2016 was a weird time. When this legislation came down we literally had no idea what to do. We were a US company and didn't run any ads or broker data, so we thought at first that we were exempt. After consulting with a legal team, they made it clear this was not the case. And for the next 2 years there was a lot of pain. We had too many cookies that were important to UX and analytics. If you don't understand why, imagine trying to run a store but not being allowed to look at your customers. We were fine not chasing them into the parking lot with a Polaroid camera, but GDPR didn't make a distinction between really invasive tracking and "normal" un-creepy QOL cookies. Before tools like OneTrust or TrustArc were available, it was also not even clear how you actually handle consent. TL;DR: you basically have to set a semi-anonymous cookie that tells you it's okay to load other cookies. But at the time it was not even clear if this was legal (since there is somewhat conflicting advice as to what could constitute PII in this situation). To this day, we still deal with a lot of GDPR edge cases. Specifically, what constitutes PII at a technical level when you are talking about session IDs, user IDs, or client addresses. It's still really tricky and we're always afraid the rug will be pulled out from under us. And even the most expensive lawyers will be experts in the law but need constant hand-holding through even the most basic technology. (Data removal requests are another story - if people only knew, man.)

The lessons I have learned:

- Anyone who says GDPR is simple has no real experience
- Do exactly what other companies are doing - do not try to stand out
- The only real winners were the lawyers
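The "semi-anonymous cookie that tells you it's okay to load other cookies" pattern the comment describes, as an added example that is not code from the original post or from any consent-management product it mentions. It assumes a consent cookie named `cookie_consent` holding only category choices (no user identifier), an assumed catalogue mapping each site cookie to a consent category, and a default-deny rule: when the consent record is missing or unparseable, only strictly necessary cookies are allowed.

```javascript
// Added example (not from the original comment): a minimal consent gate.
// One "semi-anonymous" consent cookie records which categories the visitor
// accepted; every other cookie is set only if its category was accepted.
// Missing or malformed consent means default-deny (necessary cookies only).
// The cookie name and the catalogue below are assumptions for illustration.

const CONSENT_COOKIE = 'cookie_consent';

// Assumed catalogue: each cookie the site sets, mapped to a consent category.
const COOKIE_CATALOG = {
  sid: 'necessary',         // session id, required for login to work at all
  csrf_token: 'necessary',  // anti-CSRF token
  _ga: 'analytics',         // analytics cookie
  ab_variant: 'analytics',  // A/B test bucket
  promo_seen: 'marketing',  // marketing cookie
};

// Parse a Cookie header (or document.cookie) string into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch {
      // malformed percent-encoding: drop that cookie instead of throwing
    }
  }
  return out;
}

// Read the consent record: an object of category -> boolean, or null when no
// valid consent has been recorded yet. Only an explicit `true` counts as consent.
function readConsent(header) {
  const raw = parseCookieHeader(header)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return null;
    const consent = {};
    for (const [category, value] of Object.entries(parsed)) {
      consent[category] = value === true;
    }
    consent.necessary = true; // strictly necessary cookies never need opt-in
    return consent;
  } catch {
    return null; // unparseable record is treated as no consent
  }
}

// Build the Set-Cookie value for the consent cookie. It stores only the
// category choices, no identifier, so it is not itself a tracking cookie.
function buildConsentCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const record = { necessary: true };
  for (const [category, value] of Object.entries(choices)) {
    if (category !== 'necessary') record[category] = value === true;
  }
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`;
}

// Which cookies from the catalogue may be set for a request with this header.
function allowedCookies(header, catalog = COOKIE_CATALOG) {
  const consent = readConsent(header) || { necessary: true }; // default-deny
  return Object.keys(catalog).filter((name) => consent[catalog[name]] === true);
}

// Gate a single cookie write: true only if the cookie is known and its
// category was accepted. Unknown cookies are never set.
function mayLoadCookie(header, name, catalog = COOKIE_CATALOG) {
  if (!catalog[name]) return false;
  return allowedCookies(header, catalog).includes(name);
}

// Constructed sample: a visitor who accepted analytics but not marketing.
const sampleHeader = buildConsentCookie({ analytics: true, marketing: false }).split(';')[0];
console.log('allowed:', allowedCookies(sampleHeader)); // sid, csrf_token, _ga, ab_variant
```

The gate is checked on every cookie write, not only when the banner is shown, so a stale or tampered consent value degrades to the necessary-only set rather than to "everything". Keeping the consent record free of any user identifier is what lets it be set before consent is collected.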