I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.

More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.

Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.

Most baffling thing is that sometimes you can't opt-out from "always active" stuff that still involve hundreds of "partners"; see: https://news.ycombinator.com/item?id=45844691

Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.

That cookie thing should a browser's default.

I think I should be able to collect whatever publicly available data I can find.

Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.

Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark pattern to extract personal data from citizen.

> I get that too many regulations is a bad thing

Well yeah, cause your sentence relies on itself.

_Too many_ regulations is a bad thing.

But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rathr than a curse.

Who is the audience your comment is trying to reach? Who are these mysterious "companies"?

It's important to realize companies are made of people.

Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?

That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.

Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.

Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules are almost impossible.

> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.

you are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason of why things work.

Chat control is stupid.

So “smart rules” only means “more rules”?

Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.

Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.

That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...

AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply.

A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered. Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle. They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.

Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.

Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”

Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.

Browser level consent primitives would be a significant improvement on the status quo.

I always felt applying the same rules to everyone was a big problem with GDPR.

Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.

Its not just cookies and websites, its any personal information stored electronically.

Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear(as it operates on intent). Tax laws are clear, but not smart(as the interpretation is literate and there are multiple loopholes).

This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.

I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.

Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.

AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.

It's just… lazy. “Slap AI on it”-level policy. Ugh.

Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for europe. I don't see anything about GDPR that would harm innovation or long-term success for europe.

> clearer safe harbors for small actors

Different rules for different people huh?

Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.

Why did you use an LLM to write a comment?

There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.

What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die.

The problem is that with a nearly infinite amount of money, you are not going to get irrelevant on merit. You just buy up any company/talent that becomes a threat. They have done that with Instagram and WhatsApp (which was and is really huge in Europe etc.).

This is a proposal from the EC. Whether the EU accept it is not clear.

> What I really want to see is Meta getting irrelevant ON MERIT.

That's impossible. The network effects are too strong. Facebook may die, or even Instagram, but WhatsApp is so intermeshed with the majority of the world that it can only be taken out by a government.

> What I really want to see is Meta getting irrelevant ON MERIT.

Why? Is META relevant only on merit?

Can contract killers become irrelevant on merit, or does it take government intervention?

> HN was cheering on as EU went after Big Tech companies

HN is not a hive mind or a monoculture. Every time the EU goes after some company, some people always cheer, some people always boo, and some people will cheer some and boo others based on the impact/nuance of the particular policy or company.

Meta's only merit is having a lot of users and keeping them hooked at any cost.

It might surprise you, but success is not always rooted in having done great things for the world

Well yeah, the GPDR was great in theory and a huge win for privacy advocates until it did jack shit in practice. It turned out to have zero teeth and everyone just found ways to keep business as usual while 'complying' with the law.

It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.

Hackernews has always been a venture capitalist forum and has always had a significant minority that generally sides with money. I don't think that is substantially different today.

Most European regulations seemed to be less about helping regular people and more about protecting European ad firms, many of which are even shadier than big tech.

I live in EU. I am totally in support to force Meta down through government's big stick.

While they are at it, I hope they do it to the other big techs too.

Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.

> What I really want to see is Meta getting irrelevant ON MERIT.

That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.

Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.

So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.

I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.

Prior to 2020, FTC would have had a much stronger case. But too little too late.

I don't want an internet designed by lawyers and politicians. And I'm afraid that's what this level of regulation and enforcement would create.

I m not sure I follow your logic; are you saying that the regulation is not that bad because you are not fined enough if you don't follow it ? Some of us just follow regulations because it's the law - regardless of the fine. I feel like we should be allowed to express our opinion about their merits or shortcomings without considering the penalty aspect which is an entirely separate conversation.

Truly non-risk cookies were already exempt from the cookie banner. In fact, the obnoxious consent-forcing cookie banners are themselves in violation of the law. It's ironic that instead of enforcement we dumb it all down for the data grabbers. And most of them non-European to boot, so clearly this is amazing for the EU tech ecosystem.

Those “cookie banners” are nonsense aimed at getting this outcome.

This is a loss for European citizens and small businesses and a win for the trillion dollar ecosystem of data abuse.

The funny part is that many banners are already now not required. But there has been much propaganda by adtech around it, to rule people up against tracking protections and promote their own "solutions". That's the reason you see the same 3-5 cookie banners all around the web. Already today websites that use purely technical cookies would not actually not need any banners at all.

Can we get the do-not-track header instead?

https://en.wikipedia.org/wiki/Do_Not_Track

Because that made more sense than the cookie banner ever did.

Edit: it looks like there is a legal alternative now: Global Privacy Control.

So they finally admit that it was a mistake.

Even EU government websites had annoying giant cookie banners.

Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.

Related ongoing thread:

Europe's cookie nightmare is crumbling. EC wants preference at browser level - https://news.ycombinator.com/item?id=45979527 - Nov 2025 (80 comments)

the issue was never the law.

the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)

Most websites do. not. need. cookies.

It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.

https://noyb.eu/en/project/cookie-banners (edit: link)

jokes on them i never followed the law anyway

Non-risk cookies never required a banner.

That's the real news. There's no U turn, no weakening of GDPR. This article is propaganda.

I'm dubious of the privacy-preserving approaches and would rather we just quit with digital age verification. I'm specifically worried about unification of data sources identifying users.

The challenges presented to sites, and verifiers if the scheme uses those, would have to be non-identifiable in the sense that they can't tell that 2 of them came from the same key. Otherwise there's a risk users get unmasked, either by a single leak from a site that requires age verification and a real name (e.g. an online wine merchant) or by unifying data sources (timing attacks, or identifying users by the set of age-restricted sites they use).

Perhaps I just don't understand the underlying crypto. That wouldn't be super surprising, I'm far from an expert in understanding crypto implementations.

> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!

An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?

The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.

Another backhanded way to forbid opensource solutions? Because now they will argue we need secure booted tamper-proof windows/mac os to make sure the proof is legit.

> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)

Good kid mode[0].

[0] https://www.lego.com/en-gb/product/retro-telephone-31174

That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.

> This will probably lead to a series of committees about how to scale back the laws [...]

> [...] which will create new rules which will be put in place [...]

> [...] and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past

As intended by design.

I don't think there is some grand conspiracy or anything like that in the EU government around this, but it is clear where their priorities are. With those priorities being:

1. Perpetual rule of bureaucracy that exists for the sake of bureaucracy, with the best outcome of it being creation of even more bureaucracy. Anything of actual usefulness being done is just a side effect, not the goal. Bonus: this principle ensures perpetual job security for those career bureaucrats as well (and it helps with creating even more of them), as you can never have one too many committees or processes.

2. Hyperfocus on things that actually need to get done to consolidate power needed to ensure staying power for those bureaucrats and that the previous priority is not encroached upon. Case in point: an HN post[0] from yesterday about the EU pushing forward another new Chat Control proposal, shortly after their previous one failed earlier this year. For the EU governing bodies being stereotyped as ineffectual and too bogged down by their own bureaucracy, they surely are really efficient when it comes to repeatedly pushing publicly unpopular (but seemingly popular among the EU government bureaucrats) measures like Chat Control so quickly after their previous attempt had failed.

0. https://news.ycombinator.com/item?id=45970663

Lobbyists make sure that ~~Europe~~ the world stays weak.

They need more strict financial regulation than politicians do!

You can't build large ML models without swaths of data, and GDPR is the antitheses of collecting data. Therefore countries/companies that don't have to abide by it are at an obvious advantage.

If anything this is coming from political elite being convinced that AI research is a critical topic, EU recognizing it's weak because of the self-imposed handicaps and trying to move past that. I'd be shocked if we manage to do anything concrete on the matter TBH.

What were they doing with user data?

I do not care about 100s of startups and how they want to use my data for advertisement or other things they benefit from.

I care about keeping my personal data private so it will be more difficult to use for profiling me for whatever (whatever!) reason, but all are for other's benefit on no or marginal benefit for me in overwhelmingly major part of the cases.

If startups cannot do properly, then they should not do at all! They must spend on handling personal data well if they want to handle personal data at all! There are way enough already and most are just go out and bust, circulating data collected who knows where and how. And they are surprised it is so hard compiling data on people, people are increasingly reluctant to share because the so many abuse and actual damages caused by personal data abused.

People are important, not the startups!

Honestly? Sounds like incompetence. I have never had issues with GDPR compliance. If their business is using people's data in an irresponsible or intrusive way, then they probably shouldn't succeed. The engineering problems it introduces aren't hard problems.

What's the point of the choice in the first place. People either don't want cookies or they don't care. Nobody wants them. If both options are accessible enough, people always press decline. The EU should just make non essential use illegale.

They should do it on OS level instead of browser level, apps also do tracking, and collecting data. One question when you first boot up your device. One switch in settings.

> no need for notaries and in-person verbal agreements, etc.

With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.

And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.

They seem to be reporting on two drafts that were leaked by Netzpolitik.

https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...

https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...

The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".

https://ec.europa.eu/transparency/documents-register/detail?...

https://ec.europa.eu/transparency/documents-register/detail?...

They can be downloaded here: https://digital-strategy.ec.europa.eu/en/library/digital-omn...

> All consuming vague regulations like GDPR increase the cost of a startup by 500%.

Source?

What exactly did you see about cucumbers?

I don't see how training an LLM has anything to do with privacy laws.

It is perfectly possible to not train them on personal information, to remove or rewrite names, to remove IP addresses, etc.

> Training a large language model and privacy law as it's written today cannot coexist

If they aren't compatible, then the conclusion is abundantly obvious; the LLM has to go, not privacy. Small and questionable economic utility in exchange for a pillar of stable democratic society are NOT negotiable tradeoff.

There is enough data on the internet to train LLMs without breaking a single privacy law. If the economic value of LLMs are as real as the companies like to claim, there is enough data on the internet to train LLMs while paying for proper royalty for every single word.

I don't argue that privacy laws have been perfect. Only a fraction of GDPR seems to actually do much. But bending over backwards because big tech slips a few dollars in the pocket of Brussels is NOT the reason we should revise those laws.

Your proposed law would mostly be used against people who were publicizing the criminal record of the mayor's nominee for police chief or the ruling party's nominee for mayor.

What constitutes data about people?

If I save your comment, am I a digital stalker? Is Google a digital stalker because they archived this page? Is HN a digital stalker because they didn't get your explicit permission to show a profile page with your karma on it?

> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.

That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy. Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.

Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.

> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!

Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.

> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).

This was okay even before. Given this information (and your shirt size), you couldn't be identified.

I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.

What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.

The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?

Can you point to any of these guides?

> European Commission wants browsers to manage cookie preferences instead of pop-ups on every website.

Better late than never, but it's insane it took them almost a decade to figure this out.

EU citizens: WE DEMAND XYZ PROTECTIONS

EU: WE SHALL BUILD XYZ FOR EVERYONE

(years pass)

EU citizens: WE HATE XYZ PROTECTIONS

GDPR is not about the cookie banner, it has massive implications around the whole lifecycle of data. For example you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.