[Isinlor]

There are no costs because no one is enforcing it.

> In one we actually track user's behaviour to make better recommendations, but we're open about it and they can disable it if they want.

If I understand well this is opt-out instead of opt-in... If you would be slapped some percent of your revenue for this you would feel the costs. Not only the cost of fine, but also of reading and implementing GDPR more carefully. But data protection authorities don't have enough resources to audit even 1 / 100 000 of companies that ignore GDPR up to this level of detail. So you can live in happy ignorance that you are implementing GDPR.

That not to say that GDPR doesn't help in general. The issue is that it will be a dead law or a law that hits randomly some very, very small percentage of companies breaking it.

Having a law that no one implements properly is just a recipe for abuse of power by authorities. "Show me the man and I’ll show you the crime" is well known to people living under the Soviet rule. (And, No! EU is not the Soviet Union. But some DPA are in post-soviet republics with people that were raised in this mentality.)