[photon12]

If you build robust privacy guidance mechanisms into the fabric of your startup from the beginning, your ability to handle risk management around these types of cases can be resourced to scale with the customer expectations of the system you build.

Unfortunately, if you do that, you are going to be outcompeted by the teams that are working to get their first 10,000 paying customers by any means necessary, because privacy planning is less capital efficient.

The companies that do get big enough to overcome their immediate survival constraints often have a harder problem identifying and providing resource needs for privacy assurance because it's less on the minds of the people in charge of making resource decisions because you have other operational scaling issues at the front of mind.

Your engineers and support staff doing dumb things with your data is a risk you can have resources allocated to. But it's not on the critical path to market dominance so it shouldn't be expected to be a priority.

[throwway120385]

Sounds like it should be illegal to share data by default, and that individuals shouldn't be able to sign away their expectation of privacy as part of a EULA.

[jacquesm]

That's called the GDPR. Positive, coercion free, explicit and non-tied consent is a hard requirement. See article 7: https://gdpr-info.eu/art-7-gdpr/

[iso1631]

Unsurprisingly the average startup bro hates the GDPR, they see it as an obstacle to doing things with data they shouldn't