Hacker News
by igorkraw 1552 days ago
Small correction: the indie devs just building cool shit are fine under GDPR. The indie dev who wants to monetize his community while not caring about the externalities of possibly leaking their information has a headache.

If your business model depends on creating undesirable externalities for your "users" then you don't have my sympathy. The only shame is that we still need to enforce GDPR properly on large players, but that's a political and social thing, not per se a problem with the law itself.

And the oh so horrible cookie banners: the solution would be to not track people. If you aren't fully acting in the user's interest, the cookie banner is easy to implement, or maybe not even required. So whenever you are annoyed by a cookie banner, it should be directed at the company, not the law.


What's the limit that an indie could go without caring about GDPR? Is it actually until they want to be "commercial"?
It's not until you decide you want to start tracking people or in other ways use their PII that you should become worried, indie or not.
No, it's until they decide they want to abuse personal data.
Until they start saving PII that is not necessary for their core business relationship with the user.

If your app is literally about self quantification and the user pays you to collect that data and keep it private? You might not even need to state it anywhere, although the safe thing is of course to list all the ways you do or do not collect data.

If your app is about self quantification and you monetize by selling user data or its aggregates... GDPR. If you use a third-party data provider instead of hosting the data yourself: GDPR etc. Because user data might not be important to you, but it is to your users, so you probably shouldn't be allowed to YOLO handling it.

> you probably shouldn't be allowed to YOLO handling it

Exactly. If a company doesn't care enough about its users to even tell them what they are doing with their data (or in some cases even know what they are doing with it) then the user can't expect that company to secure it or to provide a valuable service with it.