I would exempt small businesses from GDPR requirements outright unless the business model is a surveillance capitalism one. Like small adtech startups.
Defining a surveillance capitalist company without BS is difficult although, so in the end, I would probably just wholesale exempt private small businesses that are not subsidiaries of larger ones. The small businesses would need to be arms length from larger ones too.
A lot of the danger of surveillance capitalism come from concentrated power, and many small businesses are by definition the opposite of that.
Small companies can sell their data. Almost all of the data collected by all those small companies mentioned in those GDPR popups will end up in the hands of a few large entities.
The data is the same, regardless of who collects it. Leaking it is equally dangerous.
Defining a surveillance capitalist company without BS is difficult although, so in the end, I would probably just wholesale exempt private small businesses that are not subsidiaries of larger ones. The small businesses would need to be arms length from larger ones too.
A lot of the danger of surveillance capitalism come from concentrated power, and many small businesses are by definition the opposite of that.