Hacker News
by tjansen 1615 days ago
> What trouble? It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.

There are a lot of popular services you apparently can't use, like Stripe, and a lot of rules to follow, especially if you store any kind of personal data.

If the regulators actually enforced the letter of the law and the current court precedents fully and consistently, could you even use many popular payment methods or communications channels anywhere in the EU (or possibly the UK), given that underlying a lot of that infrastructure at some level is the use of services operated by businesses with a presence in the US?

Maybe the situation has changed again recently but I thought a literal reading of the current regulations and precedents implied that no such business can ever be compliant, because of the US laws that give parts of the US government privileged access to any data available to any such business even if that data is held off-shore?

I believe a significant part of enforcement is supposed to be a deterrent. If the U.K. fully enforced speed limits, the only people who would have not had their licenses revoked would be people like me who don’t drive or aren’t in the country any more.

It’s not clear to me that any particular analytics service needs to be run by an American firm, so the point about USA rules forcing actions on USA feels situational rather than permanent.

(I won’t pretend to know if the GDPR allowance for handing data over due to legal obligations is or isn’t relevant here, even normal law is way outside my ken, let alone international).

If you have a law that would be impractical to enforce fully and in all cases because you'd end up penalising almost everyone it affects, it's a bad law. I don't believe we should legally prohibit normal behaviour for fallible humans, particularly if no real harm is caused and no ill intent was present.

Selective enforcement is rarely a good solution to that problem. With selective enforcement you have not only reduced the risk to those who really are doing something seriously wrong, so also reducing the deterrent effect, but also penalised those who paid a price or gave something up to do the right thing and were then left disadvantaged relative to the wrong-doers.

> If you have a law that would be impractical to enforce fully and in all cases because you'd end up penalising almost everyone it affects, it's a bad law.

I think this describes almost every law, not just speed limits and GDPR but also copyright violation and drug use and… well perhaps not literally every law, but enough of them.

> I don't believe we should legally prohibit normal behaviour for fallible humans, particularly if no real harm is caused and no ill intent was present.

I don’t believe this describes GDPR. First because websites don’t really need to grab analytics, because stuff you genuinely need to provide a service is explicitly exempt from the GDPR informed active consent requirement; second because website and app development isn’t normal behaviour for normal humans, it’s a profession; third because this data does cause harm.

Yes, there are all those risks you list from selective enforcement.