by AitchEmArsey 1552 days ago
By your own argument, foreign companies can navigate the rules for selling into Europe just fine - so what is stopping a European company from doing the same?

If there is any remaining problem it is that the rules are not enforced strictly enough on tech giants.


Let's talk about startups first:

An indie dev in New York does not care about the GDPR. They just build cool shit and put it online. Look at all the Show HNs here.

In the EU, the situation is very different. Indie devs are super afraid and work hard to make their stuff less useful to please the GDPR.

Now about larger players:

EU companies agonize their worldwide users with cookie banners. Because that is what the GDPR tells them to do.

Non-EU companies don't do that. Because why should they? Will a lone Italian traveller in the USA sue them for using Google fonts? Probably not. And if they do - they can handle it. So they only agonize their EU users with cookie banners.

Unlike in UE, EU companies are not allowed to sell their customers' data to random third party spammers, scammers, adtech companies and bounty hunters.

That is it - as a startup, GDPR is not a massive problem. You know what is a real problem? The fact that you can raise 10x more investment in the US with the same slide deck.

Small correction: the indie devs just building cool shit are fine under GDPR. The indie dev who wants to monetize his community while not caring about the externalities of possibly leaking their information has a headache.

If your business model depends on creating undesirable externalities for your "users" then you don't have my sympathy. The only shame is that we still need to enforce GDPR properly on large players, but that's a political and social thing, not per se a problem with the law itself.

And the oh so horrible cookie banners: the solution would be to not track people. If you aren't fully acting in the user's interest, the cookie banner is easy to implement, or maybe not even required. So whenever you are annoyed by a cookie banner, it should be directed at the company, not the law.

What's the limit that an indie could go without caring about GDPR? Is it actually until they want to be "commercial"?
It's not until you decide you want to start tracking people or in other ways use their PII that you should become worried, indie or not.
No, it's until they decide they want to abuse personal data.
Until they start saving PII that is not necessary for their core business relationship with the user.

If your app is literally about self quantification and the user pays you to collect that data and keep it private? You might not even need to state it anywhere, although the safe thing is of course to list all the ways you do or do not collect data.

If your app is about self quantification and you monetize by selling user data or its aggregates... GDPR. If you use a third party data provider instead of hosting the data yourself: GDPR etc. Because user data might not be important to you, but it is to your users, so you probably shouldn't be allowed to YOLO handling it.

> you probably shouldn't be allowed to YOLO handling it

Exactly. If a company doesn't care enough about its users to even tell them what they are doing with their data (or in some cases even know what they are doing with it) then the user can't expect that company to secure it or to provide a valuable service with it.