[JumpCrisscross]

> What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

Nothing. Doesn't mean they have nothing better to do than respond to letters and regulatory enquiries. (To be clear, I'm not disparaging regulators asking questions. I'm simply observing that such questioning-and-answering has a cost. That cost is reasonable for a large company. It may not balance favorably for something smaller.)

[zentiggr]

Like TFA describes pretty in depth, that response burden, for sites that have no saved data and process nothing personal can be as simple as a form letter response pointing to a properly detailed GDPR statement.

Or might have to be expanded on a bit, point is the response cost can be scaled as well.

[gcthomas]

It will likely be years before any small business gets a routine regulatory enquiry, unless there is a complaint. And that is how it should be, isn't it?

[dorgo]

So, a pragmatic approach then. Everybody violates the laws a little (maybe without knowing) and regulators pick big violations first. Software developers like to handle each edge case up front - which is not possible on this scale I guess.