designed by lawyers and politicians. And I'm afraid that's what this level of regulation and enforcement would create.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I don't want an internet designed by businessmen and advertisers, yet here we are.
I'm not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it? Some of us just follow regulations because it's the law, regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect, which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
The EU's own government websites are littered with cookie consent banners. They want the data too.
> The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval...
Not a done deal.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
What were they doing with user data?
Most are running ads and need to track the performance of their ad spend, I believe; at least that's what we do. We don't care at all about tracking anything other than that x amount of users came from x ad source, with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
How do I stop you from tracking this information about me?
Do not consent when asked or, better yet, do not use websites that implement these techniques.
So “can’t abuse people’s data without their consent” is being strangled?
Is that like I’m strangled with my start up of “cheapdvds.com” because I can’t sell someone else’s data?
You have a funny definition of the word “abuse,” and “sell.”
“25% of our users that arrived from the newest ad came from Facebook and 85% of those were mobile users.”
So abusive. So much selling.
That's an egregiously poor faith interpretation of what they said.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU-based plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for a fridge AFTER you bought one, since they now know you browsed them.
What works is content-based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when the user clicks a link via redirect. Like in the good ol' times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
> What works is content-based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when the user clicks a link via redirect. Like in the good ol' times.
This still requires tracking to follow the user through the whole flow, which is required unless you want to be defrauded with fake users at the very least, but also very important to track the actual performance of each ad source.
Why do things that are important to the advertiser trump what's important to the user? I don't care how hard it is for you to track the performance of your ad sources, I just want you to stop tracking me.
Because without ads we're not profitable so there would be no service?
You can't just buy a domain, put your service out there, and expect it to gain traction. Advertising that you actually exist is essential for any service, but especially so for smaller businesses and startups.
> GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
Good! I don't want ads to be a thing in the first place. It's a good thing that industry is being strangled by regulation.
Essentially all modern advertising is evil.
They are strangled by rules on using personal data for algorithmic advertisement?
GOOD!
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason; all of those are for others' benefit, with no or marginal benefit for me, in the overwhelming majority of cases.
If startups cannot do it properly, then they should not do it at all! They must spend on handling personal data well if they want to handle personal data at all! There are way more than enough already, and most just go bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people; people are increasingly reluctant to share because of the many abuses and actual damages caused by misused personal data.
People are important, not the startups!
Sure and that's why EU now has the weakest tech sector of any service industry and have become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
This is pretty much untrue. Look at India, Africa, South America, Japan, Singapore, the UK, Israel, the Arab world, Turkey, Russia, Ukraine, Norway, Switzerland, or Australia; compared to them the EU is doing just fine.
You’re comparing the tech sector of the EU to that of Africa?
No
Nice edit
Bad troll!
Sure, but since the EU has destroyed its own innovation so much, soon you'll get no choice in the matter.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
Poor Europe - lobbyists make sure that Europe stays weak.
That statement includes Ursula by the way.
Lobbyists make sure that ~~Europe~~ the world stays weak.
They need more strict financial regulation than politicians do!
You can't build large ML models without swaths of data, and GDPR is the antithesis of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
The GDPR is about protecting personal data, what personal data could you possibly need to train an AI model?
Let's turn that around. What personal data wouldn't help train an AI model?
Too late, and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws, which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process-oriented, feels-over-reals environment is not attractive to competitive business.
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
0. https://news.ycombinator.com/item?id=45970663
Of all the things to yield on, the GDPR really isn't it. The cookie banner problem is one caused by site owners consistently preferring using dark patterns over just not doing the stuff that makes you need a banner. If anything, the EU should have put the hammer down and enforced its regulations on those cookie banners consistently having 'accept all' being the default option and the alternative be more difficult to access.
The central browser controls they mention will hopefully be a more successful version of the 'do-not-track' header. An equivalent of that will be fine (although an opt-in version would be better), but it still needs to have legal enforcement behind it to work, which the old one didn't, and the cookie banners aren't feeling.
What's the point of the choice in the first place? People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non-essential use illegal.
I'd love for them to be made illegal, but I imagine certain groups of people wouldn't take kindly to that, so we need to do the dance and have people be tracked under nominal consent.
They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
They seem to be reporting on two drafts that were leaked by Netzpolitik.
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
https://ec.europa.eu/transparency/documents-register/detail?...
https://ec.europa.eu/transparency/documents-register/detail?...
They can be downloaded here: https://digital-strategy.ec.europa.eu/en/library/digital-omn...
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see things there like taxes, regulations about the cucumber radius, etc.
What exactly did you see about cucumbers?
They scrapped it actually but this law used to be the main example for overbearing EU bureaucracy
https://www.theguardian.com/lifeandstyle/wordofmouth/2008/no...
The actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one, I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem with mandating truth in advertising.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer to verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
> All consuming vague regulations like GDPR increase the cost of a startup by 500%.
Source?
I would say it's a lot more than 500%. If your business is based on doing things that are illegal under GDPR then the cost of doing that startup is close to infinite. But that's kinda the point of GDPR.
This. Sure, it's X% more difficult to do Y in Europe, because Europe doesn't want you to do Y, either at all, or unless you clean up after yourself so the costs aren't just eaten up by the environment or whatever, or unless you do it without causing harm. That's not a problem. That's the system working as intended.
Sure, Europe doesn't have its own Microsoft, probably because of regulations like this, but I don't want Europe to have its own Microsoft, because Microsoft, for the most part, sucks.
> That's not a problem. That's the system working as intended.
You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
> You really think that supra-national legislators regulating the fine-print of unfathomably complex systems manage to have everything working "as intended"?
For values of, yes. Things obviously aren't perfect, but I at least generally prefer them over their proposed alternatives. I find they have made things better.
> Why do Draghi or the EC want to roll back this mess then, other than the evident loss of competitiveness respective of the blocs who did not do this? Was that intended or foreseen?
From the article:
> Under intense pressure from industry and the US government,
I think that says what needs to be said. And my opinion is that they shouldn't yield to US government and industry interests, since they clearly aren't the same as European interests.
I mean Europe doesn't really get to make the choices when it comes to the USA because of their hilarious practice of hamstringing themselves. If that was the goal it definitely worked.
I think what they mean is that the EU in general kinda knows that, for various reasons, they won't be able to make their version of the money machine big tech. So why not try a different path? The individual laws will always be flawed because there is huge pressure to make them flawed by corps and lobbies that want to exploit them.
But if you ask anyone in Europe on the street, they have no sympathy for big tech. If anything they want stronger GDPR and more of it.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls, I think we're at the precipice of needing in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
I wish there was a link to the source of this information in the article! I'd like to read the updated version of these laws (if they're public).
It's perhaps worth linking to the official EC page on this proposal: https://digital-strategy.ec.europa.eu/en/faqs/digital-packag...
EU's citizens are ripe for the taking. GAFAM, Palantir & co are going for the kill (we hope not like in Gaza)
It's gonna take a decade to roll down all those cookie banners.
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
What constitutes data about people?
If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?
You're being deceptively dense.
PII has a very clear definition. Posts on a public forum are not part of it.
> PII has a very clear definition.
It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.
Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.
There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.
But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I don't see how training an LLM has anything to do with privacy laws.
It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.
> Training a large language model and privacy law as it's written today cannot coexist
If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society are NOT negotiable tradeoff.
There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs are as real as the companies like to claim, there is enough data on the internet to train LLMs while paying for proper royalty for every single word.
I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.
People here act as if GDPR was some kind of big reason why all the digital tech is from the US. But come on, it's not like the game hasn't been rigged forever. To be more specific, it's been part of the deal with Europe being a close US ally. None of the European digital tech is ever supposed to be relevant. And in case some European digital tech is relevant, it has to be absorbed by the US or at least made to look irrelevant so nobody sees or cares about it.
If anything, this recent lobby and political pressure to remove GDPR/AI laws is there to help the US at a time when it needs it. To allow some US big tech software to sweep in, exploit what they can, and help to keep the line up as much as possible.
But if you really look at digital tech in Europe... it's doing fine. Why? Because making software and compute is cheaper every year, to the point of nothing. It's hard to keep insane growth in that environment. Sure, if you make some unique breakthrough (like AGI) then tech keeps going again. But what if not? Then you just have to squeeze everyone more, including your allies, especially your allies.
Let me steelman the new proposal a little bit:
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!
Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.
> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).
This was okay even before. Given this information (and your shirt size), you couldn't be identified.
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.
What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.
The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?
The news feels bittersweet. With 10+ years of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform.
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. The EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
Anonymization unfortunately is completely broken under GDPR. In principle it provides a clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.
The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established, even considering the person doing the anonymization. Consider a clinical study on 100 patients and some diagnostic parameter such as creatinine or HbA1c which was legally collected using consent and everything. Let's assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR applies a simple test: could anybody, using reasonable efforts, re-establish an identity? And sure, the original researcher can, because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.
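Two points raised in this thread, that a plain hash of a small identifier space (such as a social security number) is easy to reverse, and that a controller who keeps the mapping can always re-link a "shared" dataset, as an added Python example that is not part of any comment here. The master file, lab values and identifier prefix are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from any real study): a controller's master
# file mapping an SSN-like 9-digit identifier to one lab value (creatinine,
# mg/dL). Only the right-hand column is meant to be shared.
MASTER_FILE = {
    "123456789": 0.9,
    "123456123": 1.4,
    "123456555": 1.1,
}


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. It hides the digits, but because
    the identifier space is small (10^9 SSNs) anyone can rebuild the table."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the controller. Without
    the key the pseudonym cannot be enumerated; with it the controller can
    still re-link, so the output is pseudonymous, not anonymous."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def release(master: dict, pseudonymize) -> dict:
    """The dataset handed to a third party: pseudonym -> lab value."""
    return {pseudonymize(ident): value for ident, value in master.items()}


def relink(released: dict, candidates, pseudonymize) -> dict:
    """Re-identification attempt using only the released dataset and a
    candidate identifier space. Returns identifier -> lab value for every
    row whose pseudonym matches a candidate."""
    recovered = {}
    for cand in candidates:
        p = pseudonymize(cand)
        if p in released:
            recovered[cand] = released[p]
    return recovered


def candidate_space(prefix: str, width: int = 9):
    """Constructed candidate space: every identifier with the given prefix
    (1000 values here). The real space is all 10^9 values, which is still
    cheap to walk on commodity hardware."""
    n = width - len(prefix)
    for i in range(10 ** n):
        yield prefix + str(i).zfill(n)


def demo():
    # 1. Plain hashing: a third party with no secret recovers the whole file.
    leaked = relink(release(MASTER_FILE, plain_hash),
                    candidate_space("123456"), plain_hash)

    # 2. Keyed pseudonyms: the same attempt without the key recovers nothing.
    key = secrets.token_bytes(32)
    keyed = release(MASTER_FILE, lambda i: keyed_pseudonym(i, key))
    wrong_key = secrets.token_bytes(32)
    blind = relink(keyed, candidate_space("123456"),
                   lambda i: keyed_pseudonym(i, wrong_key))

    # 3. The controller, who holds the key, re-establishes the link. That is
    #    exactly why the released values count as pseudonymous, not anonymous.
    controller = relink(keyed, candidate_space("123456"),
                        lambda i: keyed_pseudonym(i, key))
    return leaked, blind, controller


if __name__ == "__main__":
    leaked, blind, controller = demo()
    print("plain hash, no key :", leaked)
    print("HMAC, wrong key    :", blind)
    print("HMAC, controller   :", controller)
```

Keyed pseudonymization removes the "anyone can rebuild it" risk, but the keyholder's ability to re-link is precisely the master-file problem the comment describes.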
Related:
Europe's cookie nightmare is crumbling. EC wants preference at browser level
https://news.ycombinator.com/item?id=45979527
> European Commission wants browsers to manage cookie preferences instead of pop-ups on every website.
Better late than never, but it's insane it took them almost a decade to figure this out.
But that extra click to read any webpage was keeping me safe
From Europe, I agree with big tech getting it. But I don't agree with a random flower shop somewhere getting fined because they don't know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also don't agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that it's now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop-up, but penalizes you if the user actually uses it to accept cookies, because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you don't provide the easy 'Accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didn't make the user approve each cookie one by one.
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop-up, you are still in violation because it's not easy and your easy 'Accept' button is meaningless as a result.
And this is just one of its contradictions. The more you dive, the more convoluted it gets. It's a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
The issue isn't too much regulation. It's that an organization such as the EU cannot adapt.
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They aren't getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (e.g. with full account exports). Deleting inactive accounts is great because it means fewer migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
Can you point to any of these guides?
In our case we were working on a Dutch project so we used this; AVG is the GDPR implementation for the Netherlands:
https://ictrecht.shop/en/products/handboek-avg-compliance-in...
I'm sure capitulation will teach the surveillance racket a strong lesson.
Hold the line. Don't make the same mistake we did in the US. Your data is your data.
The GDPR somehow had the power to make (almost) everyone comply with it, even outside of the EU. If only they had specified that instead of banners, companies had to actually respect the Do Not Track header, even if set by default on a browser, and everything that could be rejected would be rejected if that were sent.
Europe learned the hard way that you can't have your cake and eat it too.
EU citizens: WE DEMAND XYZ PROTECTIONS
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
Cowards.
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
Far less than 1% of people would care about either.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
But far more than 1% are harmed by it.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting the wishes of the individuals the data concerns, and giving people some confidence that security best practice is taken seriously.
Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?
It is a government who says that…
They are quite unwise to do so.
Does this mean fewer, less annoying cookie pop-ups?
Previously:
European Commission plans “digital omnibus” package to simplify its tech laws
https://news.ycombinator.com/item?id=45878311
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post-2008, seems to be infatuated with regulation; it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
That is too bad, I had hope in this case regular people would win and get privacy we deserve. But as always big money wins, it just takes time.
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"
https://www.youtube.com/watch?v=Xpo2-nVc27I
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDPR.
Is that why most of the EU governmental websites have the same cookie pop up banners?
Lack of product ownership and cargo cult developers.
Legislation can’t change culture.
> The EU folds under Big Tech’s pressure.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
> due in part to burdensome privacy regulations.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up on 10 years now and the worries about it were overblown. What hasn't budged is that Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
I think this is a very rosy framing.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data, or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic, since I'm regularly getting notified by Have I Been Pwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
If I sign up with your company I can opt into that personalisation at signup time.
You have no business stealing my personal data until we enter an equal agreement.
The EU is not folding. The article is two facts surrounded by a huge ball of propaganda.
Europe got stuck in the old world; they will never have tech companies.
The changes to the GDPR are completely irrelevant compared to what the EU is planning with chat control.
The Commission is completely out of control, pushing through (or at least trying to) vast amounts of awful legislation, while the democratic processes are totally failing.
What this bloc desperately needs is leadership, which represents collective economic interests on a global stage, not some more pieces of legislation trying to control the Internet or putting the entirety of EU citizens under suspicion of raping children.
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU Commission claims that this is for the benefit of the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
I see the tech bros finally figured out who they needed to bribe.
While they are at it, the EU should also correct another sh*tty law: the Digital 'Resilience' Act (or whatever it was) that holds Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: the EU Commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other EU Commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'? Same. Licenses? Same.
It looks like this was another law pushed by EU big software lobbies: cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the EU has been co-opted by EU megacorps. Like I said in another comment, we aren't in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore I'm against any new tech legislation from the EU, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
Big players don't want this either; we rely on open source software and frequently contribute back.
This is just another dumb EU reg that hurts everyone.
EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?
Is EU suffering from FOMO?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
Start?
I stand corrected. :D
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
> We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy.
That's an odd way to say EU regulations....
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the EU courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
That was already the case for the majority of domains.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
I for one like it to be able to post stuff on my website without the risk of someone sending me pizza or swat teams to my home address...
Shameful decision, caving to foreign capital interests.
Do better, EU.
The consequences of their laws are pushing their hands.
Yet again, European countries are showing who their leaders are: US Big Tech
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens.
Well, that's a bummer.
Despite the sentiment on this forum that EU regulations are hindering tech progress, Europe is one of the few places in the world that actually tries to keep tech companies on a leash. We need much more of that, not less. The GDPR and the AI Act are far too weak, IMO. We've seen that fines when companies step out of line are simply the cost of doing business for them. Tech oligarchs should be getting jail time for every infraction instead.
I'm not too concerned for myself, since I don't trust any of these companies with my data anyway. But this is bad news for the majority of people who aren't tech savvy, or simply have "nothing to hide".
We know what happens when we let CEOs run a country. The last thing Europe needs is to follow USA's lead.
GDPR was never about privacy, but about legitimising data trade. It was a two-step process: first train people to Agree to anything by introducing a "harmless" Cookie Law, then, once people just click Agree to anything, create a legal basis for data trade, where it is no longer a grey area as most users give consent. With Chat Control coming back, never assume the EU is doing anything for the benefit of the general public. What is particularly bad is that they are not honest about it; they just keep gaslighting.
The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
I used to live and work in the EU; get out of the EU before it is too late.
Like the UK, you mean? Boy, that did really work out well for them!
So far so good - and I say this as one who voted remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of the EU's dumb ideas. So even outside the EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. The consequence being that people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent; it was not only bi-party, but omni-party consent.
The UK was known for bureaucracy even before they joined the EU. The idea that the red tape would vanish was always silly.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[1] Western, Educated, Industrialized, Rich, Democratic
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
Watch out for French government bonds (10yr), France will be the next before 2030.
I did the opposite, I moved to the EU before it is too late.
It's the only power left that stands for rule of law.
Wow. Powerful statement. I suppose other places are probably scaling back GDPR and relaxing AI laws, unlike the glorious EU?
I disagree with this move. However, I disagree with moves made in other places even more. Especially the US has been moving away from rule of law at a rapid pace.
This is criminal.
How so? Like, figuratively, as-in outrageous?
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I assume you mean the AI related stuff?
It was never required to show a pop-up for essential cookies.
I work in data privacy and I really hold the GDPR in high esteem. The "AI stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
The fundamental problem in Europe is the perception that companies are inherently ill-intentioned, requiring micro-management through massive bureaucracy. It is a moralising and irresponsible attitude that older people can afford to adopt, but like so many other things, it hits younger generations mercilessly hard.