Hacker News
by thayne 2864 days ago
> Truth is, no one cares. GDPR is an overreach designed to shake down American mega-corps

And yet it hurts small startups that don't have the resources to become fully GDPR compliant more.

2 comments

This is just inaccurate. GDPR is derived from warranted concern over rampant data abuse. And it's actually much easier to make a startup GDPR compliant than it is to overhaul a large company with rigid systems already in place. If anything, GDPR favors startups.

It hurts small startups trying to perpetuate the same blatant disregard for human rights as American startups have done in the past. It doesn't hurt small startups that are privacy-aware and treat their users with respect.

Not giving users a way to delete their accounts was never okay. Tracking user behavior without consent was never okay. Holding users' data hostage was never okay. Not giving people a way to correct the data you keep about them was never okay.

US startups have been playing on easy mode by getting to ignore human rights and just follow the local letter of the law even when going international.

If anything you'd think HN "classical liberals" would love this as it evens the playing field, allowing for fairer competition between already privacy-aware EU companies and the previously unfairly advantaged US companies entering the EU market. Of course this assumes you think privacy and data ownership should be protected as human rights in the first place.

> Not giving users a way to delete their accounts was never okay. Tracking user behavior without consent was never okay. Holding users' data hostage was never okay. Not giving people a way to correct the data you keep about them was never okay.

Sure. If being GDPR compliant just meant you just don't have to do those things, it wouldn't be a problem. But with GDPR you now have to spend time (=money) understanding what GDPR means (probably with a lawyer's help) and ensuring that you are in fact compliant. "I try to protect users' privacy" isn't good enough when the EU could effectively put you out of business if you aren't. You'll have to deal with Data Access Requests, most of which are from trolls. You may need a DPO, which might require hiring someone. I'm all for protecting privacy, but the GDPR adds quite a bit of burden, which large corporations will be able to eat, but will set back smaller corporations. Really, medium-size companies are in the best position, since they have the resources to meet GDPR obligations, but don't have to do massive overhauls like the big corps do.