[novok]

I would exempt small businesses from GDPR requirements outright unless the business model is a surveillance capitalism one. Like small adtech startups.

Defining a surveillance capitalist company without BS is difficult although, so in the end, I would probably just wholesale exempt private small businesses that are not subsidiaries of larger ones. The small businesses would need to be arms length from larger ones too.

A lot of the danger of surveillance capitalism come from concentrated power, and many small businesses are by definition the opposite of that.

[solarkraft]

Small companies can sell their data. Almost all of the data collected by all those small companies mentioned in those GDPR popups will end up in the hands of a few large entities.

The data is the same, regardless of who collects it. Leaking it is equally dangerous.