by infinitismal8 2945 days ago
If you make money from EU users and are US based you need to be GDPR compliant or they will target you through payment processors and ad networks.

If you don't make money from EU users and don't want to be GDPR compliant you should probably just shut them off if you ever want to operate in the EU in the future


The OP initially says if you’re small time they likely won’t target you. Are you really saying if you’re super small time, the EU is going to go after your payment processing? Of course anything is possible. It seems highly unlikely though.

Then his/her last point is that they’ll give you a chance to correct things.

Your post doesn’t seem to cover that either.

The way it's been done in the past, it usually starts by notifying you and giving you reasonable time (a month) to fix things then move up to sanctions.

But this is not a given every time and not everyone goes the nice route, some go directly to court. So when you are a small fish, you are better off doing your best to follow the GDPR in the first place than scrambling to avoid sanctions in a limited time later. It is not that complicated to not collect data you don't need, ask before collecting it and inform about what you do with it.

> it is not that complicated to not collect data you don't need, ask before collecting it and informing about what you do with it.

This is not all the GDPR requires. You’re just describing traditional Privacy Policy.

They will go after you the moment you become bigger and if you are a person running a business one of your hopes is that you won't remain small time forever

> they will target you through payment processors and ad networks

How will they do that, and on what legal basis?

Garnishment.

If the regulatory agency decides to fine you, and you don't successfully defend yourself against that in court, then you'll have to pay that fine. If you fail to pay the fine on time, any entities within the jurisdiction that owe you can be ordered to pay the fine instead (i.e., your payment processor will be ordered to redirect funds arriving for you to the state, which also, as far as their jurisdiction is concerned, fulfills their debt towards you--as far as their legal system is concerned, the payment processor has paid you and you have paid the fine).

Sounds like a good reason to start only accepting crypto

Except that won't help you? Usually, payment processors are ordered to redirect funds as that is usually the easiest way, but if that is not an option, your customers will be ordered directly to redirect payments. As long as you have customers within the jurisdiction, they will find a way to make you not earn any money from them until your fine is paid.

So you admit that GDPR is really just a trade barrier.

How can it be a trade barrier when EU companies are more affected by it? (They have to provide these protections for everyone, whereas non-EU companies only have to provide them for people in the EU).

You just answered your own question. The cost of compliance is largely a fixed cost. So if only 50% of my users come from the EU, then my per-user costs are 2x what an EU-centric company's would be. So it skews the economics in favor of blocking the EU if your business is not EU-centric. This in turn means users are pushed to EU companies that have no choice but to comply.

But the cost is the same for both companies inside and outside of the EU, so US companies "not being forced" just means they have the luxury to decide whether EU customers/visitors are a concern to them - EU companies HAVE to do it, even if 95% of their userbase is in the US (but I think those US users will appreciate it still).

Imagine a law that forced all companies in the EU to be polite to their customers no matter what or face fines. In that case you could also say that users would be pushed towards EU companies because they were "forced" to be polite, but I think that would be deserved and US companies could just do the same. Similarly to GDPR, if one side is forced to treat my data with respect and actively have me consent, then I would choose them, law or no law.

GDPR - the core of it - is about privacy, it's an increment on prior laws in EU countries. It's also in part a response to the data hungry US tech companies, without question.

The 4% of worldwide revenue fine potential is exclusively targeted at the US tech giants. By my last count, the US has roughly 100 tech companies worth over $10 billion each (with trillions of dollars in worldwide revenue). Nobody taxes revenue, that's about the most moronic thing you can possibly do - unless you're doing it to try to harm / punish companies. Very few EU tech companies have meaningful worldwide revenue to tax.

Of course they're trying to harm companies when they fine them. That's implicit in the term "fine".

They target revenue because otherwise companies will just use Hollywood accounting to declare they make 0% profit, they just pay huge licensing fees to some Cayman Islands company.

No it applies to any organization offering data services/web sites to EU residents, including authorities.

GDPR is only a regulation stating more explicitly what you're required (and were always required) to do for compliance with EU privacy laws. It obviously was needed since privacy violation has become so blatant. The GDPR legislation has been a long time in the making. It might be the case that privacy in Europe is being valued more than elsewhere in the world, I don't really know, but it's nothing new at all. For example, in Switzerland (not in EU but certainly with humanist and very old democratic and civil rights traditions) privacy in the form of banking secrecy is held in even higher esteem.

Yes, as a collateral effect, some business models might not work in EU any longer, or not to the extent they used to (though ads and affiliation links had been on a race to the bottom anyway). But I'd say that's a win, or can be turned into a net benefit. Think about what the Web has become in the last 10-15 years. We still don't have reasonable micropayments, and nobody wants paywalls anyway, etc. The result has been the rise of "platforms" and monopolies where the user's data and attention is the product, with publishers of quality, nuanced content struggling or going out of business. While you of course don't owe dead-tree publishers anything, an economic model for content creation working for more people than it is now is still very much desired.

If you're perceiving GDPR as a trade barrier (even though it's just a privacy law), please also consider the US's total and utter failure to get their antitrust regulations in gear: Facebook buying WhatsApp, Google buying DoubleClick and YouTube, etc. At a certain point, others will have to react to that kind of government-sanctioned monopolization to protect their markets.

> please also consider the US's total and utter failure to get their antitrust regulations in gear: Facebook buying WhatsApp, Google buying DoubleClick and YouTube, etc. At a certain point, others will have to react to that kind of government-sanctioned monopolization to protect their markets.

The European Union also green lit those acquisitions. Hence the fines against Facebook for essentially lying to the European Commission about the merger.

It will be interesting to watch this unrolling, and I'd think criminal investigation is also on the table (vs Fb employees and EU officials).