I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.
Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution.
I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.
One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.
I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.
When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
I like this post. I was recently talking to a friend about using surveillance to improve recycling rates. The purpose of the discussion was not to advocate for more state-sponsored surveillance, but rather to imagine beneficial uses of surveillance. More to your point "more regulations is bad or less regulations is bad": Holy shit: Look at environmental protection laws. Consider the developed world in 1960 to today. The environment is night and day. It is so much cleaner and safer than ever. And, yes, most of those changes came about from regulations. I don't want to go back to a world where I come home from work in New York City and wipe my face clean in the mirror, and the tissue/towel comes away smudged with black & brown from soot in the air. (That is a true story that my mother told me from living in NYC in the 1970s.)
The challenge with regulation is that it's the result of those in charge of a power imbalance being able to decide what is "good" or "bad."
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
Unfortunately politics has become the religion of modernity.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.
>I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.
There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
> There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.
Try untangling the tracking code from the rest of the JavaScript code which is required for the sites to work - simply unrealistic.
The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kinds of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
> You can’t read news websites unless you accept all cookies or pay to read.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
> why are news organizations exempt from this rule in Europe?
In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.
Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.
More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
> The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job?
They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.
We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.
I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.
I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.
> But when we talk privacy and personal data there should be no gray zone.
It took me to move to Germany to figure that privacy is a spectrum, and I, despite being a crazy on privacy and security, actually don't want that much.
I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.
Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people security concerns.
Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on spectrum and is a trade off.
> I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
It sounds interesting but I'm not sure what it means. Could you clarify this?
Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).
Users can opt-out by not using the service or buying an ad-free version if available.
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.
I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.
FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”
They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.
Every regulation has some unforeseen consequences. Most of the time its impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.
> Every regulation has some unforeseen consequences.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time its impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.
You can do this trivially in modern browsers: private browsing.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
Private browsing is equivalent to creating an ephemeral browser profile every time. It might get rid of more browser storage, but for how tracking works nowadays, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.
IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.
Someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective".
Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can also easily change some settings to stop persistent cookies. You can install privacy extensions like Ghostery to block beacons. You can use features like iCloud Private Relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.
Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in this case ends up completely unprepared and unprotected.
Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.
If you want to use data that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask me. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO#s my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for weight loss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companies need to rot in hell, but that is my take. I want people to be protected. From business, from government. That is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.
Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.
Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have.
There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back.
The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bent the regulation requirements just enough without breaking them.
Why not accept and let cookie autodelete delete it after closing the site?
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
We had our underground parking and storage units broken into in apartment building. And we couldn't see the CCTV camera, to be on a lookout for the thief and call cops. Only cops could see it. Thieves have higher protection than your property.
The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
> sliding into a backwater in this space and an open air museum
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic power houses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.
This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.
Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.
A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.
Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.
Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.
no.
even including a font from a different host is not allowed under the GDPR because you are leaking the user's IP to that host.
you are poorly informed on this topic.
That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.
There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.
I very much doubt, that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was more challenged and brought in front of the courts. And not just wristslaps dished out. Such practices need to have business threatening punishments attached to them.
I'm sure that happens in some cases. But the EU is building a reputation for handing out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.
But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.
Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.
I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.
Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.
> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.
You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
I'm not understanding, as an European who's been part of multiple startups how's that supposed to boost growth.
There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
In fact the actors that most opposed those laws have always been non Europeans.
Sure, there is an attached cost in having your terms reviewed by a proper lawyer and documenting the entire list of cookie providers, but that's basically where it ends. It's really minimal effort and cost, we're talking in the low single digits for the review, and a few hours of engineering time.
The biggest issues in European growth are others:
- focus on being an export economy while neglecting the internal market.
- bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
- very conservative and risk-averse mentality. Young people in college can't wait to graduate and find the best paying lowest effort stable job. That's not a problem if it involves a majority of graduates, I imagine all world is like that, but you do have an immense problem if you have 1% or 3% or 10% of wannabe entrepreneurs.
I would go farther. Privacy laws seem like an excellent way to tighten the internal European market and develop homegrown competitors, which (one might argue) Europe really needs. If Europe is loosening up those laws, does that help Europe? Or does it help Meta and Google and Microsoft?
Europe has a shitload of homegrown competitors. The problem is that users here in Europe either go for a national service or for a US service. They don't look up what their EU neighbor has to offer. In fact, most don't bother translating their services to appeal to the entire EU market.
If you live in country X, you will only ever learn about services from country X or from the US. No one here knows what goes on in neighboring countries.
It's easy to think the EU is like the USA, but it's not, it is still separate sovereign countries with their own language and culture.
Secondly it forces European companies to all have a 'USP' for high privacy which is useful when selling abroad as well. Becoming a byword for privacy and therefore trust/security is absolutely not a bad thing and comes at very low cost.
Europe has a lot of problems that result in low ambition and growth, privacy law isn't one of them.
IMO the biggest barrier is internal mobility. The European silicon valley never happened, because people don't want to move around. The biggest single barrier is language. I'm Irish, and young Irish people often emigrate (way more than in other countries). When I look at where my college classmates ended up, it's mostly America or the UK. We also emigrate a lot to Australia and New Zealand. In other words, we only really emigrate to English speaking countries.
Almost nobody goes to France, Germany, Spain, Italy, etc. The mainstays of the European economy. Let alone central or eastern Europe. But if you're a young talented engineer in the middle of nowhere USA, you can just easily move to the Bay Area without any issue. That cultural unity IMO is America's biggest strength, and the lack of it is Europe's biggest weakness.
Note: I've lived in Ireland, the Czech Republic, and France, so I know first hand how hard it is to move inside Europe, and I understand why people don't do it.
> bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
I guess you have been part of software startups and you severely underestimate the bureaucracy that is involved in physical companies nowadays. Farmers, fishermen, factory-owners, and other small to medium size companies all have severe difficulties with ever increasing regulations. By itself the regulations are not always bad, but usually it takes way too long to get through the system which makes it hard to compete with, for example, China.
European starts with a vowel in spelling, but actually phonetically begins with a consonant, /j/, so it doesn't trigger the "an" thing.
Similarly some spellings start with a consonant but have vowels (like acronyms, "an SSRI", the name of the letter S, "ess", begins with a vowel)
More to the point I agree with what you're saying. This seems like lazy attribution of cause that is so common in American business and politics. "Of course deregulation will boost growth!" Why? Because of religious beliefs about deregulation boosting growth.
> European starts with a vowel in spelling, but actually phonetically begins with a consonant
Ah makes sense.
In my head it's never "you"ropean, but "ew" uropean as I'm not a native English speaker and phonetically it's a consonant in English only. In Greek, Slavic languages, German or Latin-derived it's always "ew".
Here's my take, as a Romanian developer (since 2004ish).
One day I got a letter from the national authority regarding personal data where I was asked to reply to 15 questions regarding a personal project of mine, invoking the GDPR. The sanction for not complying within 5 days was an incremental fine of 600 euros PER DAY, until I complied. This letter was directed to me as a natural person (not even my company).
Another story: I had a publishing website with some ads on it. The moment full GDPR went into effect, some years ago, revenue instantly dropped by 30% because the cookie banner I was using wasn't part of the approved European framework for cookie banners (they created an entire organization for this, called IAB). Most of the "approved" cookie banners are insanely overengineered nonsense and almost all of them cost a lot of money. And they kill your performance metrics. And when I finally gave in and implemented one of those, revenues dropped even more because I was losing readers who just quit without consenting at all.
Third and final anecdote: at one point I was contracted by a Romanian DTH television company who mostly operated with prepaid customers. According to GDPR, they were supposed to anonymize data they no longer needed, but because their clients were seasonal or less predictable, that turned out to be ridiculously hard. Their legal department, together with external contractors such as us ended up spending months to adjust their systems to conform to GDPR, and the result was their losing business and time, while being unable to properly serve older customers because they could no longer identify them.
So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit. On the contrary, the large companies could afford the legal counseling that they needed, but the smaller ones were hit hardest.
Did you consider running non-tracking ads? Of course not because even after the 30% drop, the spyware still pays more, right? But destroying websites with spyware is literally what the law is for - the people have voted to nuke your website from orbit.
> because the cookie banner I was using wasn't part of the approved European framework for cookie banners (they created an entire organization for this, called IAB)
It's in the name: IAB stands for Interactive Advertising Bureau. They couldn't give two shits about your site. All they care is about testing the limits of the law to get their hands on any and all user data.
> So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit.
Translation: shitty businesses made life of everyone harder on the internet and blamed regulations for their own behaviour. From IAB (and OneTrust and Admiral and other scummy greedy leeches') banners to idiots at companies who assume that data on their customers is no longer needed to ... provide services to those same customers.
Yes, it exposed a can of worms. Worms decided it's their god-given right to stay.
Sure but the laws are probably relevant for the startups you _haven’t_ been a part of. The ones that never got started.
It’s funny you mention a lack of entrepreneurial spirit but then dismiss something that’s clearly a factor (not saying it’s the main factor but obviously it has some effect).
I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
Of course it's easier to do a bad job of something or to give up and not do it. That has no bearing on whether or not doing it the right way is actually onerous.
Can you share the projects? In most cases it is very, very easy to comply with the "random laws" (not that GDPR is much different from California's CPRA. Are you blocking Californian users too?)
> I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
GDPR fines scale based on annual turnover so blocking EU users on a non-commercial product is utterly pointless and just being mean.
I think (I'm an American so take with a grain of salt) even the "proper lawyer reviewing terms" part can be deferred quite a while by being conservative with PII (which you should be doing anyway) and using a service like iubenda to deal with terms and cookie warnings when you first start out.
The biggest hurdle Europe has to face is the cultural shift away from the post-soviet era of "Don't take work too seriously, enjoy life".
There is now a full generation of Europeans who grew up with this mentality, looking down on Americans for their ridiculous work ethic and comparatively meager benefits.
But it's not sustainable, and the strain is already becoming obvious. Young Europeans will have to work longer and harder for less if they want to move Europe away from being totally dependent on American tech, American defense, and Chinese wares.
The data [0] begs to differ: in richer countries workers work fewer hours. The gap not shown here is working hours per capita (instead of worker), but I couldn’t find that data quickly.
Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
IMHO, the US and China’s hurry to expand into every possible corner is unsustainable. Unless we are actually trying to get ready to face an extraterrestrial threat, our endless effort to maximize our tech and become more and more efficient and profitable is unneeded and puts too much stress on earthlings, which is definitely not sustainable. Do you really believe that when we are able to pass production of almost anything to AI and robots and give generous UBI to each and every person, they will be happy and satisfied? It is a dead end, a loss of meaning that we are racing to reach ASAP.
Population collapse cannot be a good enough reason, either. Older people won't be happier if their servants are robots instead of climate migrants.
We could just, like, not give billionaires so much money, and there will be more left for everyone else.
Yeah, if we want to be the world superpower we have to work really hard. But we definitely won't get any of the benefits of being the world superpower - just like Americans don't already - all of it accrues to billionaires. And it'll make the rent really high. So why should we want that? Of course, we don't want anyone else to be a world superpower either, because kings/dictators/emperors are bad.
I know a friend who was building his first website, he asked in our startup group how to handle the GDPR cookie banner, it likely wasted 1 day on that, when he had invested maybe a whole other day on the project.
At that moment in time the GDPR cookie banner amounted to 50% of the effort.
It killed momentum, it killed willpower with bureaucracy.
He should have asked himself how to get users, not how to comply with GDPR for a website that in that moment had 0 users.
The problem was not the cookie banner, but rather that they were doing things that required user consent (most commonly: filling up the website with 3rd-party marketing tools).
You can have a website as big as GitHub without a cookie banner yet still be compliant.
I know from the inside it feels like nothing is wrong, but if you're looking at the EU as a whole from the outside, the economies there have been coming apart for many years. You could even say the wheels have already fallen off. 100% of the economic woes in the EU are conferred by EU membership, and the web of inefficient, bureaucratic laws therein. Geographically speaking, Europe is positioned, perfectly, to be an economic powerhouse. It is close to the Middle East where much of the energy comes from, close to Africa where energy and other resources come from, close to Asia where certain base materials and manufactured components come from, surrounded by oceans everywhere, the Mediterranean has more than 1/5 of the world's coastline, giving ample opportunity to develop commercial ports, etc. The only reason the economies of Europe are in trouble is because of the EU. That is the only reason. The EU is the singular one only single reason. The EU. That is the single reason.
Cookie banners are just one tiny example that illustrates how death from 1000 cuts is a real thing. In the case of cookie banners, you could say it's death from 100 cuts, because, if you live in the EU, you spend probably one percent of your entire life clicking cookie banners. 7.2 minutes a day is all it takes to waste one percent of your productive life (assuming 12 hours of useful time per day). You might scoff at this, "I probably spend 10 seconds", but I spend probably a minute or more dealing with broken cookie banner garbage every day and I am an American. Just from American websites complying with GDPR nonsense, we have to waste some small portion of our lives here as well. Stupid laws written by stupider bureaucrats ruin everything for everyone. This is the description of an idiot by Dostoyevsky, somebody who does things that harm themselves and others.
It's pure ideology that "cutting red tape" will lead to growth. Unfortunately I don't think there's much to understand, perhaps beyond the US giving the EU some kind of kickback for complying.
My hot take is that this is a signal for Trump. We play nice with you, you play nice with us.
Big tech is well connected to the current US administration so if the EU were to make these changes, then they will appease big tech (a little bit) and therefore by extension Trump.
I (like you) don't think that these regulations are the reason the EU doesn't have home grown hyper-scalers a la AWS or GCP or Azure.
I think the EU just fell asleep at the wheel for too long. It basically outsourced its defense to NATO, its tech needs to the US and its manufacturing to China and for a while it worked perfectly.
However the world is changing and the EU is simply in my opinion not up to the task. It's too slow, bureaucratic and messy to be able to adapt rapidly and it lacks the vision necessary to remedy its weaknesses.
1. We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
2. Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
3. I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters:
I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
4. EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
5. There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
> There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We will be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
As a hacker, I don't care about cookies or what the EU thinks about them. Disable them if you really care. Or at least use a browser that blocks 3P cookies (not Chrome).
True that. I went to a building in SF that dedicated floor space to every adjacent field like robotics, AI, crypto, etc. Zero hacking or even cyber related space.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also weirdly (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetorics that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alley way we once had.
Some of that is attributable to raw inflow/outflow differences, where newer cohorts are bigger and therefore the blend would shift even if no oldsters ever left.
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much more left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
> a larger proportion of "chancers", people who are only in tech to "get rich quick"
your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago here's a link (many on HN complain that this is NSFW https://cdn.jwz.org/images/2024/hn.png since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message)
the thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
This is such a laughable comment. Being in favour of a regulation - any regulation - is not part of the "hacker spirit". A hacker qua a hacker is interested in a regulation insofar as they can work around it, or exploit it to their ends, not to put one in place to directly achieve something. That's not to say all regulations are bad, or even that the GDPR is, just that HN being for or against it isn't proof of some demographic shift.
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
Facebook is filled with billions of people I have no reason to speak to, ergo its network effects for me are zero, and its value to me is zero. Other services have similar zero or negative value, and hence I don't use them either. As much as some around here would like to believe that network effects are a moat that effectively allow social media to be immortal, experience has shown that not to be the case. Facebook is dying a slow, lingering death. It is not the place you go to find trendsetters and people of import, but, at best, to go check up on grandma. Facebook will die when grandma finally kicks the bucket and there isn't anyone to replace her because they're all on Discord.
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didn't the judge rule literally yesterday that this wasn't illegal? This was one of Lina Khan's signature lawsuits, and the judge didn't agree with even a single one of FTC's arguments.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that people who are temporarily embarrassed monopolists have these views.
I'm a hacker type and generally extremely (left) libertarian. But when it comes to megacorps, I have basically zero sympathy. When they are big enough to rival nation-states in economic and political power, they can't complain when said nation-states start to notice.
(I would still prefer the world without either, though.)
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views is not equal - in the sense that there isn't an equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
> What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. TikTok took off with ByteDance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
The 180 does not surprise me at all. GDPR and associated laws are a perfect example of the old 'Good intentions, unintended consequences'-pattern we see in laws all the time.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - an European - from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufacturers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time even Brussels remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
Well yeah, the GDPR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
I think it's ridiculous to say GDPR did "jack shit". I now have the ability to withdraw consent for tracking/marketing cookies on every major company's website I visit. An option that was near non-existent before GDPR.
The thing is that it didn't work for that objective. It didn't seem to have any meaningful impact at all on the Metas and Googles out there. They control the user base and people depend on their products, it was trivial for them to get full consent like they've always done with their Terms & Conditions.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
Oh, but you see, this can impossibly be interpreted as not consenting to our specific tracking. Surely users mostly clicked this accidentally. I mean why would they block our tracking? It's all for a better user experience... /s
_Company goes on to put tutorial about disabling the do-not-track header on their website._
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rile people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would actually not need any banners at all.
The issue was the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with a third party. The rules are simple yet the ways people bend them are very creative.
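The client-side preference cookie described in the comment above, sketched as an added example that is not part of the original post: the cookie holds only a theme and a font size, and the value is validated before use because anything in `document.cookie` can be edited by the user or by another script. The cookie name, the size limits and all function names are assumptions.

```javascript
// Added example (not from the thread). A preferences-only cookie:
// no user id, no timestamps, nothing that distinguishes one visitor from another.
const COOKIE_NAME = "reader_prefs"; // hypothetical cookie name
const THEMES = new Set(["dark", "bright"]); // allowlist of accepted themes
const DEFAULTS = Object.freeze({ theme: "bright", fontSize: 16 });
const FONT_MIN = 12; // assumed limits, in px
const FONT_MAX = 32;

// Reduce arbitrary input to a known-safe preferences object.
// Unknown keys are dropped, unknown themes fall back to the default,
// and the font size is clamped so a tampered cookie cannot break the layout.
function sanitizePrefs(raw) {
  const out = { ...DEFAULTS };
  if (raw && typeof raw === "object") {
    if (typeof raw.theme === "string" && THEMES.has(raw.theme)) {
      out.theme = raw.theme;
    }
    if (Number.isInteger(raw.fontSize)) {
      out.fontSize = Math.min(FONT_MAX, Math.max(FONT_MIN, raw.fontSize));
    }
  }
  return out;
}

// Build the string to assign to document.cookie.
// Path=/ covers the whole site, SameSite=Lax keeps it off cross-site subrequests,
// Secure restricts it to HTTPS, Max-Age is one year.
function buildPrefsCookie(prefs) {
  const value = encodeURIComponent(JSON.stringify(sanitizePrefs(prefs)));
  return `${COOKIE_NAME}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Read the preferences back from a cookie string such as document.cookie.
// Any malformed or missing value yields the defaults instead of throwing.
function parsePrefs(cookieString) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    try {
      const decoded = decodeURIComponent(part.slice(eq + 1).trim());
      return sanitizePrefs(JSON.parse(decoded));
    } catch {
      return { ...DEFAULTS };
    }
  }
  return { ...DEFAULTS };
}

// Apply validated preferences to the page. Only allowlisted strings and a
// clamped integer reach the DOM, so the cookie cannot inject markup or CSS.
function applyPrefs(doc, prefs) {
  doc.documentElement.dataset.theme = prefs.theme;
  doc.documentElement.style.fontSize = `${prefs.fontSize}px`;
}

// In a browser, apply the stored preferences on load.
if (typeof document !== "undefined") {
  applyPrefs(document, parsePrefs(document.cookie));
}
```
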
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
I'm convinced there's a psyop on this site when it comes to GDPR, and I'm only half-joking. If people would bother to read those intrusive banners, they'd notice that their info is being harvested and shared with hundreds, even thousands of "partners". In what universe is this something we should be okay with? Why exactly does some random ecommerce site need to harvest my data and share it with a bajillion "partners" of theirs? Why are we okay with that?
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
I don't get why people conclude from the cookie hell that "regulations are bad". If those goddamn websites got actual fines for those dark patterns, they wouldn't do it. The EU should just be stricter with the regulations.
Any website can have a button to reject all cookies. Or if you use only functional cookies, you don't even need it! Websites could come together to make it a standard and enable a browser option to avoid bugging you.
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
I'm not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.
I believe the point was the exact opposite: the regulation isn't enforced, which creates these absurd opt-out dialogue trees. If it were to be enforced fully, then anyone without a "reject all" button would be slapped with fines. Maybe even anyone who doesn't abide by the do not track/global privacy control headers.
Again, because those entities ("EU", "governments") are made of many people. It's not one guy who says "this should be illegal, but I will put it on my website too".
Too late, and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business.
> This will probably lead to a series of committees about how to scale back the laws [...]
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for others' benefit, with no or marginal benefit for me in the overwhelming majority of cases.
If startups cannot do it properly, then they should not do it at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most just go bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people; people are increasingly reluctant to share because of so much abuse and actual damage caused by abused personal data.
Sure and that's why EU now has the weakest tech sector of any service industry and have become absolutely dependent on US and Chinese software instead.
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
Most are running ads and need to track the performance of their ad spend I believe, at least that's what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
Probably using off-the-shelf analytics because rolling your own analytics takes time away from solving the central problems your users are paying you for. No one is _using_ the data. It's often not even really PII except that GDPR's net is incredibly broad.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
https://en.wikipedia.org/wiki/Control_theory
This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!
When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.
Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.
People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:
Bureaucracy is how it works
That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.
Of course the meaning drifted with the times, but it still means that
First definition here https://dictionary.cambridge.org/dictionary/english/bureaucr...
Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.
On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.
Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.
For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.
you didn't really say anything
They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.
Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.
try untangling the tracking code from the rest of the javascript code which is required for the sites to work - simply unrealistic.
> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.
Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.
You have the immense power of denying them access to your money, which turns out is a very compelling argument :)
Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?
It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.
You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.
What they seem to be exempt from is getting consent if they require the data for journalistic purposes.
IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.
ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.
In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.
Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.
Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.
Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):
- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.
- Social media has to ban Australians under 16... but only if they make more than a billion per annum.
That's actually part of these changes. It's mentioned in the linked article about halfway down.
GitHub doesn't have a cookie banner: https://github.blog/news-insights/company-news/no-cookie-for...
That said, looks like what you asked is happening: https://www.macrumors.com/2025/11/19/europe-gdpr-cookie-chan...
It took me to move to Germany to figure that privacy is a spectrum, and I, despite being a crazy on privacy and security, actually don't want that much.
I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.
My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.
Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people's security concerns.
Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on a spectrum and is a trade off.
It sounds interesting but I'm not sure what it means. Could you clarify this?
Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).
https://www.bbc.co.uk/news/articles/c8jm3wxvlkjo
One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.
What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.
The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.
So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).
What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.
Well yeah, cause your sentence relies on itself.
_Too many_ regulations is a bad thing.
But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.
This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.
> Most of the time its impacts are worse than the effect we wanted to regulate from the start.
Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.
I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.
The one that Google keeps tracking? https://www.tomsguide.com/news/going-incognito-in-chrome-doe...
Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.
--- start quote ---
Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."
--- end quote ---
It's important to realize companies are made of people.
Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?
That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.
But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.
Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.
ISPs used to provide email addresses for people, and it was part of the cost.
That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.
If you want to use data that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...
If you want to do that, just ask me. And explain in clearly understandable words, what you do and why. That is just human decency.
Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO's my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for weight loss onto her since she was an early teen...
So no -> Those companies need to be highly regulated. To me, those companies need to rot in hell, but that is my take. I want people to be protected. From business, from government. That is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.
At which point it also counts as PII and is subject to the GDPR rules.
Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.
https://adnauseam.io/
Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.
Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.
[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.
Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.
That's exactly why things are the way they are.
The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU
Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.
In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.
You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.
Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.
The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.
However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.
Thanks Google.
You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.
Chat control is stupid.
There's literally 0 startups I've been part of where data protection laws or even the infamous cookie banners have been anywhere near relevant (unless your business was literally profiling).
In fact the actors that most opposed those laws have always been non Europeans.
Sure, there is an attached cost in having your terms reviewed by a proper lawyer and documenting the entire list of cookie providers, but that's basically where it ends. It's really minimal effort and cost, we're talking in the low single digits for the review, and a few hours of engineering time.
The biggest issues in European growth are others:
- focus on being an export economy while neglecting the internal market.
- bureaucracy to fight at European level so we still don't have a real unified market, neither in physical goods (our economy's backbone) nor services which doesn't allow national startups to scale at European level
- very conservative and risk-averse mentality. Young people in college can't wait to graduate and find the best paying lowest effort stable job. That's not a problem if it involves a majority of graduates, I imagine all world is like that, but you do have an immense problem if you have 1% or 3% or 10% of wannabe entrepreneurs.
If you live in country X, you will only ever learn about services from country X or from the US. No one here knows what goes on in neighboring countries.
It's easy to think the EU is like the USA, but it's not, it is still separate sovereign countries with their own language and culture.
Europe has a lot of problems that result in low ambition and growth, privacy law isn't one of them.
Almost nobody goes to France, Germany, Spain, Italy, etc. The mainstays of the European economy. Let alone central or eastern Europe. But if you're a young talented engineer in the middle of nowhere USA, you can just easily move to the bay area without any issue. That cultural unity IMO is America's biggest strength, and the lack of it is Europe's biggest weakness.
Note: I've lived in Ireland, the Czech Republic, and France, so I know first hand how hard it is to move inside Europe, and I understand why people don't do it.
I guess you have been part of software startups and you severely underestimate the bureaucracy that is involved in physical companies nowadays. Farmers, fishermen, factory-owners, and other small to medium size companies all have severe difficulties with ever increasing regulations. By itself the regulations are not always bad, but usually it takes way too long to get through the system which makes it hard to compete with, for example, China.
What exactly is Europe competing against China on? Isn't Europe's competition the US?
European starts with a vowel in spelling, but actually phonetically begins with a consonant, /j/, so it doesn't trigger the "an" thing.
Similarly some spellings start with a consonant but have vowels (like acronyms, "an SSRI", the name of the letter S, "ess", begins with a vowel)
More to the point I agree with what you're saying. This seems like lazy attribution of cause that is so common in American business and politics. "Of course deregulation will boost growth!" Why? Because of religious beliefs about deregulation boosting growth.
Ah makes sense.
In my head it's never "you"ropean, but "ew" uropean as I'm not a native English speaker and phonetically it's a consonant in English only. In Greek, Slavic languages, German or Latin-derived it's always "ew".
OP already mentioned in his area it's phonetically mostly "ew".
I'd say a lot of Germanic areas also do something I'd describe as "oi". That'd also make one inclined to use an "an" when speaking.
This decision is in response to lobbying from these actors (and their new friend in the White House). It is not supposed to benefit you.
One day I got a letter from the national authority regarding personal data where I was asked to reply to 15 questions regarding a personal project of mine, invoking the GDPR. The sanction for not complying within 5 days was an incremental fine of 600 euros PER DAY, until I complied. This letter was directed to me as a natural person (not even my company).
Another story: I had a publishing website with some ads on it. The moment full GDPR went into effect, some years ago, revenue instantly dropped by 30% because the cookie banner I was using wasn't part of the approved European framework for cookie banners (they created an entire organization for this, called IAB). Most of the "approved" cookie banners are insanely overengineered nonsense and almost all of them cost a lot of money. And they kill your performance metrics. And when I finally gave in and implemented one of those, revenues dropped even more because I was losing readers who just quit without consenting at all.
Third and final anecdote: at one point I was contracted by a Romanian DTH television company who mostly operated with prepaid customers. According to GDPR, they were supposed to anonymize data they no longer needed, but because their clients were seasonal or less predictable, that turned out to be ridiculously hard. Their legal department, together with external contractors such as us ended up spending months to adjust their systems to conform to GDPR, and the result was their losing business and time, while being unable to properly serve older customers because they could no longer identify them.
So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit. On the contrary, the large companies could afford the legal counseling that they needed, but the smaller ones were hit hardest.
There's your mistake. It's not approved. The EU literally sued them for coming up with the bullshit banner: https://www.euractiv.com/news/top-eu-court-finds-widely-empl...
It's in the name: IAB stands for Interactive Advertising Bureau. They couldn't give two shits about your site. All they care about is testing the limits of the law to get their hands on any and all user data.
Their banners originally were explicitly illegal: https://noyb.eu/en/where-did-all-reject-buttons-come (this describes mostly OneTrust banners, but IAB's banners were the same) and https://noyb.eu/en/say-no-cookies-yet-see-your-privacy-crumb... (IAB's banner turned your "no to tracking" into "yes to tracking")
> So in my opinion, despite originally being well intended, GDPR opened a huge can of worms, created a lot of issues and made everyone's life harder on the internet, for no real benefit.
Translation: shitty businesses made life of everyone harder on the internet and blamed regulations for their own behaviour. From IAB (and OneTrust and Admiral and other scummy greedy leeches') banners to idiots at companies who assume that data on their customers is no longer needed to ... provide services to those same customers.
Yes, it exposed a can of worms. Worms decided it's their god-given right to stay.
It’s funny you mention a lack of entrepreneurial spirit but then dismiss something that’s clearly a factor (not saying it’s the main factor but obviously it has some effect).
I have some side projects that I don’t really care about making money from but some people do use and it’s easier for me to just block all European users than worry about complying with all the random laws and regulations.
Making it harder for foreign companies to compete is actually great for European startups, though
GDPR fines scale based on annual turnover so blocking EU users on a non-commercial product is utterly pointless and just being mean.
There is now a full generation of Europeans who grew up with this mentality, looking down on Americans for their ridiculous work ethic and comparatively meager benefits.
But it's not sustainable, and the strain is already becoming obvious. Young Europeans will have to work longer and harder for less if they want to move Europe away from being totally dependent on American tech, American defense, and Chinese wares.
Also, even if your claim were true, I wonder if joining the rat race of working harder is worth it.
[0] https://ourworldindata.org/rich-poor-working-hours
Population collapse cannot be a good enough reason, either. Older people won't be happier if their servants are robots instead of climate migrants.
Yeah, if we want to be the world superpower we have to work really hard. But we definitely won't get any of the benefits of being the world superpower - just like Americans don't already - all of it accrues to billionaires. And it'll make the rent really high. So why should we want that? Of course, we don't want anyone else to be a world superpower either, because kings/dictators/emperors are bad.
You can have a website as big as GitHub without a cookie banner yet still be compliant.
Cookie banners are just one tiny example that illustrates how death from 1000 cuts is a real thing. In the case of cookie banners, you could say it's death from 100 cuts, because, if you live in the EU, you spend probably one percent of your entire life clicking cookie banners. 7.2 minutes a day is all it takes to waste one percent of your productive life (assuming 12 hours of useful time per day). You might scoff at this, "I probably spend 10 seconds", but I spend probably a minute or more dealing with broken cookie banner garbage every day and I am an American. Just from American websites complying with GDPR nonsense, we have to waste some small portion of our lives here as well. Stupid laws written by stupider bureaucrats ruin everything for everyone. This is the description of an idiot by Dostoyevsky, somebody who does things that harm themselves and others.
My hot take is that this is a signal for Trump. We play nice with you, you play nice with us.
Big tech is well connected to the current US administration so if the EU were to make these changes, then they will appease big tech (a little bit) and therefore by extension Trump.
I (like you) don't think that these regulations are the reason the EU doesn't have home grown hyper-scalers a la AWS or GCP or Azure.
I think the EU just fell asleep at the wheel for too long. It basically outsourced its defense to NATO, its tech needs to the US and its manufacturing to China and for a while it worked perfectly.
However the world is changing and the EU is simply in my opinion not up to the task. It's too slow, bureaucratic and messy to be able to adapt rapidly and it lacks the vision necessary to remedy its weaknesses.
1. We really have no realistic threat on our borders. Russia can't even cope with Ukraine alone in conventional warfare. Who do we have to defend from? And there are way bigger militaries than Ukraine in EU alone, let alone as a coalition, such as Poland.
2. Would like to remind you that article 5 has only been invoked by US and we lost many lives on something that wasn't even relevant to us, let alone the other wars in Africa or Central Asia that we joined. So far, it's been Italian and Polish blood falling to comply with our North American ally, it hasn't been the opposite case for decades.
3. I think the European commission is simply corrupted, and when it comes to this data stuff, please notice how many dozens of times Thorn and Palantir and many other US security companies have lobbied EU commission members, and those are just the registered meetings, you don't need to record phone calls or out-of-office encounters:
https://transparency-register.europa.eu/search-register-or-u...
I'm quite convinced Ursula von der Leyen is corrupt and is selling out Europe and keeps engaging in anti European policies.
4. EU would be fine, if it was able to pursue a coherent foreign policy. Instead you have 20+ countries where the occasional Hungary can veto anything. It should be given more power on many fronts. We shouldn't have 20+ privacy agencies, 20+ ways to register a company, 20+ different legislations on this and that.
5. There are politicians with the right vision, such as Macron, but most politicians have to live election by election, so it's very hard to pursue long term strategies. To be fair though, US is showing the same symptoms with one executive undoing what the previous has done from a bit.
That's kind of the point...
Even extreme proponents of big tech villainy in the US (Lina Khan's FTC) are also facing losses (they just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the entrepreneur / hacker types on this site.
Doesn't that describe SV in general, and big tech in particular?
Corporations and governments are locking computers down. Secure boot. Hardware remote attestation. Think you can have control by installing your own software? Your device is now banned from everything. We will be ostracized from digital society. Marginalized. Reduced to second class citizens, if that.
Everything the word "hacker" ever stood for is being destroyed. I predict one day we'll need licenses to program computers.
It's gotten to the point sacrificing ideals for money has started to make sense for me. The future is too bleak. Might as well try to get rich.
https://en.wikipedia.org/wiki/Eternal_September
It made me feel kinda sad for a few days.
I’ve said it before, but the cynicism and weirdness that used to exist here has been gobbled up by a new wave of early stage tech evangelists who are just here to complain about ladders and levels.
It’s honestly been depressing to watch lots of good comments and posts go unnoticed, while the bait comments get all the engagement.
There’s also a weird (ok, maybe not that weird) amount of casual hate on here now. It’s subtle, but I’ve been seeing a lot of negative karma and rhetorics that never used to exist here. I suppose it’s just “the internet” these days, but I’d wager HN has just grown too much outside the bubble it once was, and now we have a wide open door with lights vs the tiny alleyway we once had.
Your complaint was Unassailable Hacker® jwz's complaint about HN more than 10 years ago. Here's a link (many on HN complain that this is NSFW): https://cdn.jwz.org/images/2024/hn.png Since there are rarely complaints here that anything else is NSFW, I'd suggest people feel insulted by the message.
The thing that has actually changed since jwz's disgust is the site is now flooded by socialism, the antithesis of get-rich enthusiasm.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Their track record is pretty good.
(I would still prefer the world without either, though.)
Why? Is META relevant only on merit?
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
It might surprise you, but success is not always rooted in having done great things for the world
Me too. But losing on merit requires an (at least somewhat) fair marketplace.
I honestly don’t get why so many people jump to the whole "we need the government to save us or we’re doomed" argument. To me, it's simple: put your money where your mouth is. I can’t stand Meta, so I just don’t use their products.
Some industries naturally tend towards monopolies. In social networks, this effect is very strong.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
The results of the GDPR (and the unrelated Cookie Directive) on my everyday professional life are what made me - an European - from a flag-waving European-Unity-proponent to a heavy critic that dreams of a Dexit. And I know I am not the only one - public opinion is shifting - some because of cookie banners, some because of driving licenses, some because manufacturers have started to neuter their devices when sold to Europe, taking away features available everywhere else in the world, some because of the ridiculous VAT reporting regime that hits European businesses once they hit a 100k gross income mark, some for yet other reasons. And now they are trying hard to get the de-minimis-rule taken away, increasing trouble and cost for anyone who does cross-eu-border trading.
It's only been a matter of time even Brussels remembered that ultimately, their throne is built on sand, and that Europe has a history of getting rid of unreasonable leadership.
At the same time, it was a heavy burden for data-oriented EU startups like mine. I've spent a few hundred hours dealing with GDPR, it felt like it was designed to stick it to the big companies without any thought on how it would affect the rest.
And it's been a low-level but ever present friction for users.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
Even worse, bought WhatsApp.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
[2] https://wikileaks.org/podesta-emails/emailid/8190
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
Finally!
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
Even EU government websites had annoying giant cookie banners.
Yet, somehow the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners"?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
The issue was the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.
I hate that the psychotic data harvesting assholes behind all these dark patterns emerged victorious by just straight up lying to people and deluding them into thinking GDPR was the issue, and not them and their shitty dark pattern banners
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids' phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
It was on its way to get implemented and then Microsoft enabled it by default in IE10, so not making it the choice of a human, and ruined it for everyone.
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
Guess what: they didn't want that, and some prefer to make cookie banners which are really obnoxious.
I'm all up for incentives for better websites, and penalties for shit ones.
Complaining about regulations as a concept is usually about forgetting those that work and seeing exclusively those that annoy you.
> [...] which will create new rules which will be put in place [...]
> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past
As intended by design.
I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:
1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.
2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.
0. https://news.ycombinator.com/item?id=45970663
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
People are important, not the startups!
I cannot even use my official government ID application that is mandatory almost everywhere without signing on to Google or Apple, so much for data privacy and sovereignty.
We tried to get rid of any tracking banners but have been unable to do so.
I have not seen GDPR reduce the amount of data people track. It's just resulted in piles of cash being burned on lawyers' advice to make sure the company has as little GDPR-related liability as possible. Subprocessor agreements, updated Terms and Conditions, etc.
Some good has come out of it, such as less backup retention, and some basic data breach plans, but a lot of it is theater.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so it's harder to find plumbers to show your ads to. Fewer plumbers get to use your product as a result. So it's just one reason it's hard to get your EU based Plumbing SaaS off the ground.