[ethbro]

The problem with carving out exceptions for small companies is that larger ones would simply subcontract out all their data handling.

Like encryption, data privacy is either all or nothing.

And personally? I'd rather live in a world without tracking-enabled Google and Facebook business models than the one we're currently in.

Holding personally identifiable data is a toxic externality: Experian simply exposed a clear case.

If you want to do so, you should have to bear that cost. Or design your business model differently so that you don't.

[fanzhang]

For size limits, as logicians, we would think that companies would just split infinitely but that doesn't seem to be the case.

For example ACA 2012 (Obamacare) applies the most onerous terms on companies greater than 50, but not a lot of 100 person companies split into two groups of 50 to dodge it.

I think privacy is indeed along a spectrum and not binary. I certainly think that EU citizens are more concerned with Facebook and the vast trove of data they have and political irresponsibility with it than with GarethsFirstApp in the Android store handling user data well.

[ethbro]

Splitting core business functionality and siloing data handling to a contractor are apples and oranges.

And I'd point out that the latest Facebook media privacy outrage was caused by a smaller (1 person?) third party company.

GarethsFirstApp isn't so innocent when it's providing Facebook with data they can no longer collect themselves (given a hypothetical "You're small, so we'll let you get away with it" GDPR).

[_o_]

Let me shed some light into this: I am having my own mail server and I am using a separate mail address (and now it will be close to 10 years of doing that) for every registration to any website, lets say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where it got my address from. 99% of addresses that I get spam on came from registering to small bussinesses, never from large sites. Get it?

So based on that some might argue, that the small bussinesses should be regulated more as majority of violations are comming from them, not well established bussinesses. It is probably not true, but it might also be.

So... binary only is a right way to go.