[pclmulqdq]

What's respectful about presenting you with a wall of text T&C document, giving you a checkbox to indicate you read it, and mining the crap out of your data on a server located in Europe? GDPR allows that - in fact, it assumes that you will want to mine the crap out of user data and specifies where.

GDPR has a few good ideas about encrypting data buried in its ~170 articles, but most companies were doing that already because data breaches are expensive.

The rest of GDPR is about (essentially) trade protectionism: they want you using European servers to store and process data. They want that data in easy reach of other EU laws and enforcement agencies.

[ls15]

Other websites like Github decided to comply in a way that does not require cookie banners. I think that the users appreciate it.

[pclmulqdq]

There are a lot of other clauses than just the cookie banners. In fact, the cookie banners are far from the most annoying part if you want to be compliant.

I would go so far as to say that most startups which don't do 100% of their compute within European borders are likely non-compliant with GDPR by the law as written.

Edit: To be clear, I would have no problem with the level of trade protectionism if it only applied to companies that do $X million of business in the EU. That's how every other data residency law is set up. If you want to force series E+ companies through weird hurdles, have fun.

[xxs]

>I would go so far as to say that most startups which don't do 100% of their compute within European borders are likely non-compliant with GDPR by the law as written.

What personal data do the startups require that's hard to rein?