332 points vegasbrianc | 22 comments
diggan ◴[] No.42141994[source]
Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...

> This situation calls for an urgent revision of the ePrivacy Directive

Shame companies cannot live without tracking cookies, and shame that the blame somehow ends up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".

You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

replies(5): >>42142003 #>>42142011 #>>42142019 #>>42142081 #>>42142098 #
1. JumpCrisscross ◴[] No.42142011[source]
> shame that the blame somehow ends up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"

You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)

> know the best way of not having to care about GDPR? Don't store PII

This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)

[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument

replies(2): >>42142036 #>>42142159 #
2. diggan ◴[] No.42142036[source]
> this was a predictable response to a stupid rule

It was predictable that ultimately people would blame the regulation instead of the companies? Not sure I understand what you mean, and even if you meant what I think you meant, not sure what the point is? People blame all sorts of things all the time...

Edit since you've added more to your comment

> Proving compliance with GDPR is tedious

That's my point. No need to prove compliance if GDPR doesn't apply.

replies(2): >>42142042 #>>42142054 #
3. JumpCrisscross ◴[] No.42142054[source]
> predictable that ultimately people would blame the regulation instead of the companies

It was predictable this would result in disclosure/consent spam.

> No need to prove compliance if GDPR doesn't apply

If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms. (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

Both laws’ aims are noble. But they require tweaks. Starting with the cookie banners would be smart.

replies(1): >>42142097 #
4. diggan ◴[] No.42142077{3}[source]
Except it's not that black and white. If you follow the regulation too loosely, you get warnings. If you then ignore the problem, you'd get bigger problems. But no one is gonna put a "10% of global turnover" as a fine immediately.
replies(1): >>42142085 #
5. gjsman-1000 ◴[] No.42142085{4}[source]
> But no one is gonna put a "10% of global turnover" as a fine immediately.

You're dealing with the EU. Stupidly high fines happen weekly.

replies(2): >>42142103 #>>42142261 #
6. diggan ◴[] No.42142097{3}[source]
> If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms.

I think you might be missing that I'm talking about this from the company's perspective, not from the perspective of a person inside the EU.

If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data" as defined here: https://gdpr.eu/article-4-definitions/

> (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

Happen to have any quotes/sources for this? Would be the first time I've come across it myself. I'm genuinely interested in if it's being misused like that.

replies(2): >>42142298 #>>42143231 #
7. diggan ◴[] No.42142103{5}[source]
> You're dealing with the EU. Stupidly high fines happen weekly.

Thank you for making it clear you weren't taking the conversation seriously, I almost thought someone could hold opinions like that in real life, but I'm happy it wasn't so.

replies(1): >>42142143 #
8. gjsman-1000 ◴[] No.42142143{6}[source]
Tell that to Emmanuel Macron, who has openly said that the EU might literally die functionally, if not politically, in just 2-3 years due to sheer economic lack of competitiveness.

"Our former model is over. We are overregulating and underinvesting. In the two to three years to come, if we follow our classical agenda, we will be out of the market."

"If we want clearly to be more competitive and have our place in this multipolar order; first, we need a simplification shock."

"The EU could die, we are on a verge of a very important moment."

https://www.politico.eu/article/emmanuel-macron-france-europ...

replies(1): >>42142185 #
9. ben_w ◴[] No.42142159[source]
> for websites requiring a login

They don't need consent for that.

> reliant on ads

Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.

> This is a nothing to hide argument

"Don't store PII" does not seem to be that, to me?

If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?

replies(1): >>42142242 #
10. ben_w ◴[] No.42142185{7}[source]
Link does not support claim "Stupidly high fines happen weekly."

I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".

replies(2): >>42142191 #>>42142511 #
11. gjsman-1000 ◴[] No.42142191{8}[source]
> I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".

It's not specifically GDPR - it's the degree of overregulation in every sector, for almost every aspect of doing business. I was also speaking facetiously about large companies in particular - for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect. Or, the EU's stuff with Apple, the $12 billion fine against the will of Ireland, which has Apple assessing the profitability of even being in Europe.

replies(1): >>42142335 #
12. JumpCrisscross ◴[] No.42142242[source]
Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.
replies(1): >>42142321 #
13. Cthulhu_ ◴[] No.42142261{5}[source]
After multiple warnings and lawsuits, sure. Conform to the rules if you don't want the fines. But these companies are so big and rich, they'd rather break the rules and risk a fine than give up on their sweet data. And even if they get sued, they have armies of lawyers - still cheaper to spend millions on lawyers than pay a fine of hundreds of millions.
14. JumpCrisscross ◴[] No.42142298{4}[source]
> If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data"

You’re still obligated to respond to requests, even if it’s no response. And data regulators will still follow up on groundless complaints.

DMCA is strictly about copyright violation. If you’re not violating copyrights it should have nothing to do with you. But that isn’t how things play out in reality.

> have any quotes/sources for this?

No, just anecdotal. Every Magic Circle firm, however, will happily file complaints in multiple jurisdictions for you.

I’ll admit I’ve used GDPR a touch vindictively after a customer service interaction went poorly. Lots of requests, wait for a minor fuck-up, escalate to multiple data regulators because I technically have multiple nexuses. European equivalent of copying your state AG on a letter, except the burden to respond is on the company.

15. diggan ◴[] No.42142321{3}[source]
Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.

Replace marijuana with "personal data" and imagine it is about websites with visitors within the EU. If they're not storing, processing and/or transmitting personal data, there are no compliance requirements (from GDPR at least).

replies(1): >>42142359 #
16. ben_w ◴[] No.42142335{9}[source]
> for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect

This one?

"The EU fined online giant Meta almost 800 million euros on Thursday for breaching antitrust rules by giving users of its Facebook social network automatic access to classified ads service Facebook Marketplace." - https://fortune.com/europe/2024/11/14/eu-fines-meta-840-mill...

Because if so, that's going to have the opposite of a chilling effect, as it is anti-trust.

Likewise, what Apple got with Ireland, while Apple has to pay, it's something Ireland did wrong by illegally giving Apple a tax dodge to encourage it to base itself in Ireland rather than anywhere else in Europe — if that's "chilling": good. We don't want tax-dodgers. If Apple can't be profitable in Europe without dodging taxes, something's gone very badly wrong for them.

Now, I'm not saying the EU doesn't over-regulate, as that kind of claim about any government is like saying that a software project contains zero functions that are never invoked by a user. But I am saying the scope of your rhetoric is not sufficiently supported by the evidence provided.

17. JumpCrisscross ◴[] No.42142359{4}[source]
> If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal

This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)

Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.

replies(1): >>42148504 #
18. JumpCrisscross ◴[] No.42142511{8}[source]
Yeah, GDPR is tedious. Not expensive nor even onerous.
19. kasey_junk ◴[] No.42143231{4}[source]
I built a GDPR request deletion system for a company right as GDPR came into effect. In the first year the only requests that came in were from privacy advocates and competitors.

I don’t know if after that it saw more natural usage but I doubt it.

20. marcosdumay ◴[] No.42148504{5}[source]
> By making the marijuana illegal, you also implicitly widen search powers.

Nope, you don't. Those are two different things.

There are plenty of things that are made illegal without giving the government the power to search for them.

> You can’t arrest someone you think smells like weed if weed is legal.

You can't arrest someone by smelling like weed in any democracy where it's illegal either.

replies(1): >>42155609 #
21. diggan ◴[] No.42155609{6}[source]
I agree with the rest of your comment but

> You can't arrest someone by smelling like weed in any democracy where it's illegal either.

isn't true. Sweden is super strict on usage and if even a "normal" person and/or neighbour would smell weed from you or your place they'd definitely call the cops on you. If a cop smelled weed on you in public you'd get arrested immediately no doubt.

Yet, most people consider Sweden a democracy :)

replies(1): >>42157054 #
22. marcosdumay ◴[] No.42157054{7}[source]
I'm sorry, but I was partially pulling a No True Scotsman on that part.

If some random policeman can look at you, decide to arrest you with no real evidence, and it's all legal, that's a huge Human Rights violation right there.

How does a judge deal with this? Do they rush to smell the culprit too?