Hacker News
by tgsovlerkhgsel 58 days ago
They'd only do it as long as the risk of getting caught and the punishment when caught made it worth it.

If the authorities that are supposed to enforce GDPR (and other data protection laws around the world) were doing their job, app makers would be a lot more careful with what they embed and what data they send where. Because these authorities don't seem to have been doing anything useful, it's now so normalized that you could probably send a $20M fine to every major app and be right about it.

1 comments

Slightly more nuanced now — EDPB's 2024-2027 strategy explicitly prioritizes large-platform enforcement, and recent turnover-based fines (Meta €1.2B in 2023, TikTok €345M, Uber €290M in 2024) suggest the deterrence math is tightening. Health data under Art. 9 carries the heaviest penalty multipliers; the question on Flo is whether national DPAs coordinate via the one-stop-shop mechanism or local supervisory authorities (Polish UODO, French CNIL) move independently.