| ▲ | danishSuri1994 5 hours ago |
| I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses. |
|
| ▲ | clickety_clack 4 hours ago | parent | next [-] |
| So “smart rules” only means “more rules”? Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place. |
| |
| ▲ | cael450 4 hours ago | parent [-] | | Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy. |
|
|
| ▲ | marcosdumay 4 hours ago | parent | prev | next [-] |
| Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not. That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning... |
| |
| ▲ | sothatsit 2 hours ago | parent | next [-] | | Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway. I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity. | |
| ▲ | mlyle 4 hours ago | parent | prev [-] | | Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on. But uncertainty in compliance and time spent navigating compliance is nearly pure waste. | | |
| ▲ | a4isms 3 hours ago | parent [-] | | To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them. The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage. | | |
| ▲ | marcosdumay an hour ago | parent | next [-] | | I'm not sure. Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain). Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process. | |
| ▲ | mlyle 2 hours ago | parent | prev [-] | | Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation." |
|
|
|
|
| ▲ | btreesOfSpring 3 hours ago | parent | prev | next [-] |
| A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered.
Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle.
They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws. |
|
| ▲ | ljm 4 hours ago | parent | prev | next [-] |
| Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down. Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?” Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment. |
|
| ▲ | 3 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | seanmcdirmid 2 hours ago | parent | prev | next [-] |
| AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed chatgpt the right amount of legal and ruling documentation, and then consult it on how you can actually comply. |
| |
|
| ▲ | shadowgovt 4 hours ago | parent | prev | next [-] |
| Browser level consent primitives would be a significant improvement on the status quo. |
| |
| ▲ | d-lisp 3 hours ago | parent | next [-] | | I second this; I have never been "into" these problematics and as a user I generally just disallow everything I can, which can be a pain (I mean I often want to not store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners").
While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privilege access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely). But that's only a small part of a huge legal frame, and as I said I don't know much about these problematics. | |
| ▲ | recursive 4 hours ago | parent | prev [-] | | Do Not Track was a spectacular failure. You can still turn cookies off in your user agent though. | | |
| ▲ | lenerdenator 4 hours ago | parent [-] | | It was a spectacular failure because the people who thought of it didn't stick to it. | | |
| ▲ | recursive 2 hours ago | parent | next [-] | | I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side. | |
| ▲ | bigfatkitten 3 hours ago | parent | prev [-] | | In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising. | | |
| ▲ | pseudalopex 3 hours ago | parent [-] | | Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now. | | |
| ▲ | shadowgovt 3 hours ago | parent [-] | | > Advertisers said they would ignore it for this reason That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived. But they weren't prepped to take action yet. | | |
| ▲ | pseudalopex 2 hours ago | parent [-] | | Microsoft made the user expressed intent and the user expressed no opinion look the same. | | |
| ▲ | K0nserv 2 hours ago | parent [-] | | That doesn't track (pun not intended). It's a binary state so either side has to be the default, they just changed which side the default fell on. Prior to the change no opinion expressed and expressed intent (in favour of tracking) still looked the same. |
|
|
|
|
|
|
|
|
| ▲ | graemep 4 hours ago | parent | prev | next [-] |
| I always felt applying the same rules to everyone was a big problem with GDPR. Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information. It's not just cookies and websites, it's any personal information stored electronically. |
| |
| ▲ | MangoToupe 4 hours ago | parent [-] | | I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network? | | |
| ▲ | graemep 4 hours ago | parent | next [-] | | I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite). I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in. | |
| ▲ | pembrook 3 hours ago | parent | prev [-] | | Ughhh here we go again. Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad nauseam. I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details. Almost nobody on this forum has ever talked to a lawyer about this, and even fewer people have followed the actual court rulings that have determined what GDPR actually means in practice. My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various Schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is. And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog." | | |
| ▲ | SiempreViernes 3 hours ago | parent | next [-] | | I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist you could be responsible custodians? | |
| ▲ | troupo 2 hours ago | parent | prev [-] | | > but will continue to go back and forth if GDPR remains as-is. Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data. | | |
| ▲ | pembrook an hour ago | parent [-] | | I totally get it, it's fun to take wildly impractical ideological stances on things and ignore reality. However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists. Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business. Unfortunately, in fossil fuel driven reality, you can't just shut off the fossil fuels and switch to paper straws, you have to build actually viable alternatives first. Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks. Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death. Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model. Etc. Etc. | | |
| ▲ | vladms 22 minutes ago | parent [-] | | You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed. What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc. |
|
|
|
|
|
|
| ▲ | YetAnotherNick 4 hours ago | parent | prev | next [-] |
| Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes). |
|
| ▲ | port11 4 hours ago | parent | prev | next [-] |
| This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care. I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it. Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market. AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc. It's just… lazy. “Slap AI on it”-level policy. Ugh. |
| |
| ▲ | Retric 4 hours ago | parent [-] | | Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right. |
|
|
| ▲ | MangoToupe 4 hours ago | parent | prev | next [-] |
| Innovation isn't worth it for innovation's sake, though. Europe could easily profit watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe. |
| |
| ▲ | jedberg 4 hours ago | parent [-] | | > I don't see anything about GDPR that would harm innovation or long-term success for Europe. It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge. There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII. You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations. | | |
| ▲ | troupo 2 hours ago | parent [-] | | > The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII. So either you're lying or your lawyers are lying to you. In 9 years you could've finally read and understood the rather small law yourself. | | |
| ▲ | jedberg 2 hours ago | parent [-] | | I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you. |
|
|
|
|
| ▲ | jdasdf 5 hours ago | parent | prev | next [-] |
| > clearer safe harbors for small actors Different rules for different people huh? Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy. |
| |
| ▲ | Swenrekcah 5 hours ago | parent | next [-] | | Not different rules for different people. You would be subject to one rule for your small company and another rule as it grows. This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures. | | |
| ▲ | rat9988 4 hours ago | parent [-] | | This is different for different people said differently. Why would small companies have access to things not allowed to big companies? | | |
| ▲ | alwa 4 hours ago | parent | next [-] | | Yes, it is—gp’s point being we do that all the time and often agree that it makes sense. A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public. Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate. | |
| ▲ | Swenrekcah 4 hours ago | parent | prev | next [-] | | Corporations are not people. This is not different rules for different people. In the traditionally implied sense of different rules for different social classes. | |
| ▲ | kelseyfrog 4 hours ago | parent | prev | next [-] | | Because quantity is a quality of its own. | |
| ▲ | Levitz 4 hours ago | parent | prev [-] | | Because their conditions and abilities are different. | | |
| ▲ | rat9988 an hour ago | parent [-] | | But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens? |
|
|
| |
| ▲ | kazinator 5 hours ago | parent | prev | next [-] | | The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything. For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever. Such ideas often have regressive effects. However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way. Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.) | |
| ▲ | 47282847 5 hours ago | parent | prev | next [-] | | Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it. | |
| ▲ | 4 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | ivan_gammel 5 hours ago | parent | prev | next [-] | | >Different rules for different people huh? That’s how efficient market works. The bigger are the players, the higher are the chances they will distort the market. You need to apply the force proportional to size to return market back to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special. | |
| ▲ | veltas 5 hours ago | parent | prev | next [-] | | Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair. | |
| ▲ | andrepd 5 hours ago | parent | prev | next [-] | | In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious. | | |
| ▲ | veltas 4 hours ago | parent [-] | | In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals. I wish you were right though. | | |
| ▲ | vouwfietsman 4 hours ago | parent | next [-] | | I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc. | |
| ▲ | hobs 4 hours ago | parent | prev [-] | | Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc. | | |
| ▲ | no-name-here 4 hours ago | parent [-] | | > home owner But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc? | | |
| ▲ | Spivak 4 hours ago | parent [-] | | Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation. |
|
|
|
| |
| ▲ | cess11 5 hours ago | parent | prev | next [-] | | I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful. But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on? | |
| ▲ | JumpCrisscross 5 hours ago | parent | prev | next [-] | | > Different rules for different people huh? Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense. | |
| ▲ | shadowgovt 4 hours ago | parent | prev [-] | | It could, however, be good policy independent of personal preference. I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth. |
|
|
| ▲ | pants2 4 hours ago | parent | prev [-] |
| Why did you use an LLM to write a comment? |
| |
| ▲ | gruez 4 hours ago | parent [-] | | What makes you think it's LLM generated? | | |
| ▲ | pants2 4 hours ago | parent | next [-] | | Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y" | |
| ▲ | stronglikedan 4 hours ago | parent | prev | next [-] | | colons and directional quotation marks scare folks who don't know how to use them properly | |
| ▲ | barrkel 2 hours ago | parent | prev | next [-] | | The structure of what it wrote, and the banality of the point. | |
| ▲ | marknutter 4 hours ago | parent | prev [-] | | The double quotes perhaps? |
|
|