by Nextgrid 2177 days ago
> I'm not actually trying to explain or interpret anything. Instead, I am mostly paraphrasing

Yes, this is what I meant - apologies if this was worded poorly (edited it now). I was indeed referring to Americans' (wrong) understanding/interpretation of the GDPR you are referring to, rather than your own article's interpretation of it.

> I think it's more about baseless misconceptions and myths being thrown out here and there. Ask yourself: Why?

Indeed it is; however, misconceptions/myths can be referred to as misunderstandings. I'm sure there are business interests at play, and that's why there's a lot of bad advice being thrown around in an attempt to demonize the GDPR and make it seem more annoying than it actually is, but if we were to only assume good faith then I think it's fair to call it a misunderstanding.


Locally (Poland) I had a feeling that a lot of the misconception was fueled by people trying to sell consulting on GDPR, when the majority of the situation could be summed up as "remember the GIODO (Polish PII protection agency) rules that you ignored so far? Now they have teeth".

But if you sold it as something more complex than "PII is like nuclear waste, you want to avoid it", then you couldn't sell high-priced "GDPR transformation services" or get lots of ad views on your spiffy web page :/

Agreed.

There is a lot of money to be made in GDPR-related consulting peddling non-compliant snake oil. GDPR compliance is actually quite simple; however, it is often detrimental to the business, so it's near-impossible to do "honest" GDPR consulting because you'd be telling your client things they don't want to hear, and they would rather go to someone else who tells them what they want to hear, even if they don't actually solve the underlying problem of compliance.

That's the only reason I can think of why non-compliant consent management solutions (such as TrustArc) are thriving, even though a casual read of the regulations would immediately point out that they are not compliant and thus do not help to achieve the desired goal of GDPR compliance.

Unfortunately there is no enforcement at present so there's nobody out there to set the record straight and scare companies into compliance (potentially getting them to sue the consultancies for their non-compliant solutions).

At the same time, looking at all the "parties" trying to track me on a random website, my core question ends up being "why the everloving fuck?".

A lot of actionable data for many a business can be safely separated from PII. Simultaneously, I have a hard time understanding why a simple website might need 20-50 different tracking services, all third-party. In my experience, that's the typical kind of business that was targeted by dishonest "GDPR consulting".

For the majority of businesses that I talked with, GDPR compliance could be handled by implementing a set of rules that fit, in normal font, on an A4 page. There are a few that truly required more, but those also had that data as crucial data, and that's where good, honest consulting could do a lot of good.