I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
Too late , and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, and usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
Its not just cookies and websites, its any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear(as it operates on intent). Tax laws are clear, but not smart(as the interpretation is literate and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for europe. I don't see anything about GDPR that would harm innovation or long-term success for europe.
> I don't see anything about GDPR that would harm innovation or long-term success for europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client ai push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much mored left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular(VR, Autonomous Driving, LLM) and people are first to be luddites come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lays on personal data collection, the company's track record, or just what the product actually gives us: and endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tanginble benefit the personal computer, or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didnt the judge rule literally yesterday that this wasnt illegal. This was one of Lina Khan's signature lawsuits, and judge didnt agree even a single one of FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power dont want any monopoly laws, then there wont be any monopoly laws.
Nothing's been official published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views are not equal - in the sense that there isnt equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
Well yeah, the GPDR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways
to keep business as usual while 'complying' with the law.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
I dont think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that its not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make theme illegal. Simply operating as normal plus new GDPR compliance clearly isnt malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesnt matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
Again, then why does the EU do this? Clearly its not simply about erroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
The article's 2nd sentence said intense pressure from industry and the US government.
> Besides, you seem to be confusing something.
No. You asked How can you comply with the current requirements without cookie banners? Not How can you have trackers and comply with the current requirements without cookie banners? And don't use dark patterns would have answered this question as well.
>No. You asked How can you comply with the current requirements without cookie banners?
Within the context of the discussion of if its malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site onto itself is a first party tracker, but if your developers can't do it there are opensource solutions available to host.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when i close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rule people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would not actually not need any banners at all.
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who could just pay the fines and go ahead with violating everyone's privacy.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason of "law enforcement is just weak" that you bring up just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all), check steam store for example their banner is non intrusive and you can clearly reject or accept all in one click.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
You can't build large ML models without swaths of data, and GDPR is the antitheses of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
Most are running ads and needs to track the performance of their ad spend I believe, at least that what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so its harder to find plumbers to show your ads to. Less plumbers get to use your product as a result. So its just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
He actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem woth mandating truth in advertising.
The news feels bittersweet. With 10+ of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
From Europe, I agree with big tech getting it. But i dont agree with random flower shop somewhere getting fined because they dont know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also dont agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you dont provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result
Its a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything
'Cause the corridors of power, they're an ocean away"
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDRP
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
This is infuriating. Running a startup myself, I don't have GDPR banners on my website, nor do I engage with any of the red tape associated with storing GDPR-regulated data. Why? Despite the flagrant misinformation being sown, GDPR doesn't apply for normal, useful-to-developers data collection. It is perfectly fine to use functional cookies like session storage and collect basic anonymous telemetry about how your site is being used, so long as there is absolutely nothing that ties it to a specific individual. Like the vast majority of businesses, I don't handle payment processing myself, so I have no need for any identifying information to ever grace my database.
> The GDPR is concerned with the following types of data:
> Personal data: If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, and IP address. The GDPR considers even encoded information (also known as "pseudonymous" information) to be personal data. If the encoded data can be linked to an individual, the data is considered personal, regardless of how obscure or technical the data is.
> Sensitive personal data: This data adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.
So when articles like this say "regulations are strangling small businesses", they aren't talking about the cost of compliance with unnecessary overhead, nor about being "forced" to have an unnecessary cookie banner. They're talking about being required to get consent before collecting and selling your personally identifying information. That is the regulation that's "strangling" them, and what they're aiming to change. If you don't engage in that behaviour, your small business probably isn't regulated by the GDPR in the first place. If it so happens that your business does have a legitimate purpose for collecting personal data, there are already exemptions in the GDPR from some of the red tape around it for small businesses.
It is particularly frustrating to see this proposed change coming after the EU finally started cracking down on consent banner abuse in court this year. It is now being legally enforced that, if you do have a consent banner, you must have a "reject" button that is equally as prominent as the accept button, not hidden away in a sub-menu. There are still many sites that aren't compliant, but this has been a markedly huge improvement to the web experience. It was disastrously long overdue, and that was a failure on the EU's part, but it vexes me to see people frustrated with consent banners cheering on the death of GDPR to automate data collection without consent when the actual solution was simply for the existing law to be enforced properly.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the Eu courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.
Too late , and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business
Protecting users in the bargains we strike with big tech is a worthwhile and noble effort, but privacy law has generally woefully failed to do this.
Millions upon millions have been spent on cookie banners -- people are still arguing about them in this thread -- but there is almost zero benefit to this expense.
The main thing that's good about this, IMO, is that fundamentally training a large language model and privacy law as it's written today cannot coexist. They are incompatible. And allowing someone to break the law forever (as is happening today) is not a good long-term solution.
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
So “smart rules” only means “more rules”?
Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, and usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.
But uncertainty in compliance and time spent navigating compliance is nearly pure waste.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.
Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”
Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.
I always felt applying the same rules to everyone was a big problem with GDPR.
Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.
Its not just cookies and websites, its any personal information stored electronically.
I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).
I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.
Browser level consent primitives would be a significant improvement on the status quo.
Do Not Track was a spectacular failure.
You can still turn cookies off in your user agent though.
It was a spectacular failure because the people who thought of it didn't stick to it.
Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear(as it operates on intent). Tax laws are clear, but not smart(as the interpretation is literate and there are multiple loopholes).
This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.
I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.
Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.
AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.
It's just… lazy. “Slap AI on it”-level policy. Ugh.
Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for europe. I don't see anything about GDPR that would harm innovation or long-term success for europe.
> I don't see anything about GDPR that would harm innovation or long-term success for europe.
It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.
There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.
You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.
> clearer safe harbors for small actors
Different rules for different people huh?
Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.
Not different rules for different people.
You would be subject to one rule for your small company and another rule as it grows.
This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.
This is different for different people said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.
A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.
Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.
Corporations are not people. This is not different rules for different people.
In the traditionally implied sense of different rules for different social classes.
Because quantity is a quality of its own.
Because their conditions and abilities are different.
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.
For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.
Such ideas often have regressive effects.
However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.
Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)
Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
>Different rules for different people huh?
That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.
> Different rules for different people huh?
Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.
I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.
But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.
I wish you were right though.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner
But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?
Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
It could, however, be good policy independent of personal preference.
I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.
Why did you use an LLM to write a comment?
What makes you think it's LLM generated?
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
colons and directional quotation marks scare folks who don't know how to use them properly
The double quotes perhaps?
Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).
Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site
There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.
Hackers should know the government is never on your side.
> Hackers should know the government is never on your side
Never is naive. Hackers should understand governments are complex, dynamic and occasionally chaotic systems. Those systems can be influenced and sometimes controlled by various means. And those levers are generally available to anyone with a modicum of intelligence and motivation.
In addition, hackers should know government is inevitable. Even in anarchy, governments spontaneously begin to form.
If I am not mistaken, the anarchist school of thought is okay with governance and even governments, but not with the concept of the state - an entity that exists to enforce governance with violence. For example, https://en.wikipedia.org/wiki/Anarchy,_State,_and_Utopia
I’m not 100% sure though.
edit - a (vs. the) school of thought is more accurate.
That may be one of them, but there isn't a singular anarchist school of thought.
> there isn't a singular anarchist school of thought
Would be oxymoronic if there were one.
Isn’t that like saying there must be as many universes as theoretical physicists can think up? Slight maybe but it could also just be one.
The ideal of self-governance as opposed to alienated state or institutional governance is quite common in anarchist thought. Some would probably consider it foundational for the tendency.
I think of anarchy as a theoretical end state, where power is perfectly distributed among each individual, but that this is less of an actually achievable condition and more of a direction to head in (and away from monarchy, where power is completely centralized).
Nozick's libertarianism is not really an anarchist school of thought.
Yep. The FBI swings from lawful good to lawful evil on a case by case basis. Trusting them is dangerous, but a world where they can be ignored is more dangerous.
"Hackers should understand governments are complex, dynamic and occasionally chaotic systems"
No. Hackers should understand that government is force. This is the definition of government.
And force is the antithesis of the hacker ethos.
No, the naive position is to assume that the state is on your side because you occasionally gain something from it.
That is an absolute nonsense.
At minimum, government will be useful as defence against worse government.
I know that some anarchist had dream of a stateless world, but it is not viable.
And while I am not going to say that any government is ideal, many are better than USSR, Third Reich or Cambodia under Pol Pot.
A hacker should probably know that it's usually trade offs and blanket statements are very useless. Certain tools are good for certain tasks and situations, but bad for others. No free lunch and all that.
If you make that blanket statement, you're definitely not a hacker (or just a novice). But you'd make a heck of a politician or tech bro salesman
Growth hackers aim for regulatory capture.
Neither are the billionaires and their deputies who both own and run all the megacorps.
99% of the current AI push is entirely anti-hacker ethos. It is a race to consolidate control of the world's computing and its economic surplus to ~5 organizations.
A few people do interesting stuff on the edges of this, but the rest of the work in it is anathema to hacker values.
The client ai push has also enabled people to run local llama models and build products without those companies. Presumably there'll be more of this to come
The truly "eternal" September.
https://en.wikipedia.org/wiki/Eternal_September
I don't know if it's a changing of the audience or a change in how people behave generally, but this place has been insufferable lately whenever anything remotely related to Donald Trump's administration comes up.
One of the things that made this place special relative to other online communities is the ethos to interrogate through a lens of curiosity. Now, there's a lot of vitriol that's indistinguishable from any other comment section.
Yeah I still remember my first interaction with a supporter back in 2016. It was startling, and the first hint I had that politics was about to shift abruptly.
It’s a difference in values. To some, the ends justify the means and human life has no inherent value and the world is zero sum, and to some, a lying malignant narcissist deciding who lives and who dies is a personification of evil.
To some people, it’s literally a choice between that “lens of curiosity” and their families lives. But people for whom politics has never directly impacted them past a few % up or down in their paychecks can’t understand that, or feel safe in the idea that “they won’t come for me”.
The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
> There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.
That "AI slop replies" excuse you mentioned would only apply to the past 3 years at most (aka ChatGPT 3.5 release on Nov 30th 2022). While the grandparent comment's take felt true to my perception for at least the past 10-15 years, way before "AI slop replies" were even a remote concern.
Am I the victim of the algorithm? Because all I see on HN these days is people pessimistic about tech and society. The tenor here is overwhelmingly negative.
Where are you seeing anyone defend big tech, tech bros, or any tech in general?
In the last few years I think sentiment on hacker news has shifted from libertarian leaning to much mored left leaning. The same happened on Reddit a few years before. Anyway, just my gut feeling, nothing scientific.
Keen observation both you and OP. We've gone from a sense of techno optimism to tech blaming.
Valid criticism is OK (I stand by crypto being a scam) but bring up any topic that is neutral to popular(VR, Autonomous Driving, LLM) and people are first to be luddites come out.
> We've gone from a sense of techno optimism to tech blaming.
IMO this is simply because the tech industry isn't what it was 20+ years ago. We didn't have the monopolistic mammoths we have today, such ruthless focus on profiteering, or key figures so disconnected from the layperson.
People hated on Microsoft and they were taken to court for practices that nowadays seem to be commonplace with any of the other big tech companies. A future where everyone has a personal computer was exciting and seemed strictly beneficial; but with time these "futures" the tech industry wants us to imagine have just gotten either less credible, or more dystopic.
A future where everyone is on Facebook for example sounds dystopic, knowing the power that lays on personal data collection, the company's track record, or just what the product actually gives us: and endless feed of low-quality content. Even things that don't seem dystopic like VR seem kinda unnecessary when compared to the very tanginble benefit the personal computer, or the internet brought about.
There are more tangible reasons to not be optimistic nowadays.
What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.
The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).
Didnt the judge rule literally yesterday that this wasnt illegal. This was one of Lina Khan's signature lawsuits, and judge didnt agree even a single one of FTC's arguments.
Just because something is not illegal does not make it a good thing. Judges have political ties and if the people in power dont want any monopoly laws, then there wont be any monopoly laws.
Where can I read more about this? Quick search turns up nothing for me
This is a proposal from the EC. Whether the EU accept it is not clear.
Yeah I really hope they don't. It's ridiculous to throw out all the great work they've been doing.
Nothing's been official published though, so this is largely a kite-flying exercise.
You don't need a pop-up to use cookies on your site. You (quite rightly) need to get consent in some form if you're to track my (or your) behavior and sell that to rando third-parties.
> What I really want to see is Meta getting irrelevant ON MERIT.
That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.
I uninstalled WhatsApp last year after I sent a message to my most important contacts that I'm switching to Signal. In the mean time, I convinced a grand total of 2 people to install Signal so we can talk. Also, I realized that actually not being part in some of the WhatsApp groups that I left behind has quite a lot of advantages!
Yes, the network effects are very strong, but each of us has the possibility of making a small sacrifice for this thing to change.
> What I really want to see is Meta getting irrelevant ON MERIT.
Why? Is META relevant only on merit?
> HN was cheering on as EU went after Big Tech companies
HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.
On top of that, one thing that always gets support is complaining about the status quo, and those comments have been the most upvoted, on either side of the debate
This is accurate, however if you look at any thread you can see an overwhelming consensus of opinion. The diversity of views are not equal - in the sense that there isnt equal number of for and against comments.
In most of the threads I have observed about EU action on Big Tech, the overwhelming majority of thoughts are 'for', with perhaps few dissenting thoughts.
It depends what time of the day you log in too. I'm in the GMT time zone, I can literally see a comment go from +20 upvotes in the morning to negative numbers when Americans start waking up. It really shifts your perspective of the site too, because comments move down or even disappear based on the number of votes.
Well yeah, the GPDR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.
It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.
Look at what happened to iRobot vs. Roborock though.
I live in EU. I am totally in support to force Meta down through government's big stick.
While they are at it, I hope they do it to the other big techs too.
Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.
Then I propose you should support https://noyb.eu/
Their track record is pretty good.
If you support them (I do, they do great work), please set up a yearly subscription. Predictable revenue is very valuable for organizations.
Yeah, seconded, and I also live in the EU.
I wonder what kind of people downvote you. They must have interesting priorities.
Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.
Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.
> ...more about protecting European ad firms, many of which are even shadier than big tech.
Where can I read more about that phenomenon?
> What I really want to see is Meta getting irrelevant ON MERIT.
That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.
Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.
So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.
?? He bought instagram in 2012 when it was tiny. They all moved in 2016.
His response was 4 years back in time because he can see the future?
They moved from meta to meta.
> sers dropped from Facebook like flies and moved to Instagram.
Even worse, bought Whattsapp.
What about hp, dell, ibm, compaq, sun? Companies are temporary.
> The Obama DOJ waved through what was obviously a blatantly illegal merger.
Speaking of buying Instagram[1], it's plain to see that the horrible judges that Obama appointed simply don't believe that antitrust should exist.
Exactly what you would expect from the guy who let Citigroup appoint his cabinet[2]. The powers that be at the Democratic party thought that Hillary Clinton was too independent for corporate elites, and she makes a fairly good case that they fixed the primary because they thought he was their best chance to "save capitalism" after the crash. They were right. She even sabotaged her next campaign with her desperate need to show bankers that she was a safe choice (e.g. the secret speech.)
> Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition.
And search was only successful for 5 minutes, until SEO broke PageRank. Since that one fragile (but smart) algorithm, and the innovation of buying Doubleclick, everything else has been taking advantage of the fact that we don't have a government that functions when it comes to preserving competition in the market. The West loves corporate concentration; it's better when your bribes come from fewer sources, and those sources aren't opposed to each other.
[1] James Boasberg; "Meta prevails in historic FTC antitrust case, won’t have to break off WhatsApp, Instagram" https://apnews.com/article/meta-antitrust-ftc-instagram-what...
[2] https://wikileaks.org/podesta-emails/emailid/8190
I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.
Prior to 2020, FTC would have had a much stronger case. But too little too late.
> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Finally!
Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.
Those “cookie banners” are nonsense aimed at getting this outcome.
This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.
How can you comply with the current requirements without cookie banners? Why would EU governments use cookie banners if they are just nonsense meant to degrade approval of GDPR?
By not tracking and setting any third party cookies. Just using strictly functional cookies is fine, just put a disclaimer somewhere in the footer and explain as those are already allowed and cannot be disabled anyway.
By not setting a cookie until the user does something active when I then tell them (say on “log in” or “add to basket”.
I dont think you actually need a cookie for that, technically. But I take your point.
What about trackers which they want to set immediately on page load? Just separate prompts for each seems worse than 1 condensed view. You might say "but trackers suck - I don't care about supporting a good UX for them" and it would be hard to disagree. But I'm making the point that its not malicious compliance. It would be great if people didn't use trackers but that is the status quo and GDPR didn't make theme illegal. Simply operating as normal plus new GDPR compliance clearly isnt malicious. The reality is cookie banners everywhere was an inevitable consequence of GDPR.
> Why would EU governments use cookie banners
They generally don't, because you don't need banners to store cookies that you need to store to have a working site.
In other words, if you see cookie banner, somebody is asking to store/track stuff about you that's not really needed.
Cookie banners were invented by the market as a loophole to continue dark patterns and bad practices. EU is catching flak because its extremely hard to legislate against explicit bad actors abusing loopholes in new technology.
But yeah, blame EU.
And before you go all "but my analytics is needed to get 1% more conversion on my webshop": if you have to convince me to buy your product by making the BUY button 10% larger and pulsate rainbow colors because your A/B test told you so, I will happily include that in the category "dark patterns".
In terms of whether or not the ubiquity of cookie banners is malicious compliance or if it was an inevitable consequence of GDPR, it doesnt matter if trackers are good or necessary. GDPR doesn't ban them. So having them and getting consent is just a normal consequence.
We can say, "Wouldn't it have been nice if the bad UX of all these cookies organically led to the death of trackers," but it didn't. And now proponents of GDPR are blaming companies for following GDPR. This comes from confusing the actual law with a desired side effect that didn't materialize.
you CAN use analytics! Just need to use first party analytics... it is not so hard to set up, there are many opensource self-hosted options.
I hate how everyone and their mother ships all my data to google and others just because they can.
By not putting a billion trackers on your site and also by not using dark patterns. The idea was a simple yes or no. It became: "yes or click through these 1000 trackers" or "yes or pay". The problem is that it became normal to just collect and hoard data about everyone.
Again, then why does the EU do this? Clearly its not simply about erroding confidence in GDPR if the EU is literally doing it themselves.
Besides, you seem to be confusing something.
GDPR requires explicit explanation of each cookie, including these 1000s of trackers. It in no way bans these. This is just GDPR working as intended - some people want to have 1000s of trackers and GDPR makes them explain each one with a permission.
Maybe it would be nice to not have so many trackers. Maybe the EU should ban trackers. Maybe consumers should care about granular cookie permissions and stop using websites that have 1000s of them because its annoying as fuck. But some companies do prefer to have these trackers and it is required by GDPR to confront the user with the details and a control.
> Again, then why does the EU do this?
The article's 2nd sentence said intense pressure from industry and the US government.
> Besides, you seem to be confusing something.
No. You asked How can you comply with the current requirements without cookie banners? Not How can you have trackers and comply with the current requirements without cookie banners? And don't use dark patterns would have answered this question as well.
>No. You asked How can you comply with the current requirements without cookie banners?
Within the context of the discussion of if its malicious compliance or a natural consequence of the law. Obviously you could have a website with 0 cookies but thats not the world we live in. Maybe you were hoping GDPR would have the side effect of people using less cookies? It in no way requires that though.
I mean just think of it this way. Company A uses Scary Dark Pattern. EU makes regulation requiring information and consent from user for companies that use Scary Dark Pattern. Company A adds information and consent about Scary Dark Pattern.
Where is the malicious compliance? The EU never made tracker cookies or cookies over some amount illegal.
> billion trackers ... dark patterns
Straw man argument.
The rule equally applies to sites with just one tracker and no dark patterns.
Don’t track your site visitors.
No tracking, no banner.
Or respect the now deprecated DNT flag, no banner necessary.
Now we get DNT 2.0 and the website owner will once again maliciously comply.
OK sounds great.
But some companies prefer to have trackers. They are required by GDPR to explain each cookie and offer a control for permissions. They probably had trackers before GDPR too. So how is that malicious compliance? They are just operating how they did before except now they are observing GDPR.
It sounds like maybe you just want them to ban trackers. Or for people to care more about trackers and stop using websites with trackers (thereby driving down trackers) Great. Those are all great. But none of them happened and none of that is dictated by GDPR.
You can have first party trackers. That is not so hard. Every site onto itself is a first party tracker, but if your developers can't do it there are opensource solutions available to host.
There's the confusion about whether ePD (which is all cookies even functional ones) was superseded by GDPR or whether it wasn't and both rules apply. Personally I think common sense is that GDPR replaced ePD or at least its cookie banner rule, but I'm also not a company with billions of euros to sue.
Can we get the do-not-track header instead?
https://en.wikipedia.org/wiki/Do_Not_Track
Because that made more sense than the cookie banner ever did.
Edit: it looks like there is a legal alternative now: Global Privacy Control.
Or a new, opt-in "Do-Track" that means consent to tracking, and anything else means tracking is not allowed. Why should it opt-out?
As long as there is Do-Not-Track as well, and companies must follow BOTH, this would be ok by me.
But this one alone opens the door to behavior similar to tracking cookies, where accepting all was easy and not accepting was hard af.
Instead of what? Instead of the central browser controls?
>Instead of what?
Instead of a different cookie pop-up on every single site you visit
>Instead of the central browser controls?
This is the central browser control. The header is how the browser communicates it to the websites.
This very article is about how we're getting a central browser control, and your comment was "can we finally get a central browser control instead?".
Related ongoing thread:
Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)
The cookie thing sounds good at first but then it shows that they rant to reduce cookiewalls by making more things ok without asking :(
Yes. I don't think you should have to show a popup to track the user's language preferences, whether they want a header toggled on or off, or other such harmless preferences. Yet, the EU ePrivacy directive (separately from the GDPR) really does require popups to inform users of these "cookies".
So they finally admit that it was a mistake.
Even EU government websites had annoying giant cookie banners.
Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
> Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at.
Server logs can provide this information.
Not for the amount of stuff on the web now that is client-side rendered.
It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
50 is not even close.
Those banners often list up to 3000 ”partners”.
The cookie law made this worse.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
uBlock blocks most of those for me lately.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... does a similar thing.
I use the first of those extensions, its the cookie whitelist one that no longer works for me.
There could be an extension to block the banners, too. I think uBO has a feature to block certain CSS classes?
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when i close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
You can just set your browser not to send whichever cookies you don't want to.
Cookies are a client-side technology.
Why does the government need to be involved?
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
Not really, it disallows tracking even if you aren't storing anything (eg via fingerprinting):
https://gdpr.eu/cookies/
That link seems to say the opposite:
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
Cookies that keep you logged in or maintain a session don’t need consent
Of course, let ME decide if I want to keep fdfhfiudva=dsaafndsafndsoai and remove cindijcasndiuv=fwíáqfewjfoi. I know best what those cookies do!
every accusation is a confession you see...
Cookie banners are made obtrusive by the people running CMPs as they want to make it as hard as possible to stop collecting the data
Funny thing is that I often will go out of my way to find the least permissive settings if the banner is obnoxious or has a dark pattern.
worst implementation ever. I bet it is the reason that most people are now taking anti depressants.
> if you don't do anything "bad" then you don't need the banners.
Because that’s how it is. For instance why does a site need to share my data with over 1000 "partners“?
And the EU uses the same tracking and website frameworks as others so they got banners automatically.
It wasn’t a mistake but website providers maliciously complied with the banners to shift the blame.
Seems you fell for it.
The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rule people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would not actually not need any banners at all.
jokes on them i never followed the law anyway
Non-risk cookies never required a banner.
the issue was never the law.
the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)
Most websites do. not. need. cookies.
It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.
https://noyb.eu/en/project/cookie-banners (edit: link)
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.
And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.
Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.
> lets you set font size and dark/bright theme,
You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.
I am not sure these cookies are covered by the regulations. No personal so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").
Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
> Most websites do. not. need. cookies.
All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who could just pay the fines and go ahead with violating everyone's privacy.
I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.
That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]
I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.
I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.
The potential reason of "law enforcement is just weak" that you bring up just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).
0. https://guides.libraries.psu.edu/european-union/official-ser...
1. https://www.europarl.europa.eu/portal/en
2. https://www.consilium.europa.eu/en/
3. https://european-union.europa.eu/index_en
> law wasn't poorly written, most websites just don't follow the law
I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.
Most websites in the EU also aren't following the law.
The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all), check steam store for example their banner is non intrusive and you can clearly reject or accept all in one click.
people intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.
Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either
I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.
Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.
Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.
> users would be able to control others from central browser controls that apply to websites broadly.
Great to see this finally. It’s obviously the way it should have been implemented from the beginning.
We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.
The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).
Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.
Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.
> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!
An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.
> OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?
Just let Estonia run the programme [1].
[1] https://e-estonia.com/solutions/estonian-e-identity/id-card/
> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)
Good kid mode[0].
[0] https://www.lego.com/en-gb/product/retro-telephone-31174
Adding a kids mode to *all* sites seems like a huge investment to most of the tech industry. I predict most would just NGINX-block users with the kid header.
That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.
Poor Europe - lobbyists make sure that Europe stays weak.
That statement includes Ursula by the way.
Lobbyists make sure that ~~Europe~~ the world stays weak.
They need more strict financial regulation than politicians do!
You can't build large ML models without swaths of data, and GDPR is the antitheses of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.
If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.
The GDPR is about protecting personal data, what personal data could you possibly need to train an AI model?
Let's turn that around. What personal data wouldn't help train an AI model?
But that extra click to read any webpage was keeping me safe
About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.
But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.
There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.
> no need for notaries and in-person verbal agreements, etc.
With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.
And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.
The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.
The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.
Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.
This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.
What were they doing with user data?
Most are running ads and needs to track the performance of their ad spend I believe, at least that what we do. We don't care at all about tracking anything other than x amount of users came from x ad source with some basic device info like mobile/desktop/etc.
We tried to get rid of any tracking banners but have been unable to do so.
Number one use case is sending anonymized and hashed data back to the ad platform to trigger conversion events.
Essentially all modern advertising is done algorithmically. The platform takes conversion events (a typical event is "someone fills out a form"), that signal is sent to the platforms, and the platforms use it to serve your ad to other people who may be interested. GDPR as it is means you need opt-in to do this, so it greatly reduces the effectiveness of online ad targeting.
So in practice, say you make a new cool B2B tool for, say, plumbers. It automates your plumbing business and makes plumbers more money.
In the US, you can make a Meta ad campaign with broad targeting and Meta will use algorithmic magic and be able to just find plumbers for you to show your ad to.
In the EU, this doesn't work as well, so its harder to find plumbers to show your ads to. Less plumbers get to use your product as a result. So its just one reason it's hard to get your EU based Plumbing SaaS off the ground.
Biggest issue with this is the modern web ads don't even work.
You get ads for fridge AFTER you bought one since they now know you browsed them.
What works is content based advertising - so advertise a power drill on a woodworking hobbyist site. No tracking required there. Conversion can be obtained when user clicks a link via redirect. Like in the good ol times.
But this modern approach that massively invades privacy has been sold to businesses and now they require it even though it is probably ineffectual.
They are strangled by rules in using personal data on algorithmic advertismenet?
GOOD!
I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.
I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.
If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.
People are important, not the startups!
Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.
How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.
EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.
[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.
Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.
It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.
Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.
> All consuming vague regulations like GDPR increase the cost of a startup by 500%.
Source?
Does anyone have a link to the proposal, preferably on the EU website?
I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.
They seem to be reporting on two drafts that were leaked by Netzpolitik.
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...
The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".
https://ec.europa.eu/transparency/documents-register/detail?...
https://ec.europa.eu/transparency/documents-register/detail?...
They can be downloaded here: https://digital-strategy.ec.europa.eu/en/library/digital-omn...
That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.
Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.
What exactly did you see about cucumbers?
They scrapped it actually but this law used to be the main example for overbearing EU bureaucracy
https://www.theguardian.com/lifeandstyle/wordofmouth/2008/no...
He actual regulation said that you had to classify them based on their characteristics. If I wanted a straight cucumber and I ordered one I would get one. If I was happy with a bendy one then I’d simply order an “any shaped” one.
I don’t see a problem woth mandating truth in advertising.
Does this mean fewer less-annoying cookie pop ups?
The news feels bittersweet. With 10+ of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.
We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform
This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.
We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/
In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.
If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.
This is also why our privacy statement starts with "We […] don’t really want your personal data."
Can you point to any of these guides?
In our case we were working on a Dutch project so we used this; AVG is the GDPR implementation for the Netherlands:
https://ictrecht.shop/en/products/handboek-avg-compliance-in...
Let me steelman the new proposal a little bit:
You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)
Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).
Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.
> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.
That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.
Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.
Cowards.
>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.
From Europe, I agree with big tech getting it. But i dont agree with random flower shop somewhere getting fined because they dont know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also dont agree with dealing with fcking cookie banners on every other website either.
The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.
So:
- If you dont provide the easy 'accept' button, you are in violation.
- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one
- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result
Its a sh*tty law that got more complicated over time and only helped megacorps.
People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.
Europe learn the hard way that you cant have a cake and eat it too
EU citizens: WE DEMAND XYZ PROTECTIONS
EU: WE SHALL BUILD XYZ FOR EVERYONE
(years pass)
EU citizens: WE HATE XYZ PROTECTIONS
@complaintvc on X has been doing amazing work in this area.
The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.
I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.
(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).
Related:
Europe's cookie nightmare is crumbling. EC wants preference at browser level
https://news.ycombinator.com/item?id=45979527
That is too bad, I had hope in this case regular people would win and get privacy we deserve. But as always big money wins, it just takes time.
While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.
The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.
The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.
It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.
The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.
Big players don't want this either, we rely on open source software and frequently contribute back
It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.
"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"
https://www.youtube.com/watch?v=Xpo2-nVc27I
Previously:
European Commission plans “digital omnibus” package to simplify its tech laws
https://news.ycombinator.com/item?id=45878311
If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?
The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.
Meanwhile the EU commission claims that this is for the benefit the European tech sector.
>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules
The latter seems like the more obvious explanation and what critics said about GDPR all along.
> The EU folds under Big Tech’s pressure.
This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.
The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.
The EU is not folding. The article is two facts surrounded by a huge ball of propaganda.
> due in part to burdensome privacy regulations.
A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.
I think this is a very rosy framing.
GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.
This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.
My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.
I'm not sure what you're looking for here. If your position is "it should be difficult to make a company that has PII" you won't get any significant AI or consumer tech companies in your jurisdiction. That's just reality, they use PII, they personalize on PII, they receive PII, that's how they work.
If that is your goal, OK, that's a choice, but then you can't say "oh GDPR fears were overblown". They caused exactly the problems people were predicting, and that's what EU leadership is now trying to change.
If I sign up your company I can opt into that personalisation at signup time.
You have no business stealing my personal data until we enter an equal agreement.
europe got stuck in the old world, they will never have tech companies.
Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDRP
Is that why most of the EU governmental websites have the same cookie pop up banners?
Lack of product ownership and cargo cult developers.
Legislation can’t change culture.
Is EU suffering from FOMO?
As an EU citizen, this is shameful and even kind of pathetic to read.
Will we start outsourcing all our IT needs to USA again?
Start?
I stand corrected. :D
You are quite right! They have never stopped. And I am ashamed on their behalf. We have amazing tech talent in the EU but we are beholden to old and ultra-risk-averse rich aristocracy. What a damned shame.
EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?
This is infuriating. Running a startup myself, I don't have GDPR banners on my website, nor do I engage with any of the red tape associated with storing GDPR-regulated data. Why? Despite the flagrant misinformation being sown, GDPR doesn't apply for normal, useful-to-developers data collection. It is perfectly fine to use functional cookies like session storage and collect basic anonymous telemetry about how your site is being used, so long as there is absolutely nothing that ties it to a specific individual. Like the vast majority of businesses, I don't handle payment processing myself, so I have no need for any identifying information to ever grace my database.
From Microsoft's simple overview of GDPR for startups: https://learn.microsoft.com/en-us/microsoft-365/admin/securi...
> The GDPR is concerned with the following types of data:
> Personal data: If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, and IP address. The GDPR considers even encoded information (also known as "pseudonymous" information) to be personal data. If the encoded data can be linked to an individual, the data is considered personal, regardless of how obscure or technical the data is.
> Sensitive personal data: This data adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.
So when articles like this say "regulations are strangling small businesses", they aren't talking about the cost of compliance with unnecessary overhead, nor about being "forced" to have an unnecessary cookie banner. They're talking about being required to get consent before collecting and selling your personally identifying information. That is the regulation that's "strangling" them, and what they're aiming to change. If you don't engage in that behaviour, your small business probably isn't regulated by the GDPR in the first place. If it so happens that your business does have a legitimate purpose for collecting personal data, there are already exemptions in the GDPR from some of the red tape around it for small businesses.
It is particularly frustrating to see this proposed change coming after the EU finally started cracking down on consent banner abuse in court this year. It is now being legally enforced that, if you do have a consent banner, you must have a "reject" button that is equally as prominent as the accept button, not hidden away in a sub-menu. There are still many sites that aren't compliant, but this has been a markedly huge improvement to the web experience. It was disastrously long overdue, and that was a failure on the EU's part, but it vexes me to see people frustrated with consent banners cheering on the death of GDPR to automate data collection without consent when the actual solution was simply for the existing law to be enforced properly.
While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the Eu courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.
Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.
That was already the case for the majority of domains.
We must have lived on different internets. I have much lived experience of finding cool domains, looking up their email, and talking to them all the way up to GDPR coming into effect. "whois privacy" options at registrars were starting to take off but at least those still had the email to contact. Now it's nothing.
I for one like it to be able to post stuff on my website without the risk of someone sending me pizza or swat teams to my home address...
Shameful decision, caving to foreign capital interests.
Do better, EU.
I used to live and work in EU, get out of EU before it is too late.
like UK, you mean? boy that did really work out well for them!
So far so good - and I say this as one voting remain. The only gripe I have is that our domestic doomers were even more stupid than the EU ones. Ours were the progenitors of many of EU dumb ideas. So even outside EU, we in the UK not only did not repeal the utterly imbecilic laws we inherited. No - we added even more stupid laws. Consequence being people are put in jail for writing stuff on the Internet. I hope someone puts in jail the lawmakers that voted for these laws. To the cheering of and with public support, it must be said. It was not without consent, it was not only bi-party, but omni-party consent.
The UK was known for bureaucracy even before they joined the EU. The idea that the red tape would vanish was always silly.
I think a lot of Brexiteers don't entirely understand why the EU was a problem.
The only thing they saw was the EU migrant crisis and the UK not having total control over its own borders. Things I don't care about[0]. The actual problem with the EU is only tangentially related to that concern, and it's the fact that the EU is a democratically unresponsive accountability sink. When a politician wants to do something unpopular, they get the EU to do it, so they can pretend like they're powerless against it. See also: the 10,000 attempts to reintroduce Chat Control.
The easiest way to fix this would be a new EU treaty that makes the EU directly elected. But that would also mean federalizing the EU, because all the features that make the EU undemocratic are the same features that protect the EU from doing an end run around member states. The alternative would be for EU member states' voters to deliberately sacrifice their local votes in order to vote in people who promise to appoint specific people at the EU level. That's what happened in America with its Senate, and why it moved to direct election of Senators, because people were being voted in as Governor just to get Senators elected.
A lot of times we talk about political issues on a partisanship spectrum - i.e. "partisan" vs "bi-partisan" or "non-partisan" issues. The reality is that, in WEIRD[1] countries, most parties have a common goal of "keep the state thriving". The primary disagreement between them is how to go about doing such a thing and what moral lines[2] shall be crossed to do so. That's where you get shit like America's culture war. The people who live in the country and are subject to its laws are far less hospitable to the kinds of horrifying decisions politicians make on a daily basis, mainly because they'll be at the business end of them. This creates a dynamic of "anti-partisanship" where the people broadly support things that the political class broadly opposes.
For example, DMCA 1201. The people did not want this, the EFF successfully fought a prior version of it off in Congress, then Congress went to the WTO and begged them to handcuff America to it anyway. The people would like to see it reformed or repealed; that's where you get the "right-to-repair" movement. But the political class needs DMCA 1201 to be there. They need a thriving cultural industry to engage in cultural hegemony, and a technology sector that can be made to shut off the enemy's tanks. The kinds of artistic and technological megaprojects the state demands require a brutal and extractive intellectual property[3] regime in order to be economically sustainable. So IP is a bi-partisan concern, while Right-to-Repair is an anti-partisan concern.
In terms of WEIRD countries, the UK is probably one of the WEIRDest, and thus a progenitor of a lot of stupid bullshit legislation. If they had not left the EU, the Online Safety Act would have been the EU Online Safety Directive.
[0] To be clear, my opinion regarding migration is that the only valid reason to refuse entry to a country is for a specific security reason. Otherwise, we should hand out visas like candy, for the sake of freedom. Immigration restrictions are really just emigration restrictions with extra steps.
[1] Western, Educated, Industrialized, Rich, Democratic
[2] All states are fundamentally "criminals with crowns". Their economies are rapine. When they run out of shit to steal all the gangsters turn on each other and you get a failed state.
[3] In the Doctorowian sense: "any law that grants the ability to dictate the conduct of your competitors". This actually extends back far further than copyright, patent, or trademark law does. Those are the modern capitalist versions of a far older feudalist practice of the state handing out monopolies to favored lords.
Watch out for French government bonds (10yr), France will be the next before 2030.
I did the opposite, I moved to the EU before it is too late.
It's the only power left that stands for rule of law.
> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)
the consequences of their laws is pushing their hands
Yet again, European countries are showing who their leaders are: US Big Tech
No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens
The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.
Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.
This is criminal.
How so? Like, figuratively, as-in outrageous?
To make the popup requirement for non critical cookies in GDPR less onerous? Or the change in data operation recording requirements that will kick in at a company size of 750 employees instead of 250?
I assume you mean the AI related stuff?
It was never required to show a pop-up for essential cookies.
I work in data privacy and I really hold the GDPR in high esteem. The "Ai stuff" is worrisome. The UK has left the EU and rolled back privacy rights. The EU is experiencing the slow erosion of privacy rights; and the US is a morass of highly variable state-level rights. I had such high hopes when the CCPA passed.
Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.
I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.
GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
Far less than 1% of people would care about either.
But far more than 1% are harmed by it.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data, and giving people some confidence that security best practice is taken seriously.
Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?