alt.hn

2/3/2026 at 5:48:22 PM

I made 20 GDPR deletion requests. 12 were ignored

 https://nikolak.com/gdpr-failure/

by nikola-k

2/3/2026 at 6:36:59 PM

This kind of failure-to-enforce is endemic to government. Oversight and enforcement are implicitly expected of well-regulated governments, and that costs money that nobody wants to pay. Laws get enacted with little thought to how much it will cost to administer them, and they either get underfunded or added to the list of government bloat.

There is no easy way out. The oversight to ensure that governments do what they're expected to without corruption costs real money. We haven't yet figured out how to balance good government with fiscal efficiency; but it would at least be an improvement if people could be educated on the actual cost of properly implementing a law before it gets voted on.

As usual for cases like this, the only chance for a person to force compliance is to have enough money/resources, putting it out of reach for the general population.

by unbalancedevh

2/3/2026 at 6:52:46 PM

We have figured out how to get money to enforce paying taxes and GDPR compliance: Pay them with the taxes and fines. USA's IRS has a famously high ROI, and I'm willing to bet a single GDPR fine for Google/Facebook/Microsoft pays for a whole lot of GDPR enforcement.

by tpxl

2/3/2026 at 6:58:51 PM

In general, when it comes to enforcing laws on normal, individual people, governments seem to have no problem finding and cracking down on you. When it comes to enforcing laws on the rich, or corporations, suddenly the kid gloves go on and the "but we're simply not funded for enforcement!" excuses emerge...

by ryandrake

2/3/2026 at 6:56:42 PM

While enforcement and the cost of enforcement is an important consideration, I would say that there is still value in unenforced law and regs. They set an expectation and a norm.

by lo_zamoyski

2/3/2026 at 7:02:58 PM

This is one problem, but in the GPDR's case it's worse: the law is designed for governments. The only people who can actually take action based on the GPDR ... are NOT the courts (same with the AI act btw).

Which governments have immediately used to:

1) exempt themselves from GPDR (e.g. allowing the use of medical data in divorce cases, and then refusing deletion of medical data from public institutions "for that reason". Then of course this was extended to tax enforcement (some of you European bastards DARE to try to get dental treatment when owing back taxes! Some things CANNOT be allowed)

2) they used it to attack certain firms for entirely reasonable reasons. One example, one of the very first cases, before the law was even in force was against Google. You see there are some online articles about José Manuel Barroso, the communist non-executive chairman and senior adviser of London-based Goldman Sachs International (yes, really, communist, not a joke), ex-socialist, then EU commission president ... that according to him violate the "right to be forgotten" (which technically doesn't apply to public figures, but apparently EU commission presidents aren't public figures)

There were some articles he wanted deleted about how technically he is (was?) a murder suspect (he organized and participated demonstrations where some people were killed by a mob that he was part of, and probably the leader of), and how there were complaints against him by his students that allege he beat them up (as in physically), apparently in arguments about financial systems (yes, even when he was a pretty extreme communist he was a professor). He couldn't get the articles deleted ... and so he wanted them hidden. He got what he wanted, without court involvement.

by spwa4

2/3/2026 at 6:14:38 PM

Unfortunate. I've had good success rate with smaller companies, whereas I still have an open email chain with Deezer and Glovo in my inbox because their process required to much back and forward (Deezer was particularly stupid because while I had an active trial they couldn't delete my account).

I think the bigger problem is that the entire process is left up to the invidual, to both deal with the vendors (sometimes having to scavange the privacy policy for an email address, or follow multi step processes) and report to the local DPAs. And the local DPA could have as arbitraty rules for the process, and very involved form fillings.

It doesn't help when institutions smell as corruption, as likely seen in Ireland, where it took them almost 8 years to resolve a complaint against facebook and fine them.

Only line I always want to see go up https://www.enforcementtracker.com/?insights

by mhitza

2/3/2026 at 6:25:29 PM

That is unfortunate as its more important to enforce the law big companies, especially those who trade data.

by graemep

2/3/2026 at 6:24:06 PM

It could be worse: You could be in the US, where companies can buy and sell your personal information without consequence.

by gwbas1c

2/3/2026 at 6:27:41 PM

I would suggest the US is slightly better. At least we don’t have an unenforceable law that offers the illusion of privacy protections.

by munchler

2/3/2026 at 6:45:03 PM

There’s an implicit assumption in this snark that the only purpose of a law is to create legal consequences (a subclass of error that’s very common on this forum, some type of “literalism”).

This is IMO a bit shortsighted: laws impact culture, laws represent ideals worth striving for, and in a democracy, laws help define the type of society in which the people would like to live.

A law’s utility is not limited to its ability to be enforced. In fact, in a democracy, when a law is not enforced, it is a strong signal that the will of the people is not being carried out by those charged with enforcement. See: the current USDOJ.

by datsci_est_2015

2/3/2026 at 6:59:52 PM

"Will of the people" aside, the law is indeed a teacher. It sets a norm and an expectation even when not enforced.

by lo_zamoyski

2/3/2026 at 7:11:12 PM

Except when “not enforced” becomes the norm and the expectation.

by isjdjsidjsidb

2/3/2026 at 6:38:40 PM

how is having NO law better? I'd say 12 out of 20, is better than zero.

by ejpir

2/3/2026 at 8:59:30 PM

When enforcement is this shoddy, it’s easy to create corruption through selective enforcement.

“We don’t have the resources to go after everyone, so we must prioritize” - but it turns out there’s a bias to the selection process…

I believe that justice is only true when we are all treated equally under the law.

by gretch

2/3/2026 at 6:45:39 PM

I think you mean 8 out of 20. Fewer than half.

by irasigman

2/3/2026 at 7:58:13 PM

[dead]

by zxcvasd

2/3/2026 at 6:29:45 PM

> A flat minimum, say 5,000€ per violation, no matter how small the company

It's hard to imagine a practice more hostile to starting and operating a business than such a policy

by throwmeaway820

2/3/2026 at 6:37:55 PM

How is a fine for mishandling personal information "hostile" to business?

A true Hacker News and YCombinator moment.

by goshcoding

2/3/2026 at 7:24:39 PM

Yes, especially as the company could just implement a button "Delete your data" on their website. An automated task initiated by the user. No work for them.

Companies could also make clear before any registration, on one page, which data they will ask for and later collect. If they were honest. Then the user had a chance to opt out _before_ they have given any data to them.

Well, they are not honest, because what do they do instead? Page 1: "Please, your E-Mail". Page 2: "We also need your phone number (we may call you)". Page 3: "Great, nearly done. Now please, your address, your credit card, a fingerprint copy and a picture of your penis".

I am in favor of appending a zero to those 5.000 Euros.

by nilslindemann

2/3/2026 at 9:31:07 PM

Til there are a lot of penis pictures on the internet. A gdpr goldmine!

by Ylpertnodi

2/3/2026 at 7:04:34 PM

It gets in the way of ever increasing profit. The most important thing ever.

by testing22321

2/3/2026 at 6:43:13 PM

Not allowing reckless disregard for the rights of people = literally fascism.

by michaelsshaw

2/3/2026 at 6:46:28 PM

California has the exact same penalty structure in the CCPA:

> (b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

$7,500 per intentional violation, $2,500 per unintentional.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

by petcat

2/3/2026 at 7:00:05 PM

But the California law only applies if your business has more than $25m revenue or does a lot of selling of PII. See SEC. 9. Section 1798.140 in the page linked.

by patja

2/3/2026 at 7:02:31 PM

> [receives] the personal information of 50,000 or more consumers, households, or devices.

That's a trivially small bar to clear in order to be regulated under the CCPA where large-scale data harvesting is the focus.

by petcat

2/3/2026 at 10:19:42 PM

There is more to that clause:

Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

So it only applies if you are buying or selling or sharing PII. Not if you just have 50,000 users/visitors to your website and keep it all private.

by patja

2/3/2026 at 6:40:55 PM

If compliance is so difficult for a business that they will fail if the law is enforced, good.

by Apreche

2/3/2026 at 6:34:49 PM

If you open a business you should be responsible enough to comply with the laws. A business that became large enough where this would become a time sink would be able to afford to hire someone.

by mattjhall

2/3/2026 at 6:38:53 PM

And why not make the fines 0.1% - 1% of a venture's revenue? Because that's what you're talking about.

by jbverschoor

2/3/2026 at 6:46:15 PM

Why not make it 4%? Because the highest fine per GDPR is 4% of global revenue or 20 mil, whichever is higher.

by tpxl

2/3/2026 at 6:37:26 PM

can you explain why? I mean a company ignoring common and simple rules of law... why you want to "protect" that?

by y42

2/3/2026 at 6:52:49 PM

" simple rules of law..." - sadly, EU regulations in their totality are far from simple

by matkoniecz

2/3/2026 at 11:16:27 PM

Please elaborate, what's so complicated about it?

by worksonmine

2/3/2026 at 9:32:16 PM

Which ones? I've had no problems - especially with gdpr.

by Ylpertnodi

2/3/2026 at 6:39:27 PM

You really think mom & pop business that have limited IT skills have 5k laying around for some minor violation like not deleting an older email?

by raverbashing

2/3/2026 at 6:43:56 PM

Mom and pop businesses with limited IT skills are not collecting emails and private information. At worst they’d be using some external service (e.g. Mailchimp) which does it for them, and those have an obligation to be familiar with the law.

by latexr

2/3/2026 at 11:29:42 PM

> Mom and pop businesses with limited IT skills are not collecting emails

They absolutely are!

by throwmeaway820

2/3/2026 at 9:17:59 PM

The GDPR really isn't that hard to follow, for a "mom & pop" business, it really comes down to:

  * Limit data retention — Don't keep personal data longer than necessary
  * Honor data subject rights — Allow individuals to access, correct, delete, or port their personal data
Simply, don't collect personal information if you don't need it. If you do need it, add a delete button.

by mmh0000

2/3/2026 at 6:43:43 PM

They will not get that fine for a looooooooong time

by troupo

2/3/2026 at 6:48:25 PM

All you have to do is respect the law and respect your customers. Absolutely the most basic thing we can ask of a new business.

by WheatMillington

2/3/2026 at 7:16:28 PM

The issue lies somewhere in between.

I agree that businesses who unlawfully sell your data or do not implement a minimum of security measures should be punished hard.

I also agree that a flat 5000 € is problematic. Not because I believe that breaking the law shouldn't be punished. It's because you also get punished if you protect the data and respect your customers, but you don't document the thousand things you must document as a small business.

I don't know if you ever looked at GDPR, but that does not distinguish between a company with five employees and 50,000 employees.

The company with 5 employees must exactly (!!!) implement the same audit trail and processes that the 50,000 employee company has to do. Or worse, there's literally no difference between you founding a company and Facebook.

This shit gets extremely overwhelming extremely fast and that's just killing small businesses.

by 7bit

2/3/2026 at 8:31:28 PM

As someone with experience with it, I heartedly disagree. It’s not that hard to not invade user privacy. You have to go out of your way to be invasive, just respect your users and collect as little data possible. That’s truly the way to go and reduces your liability in a multitude of ways, including protecting you of data breaches (if you don’t keep the data, there’s nothing to steal).

by latexr

2/3/2026 at 7:15:10 PM

Privacy by design is easy. If you are incapable of dealing with GDPR, don’t start a company, because you lack survival skills amyway.

by ivan_gammel

2/3/2026 at 7:04:35 PM

On the "German DPA can only forward it to Czech DPA" there is now regulation (2025/2518) around the cross-border enforcement and as far as I understand it actually has hard deadlines. However it will only start being in effect around May 2027 and will only affect cases which were filed after that. It is still very long process and does require that the original DPA actually initiates things.

The spam filter loophole is unlikely to be legal. It it contrary to other DPA rulings (like Norwegian DPA ruling on Mowi ASA), EDPB guidelines don't strictly define it but I would say tilt towards that excuse not being sufficient & my understanding is that there are also some court cases from Germany and Austria that treat messages routed to spam as recieved (https://www.nospamproxy.de/en/emails-in-spam-folders-are-con...). Of course if you want to actually enforce it you would need to appeal the decision in court, I have no clue how easy or hard that is in Germany.

by buzer

2/3/2026 at 11:53:51 PM

As the DPA indeed doesn't function for these kinds of cases, it's also possible to involve the courts and get a legal remedy (i.e. sue them). In The Netherlands that's possible with a 'complaint procedure' in the case of GDPR rights, which is more forgiving on the process (it starts with a not-too-formal letter to the court instead of a summons) and allows for representing yourself. Maximum costs would be somewhere around € 2500 if you lose, € 0 if you win (disregarding all the work and effort that cannot be recouped).

Of course this really isn't something you'd want to do for these kinds of simple cases. But threatening to do so often goes pretty far. The court in the country of the data subject has jurisdiction, so any company operating from another country would need to defend themselves abroad, which can be a strong incentive to cooperate or settle the case.

I've gotten results for GPDR article 20 requests (data portability) multiple times after some strongly worded letters (Spotify [1], NLZiet, AliveCor and Albert Heijn), and have gone to court twice. Once won against Eneco (although that was only about court fees they didn't want to pay without an NDA), and once didn't lose but regrettably didn't win on a quite complicated case against ABN AMRO in which the court just didn't understand what machine readable means despite the clear guidelines by the EDPD.

[1] https://news.ycombinator.com/item?id=24764371

by Confiks

2/3/2026 at 6:08:21 PM

There was a presentation here a while back (last year) about how to avoid getting ignored or played otherwise when submitting those requests. Sadly I cannot find it, but maybe someone else has the link?

by paweladamczuk

2/3/2026 at 7:29:32 PM

> I'm a German citizen

Of course, who else would complain about this.

When my ex-wife just moved to Germany, she was extremely anxious about waste sorting. She spent an hour sorting trash according to video guides on YouTube. Regardless doing everything perfectly, some German neighbor snitched on her to her landlady. Then some other old neighbor was watching through her windows with binoculars (privacy my ass!). Germany is a terrible country, the sick man of Europe once again

by loorke

2/3/2026 at 9:26:13 PM

Two neighbors do not a country make.

by Ylpertnodi

2/3/2026 at 6:07:40 PM

My understanding is that GDPR is being strongly reviewed with the goal of modeling it closer to what California did with the CCPA [1], which seems to be a much more effective privacy regulation.

[1] https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...

by petcat

2/3/2026 at 6:08:10 PM

Do you know what the primary differences are?

by LunaSea

2/3/2026 at 6:43:57 PM

If you mean what they are planning to change (as part of the omnibus) there is report by NOYB https://noyb.eu/sites/default/files/2025-12/noyb%20Digital%2...

If you mean how CCPA/CPRA differs from GDPR there are lots of things. For example you are not entitled to know actual recipients of your data, only the categories. So you cannot really know who actually received your data which then prevents you from exercising your rights against those controllers (or covered entities in CPRA language). GDPR also requires companies to usually notify you if they receive your data as controller (though there are some exceptions), in reality that's not really happening though (e.g. how many payments processors or acquiring banks have notified you about your credit card payments?).

CPRA also allows selling your personal data if you do not opt-out, in GDPR that would generally require consent (except in certain situations where you can use legitimate interest as the basis). GDPR also regulates cross-border transfers a lot more closely as the idea is that the protections & rights travel with the data.

by buzer

2/3/2026 at 6:46:16 PM

That’s essentially what I’ve experienced, call it 'anecdotal evidence.'

I had a long, ongoing, and very upsetting interaction with a bigger German company. Since I have experience in data privacy and GDPR, I eventually started thoroughly crawling their entire online presence for infringements. I found a significant number of issues and compiled a very extensive report. At first, they were completely dismissive. It was only after I issued formal legal warnings that an actual lawyer contacted me and promised to fix the issues.

Most of the GDPR violations were simply sloppy, though some were genuinely ignorant. It’s wild that we are eight years past 'Year Zero,' and while everyone is constantly talking about data privacy, these gaps still exist.

Some of them eventually has been fixed after my report, silently of course. phhh...

by y42

2/3/2026 at 6:19:53 PM

Until there is legislation to simply ban data mining/reselling no companies are going to stop. The benefits to selling you out are simply too profitable and ignoring the hand slap laws/fines stops no one.

The biggest hindrance is that there is ZERO government desire to reign this in. Why? Because the government itself is one of the biggest customers of this data.

The government "fines" the company and immediately comes right back around to the checkout line and hands the same company piles of money for the exact same data they just fined them for selling. The company then just raises the price to make up the difference. I don't see any of this changing in the next 50 years.

by citizenpaul

2/3/2026 at 6:11:40 PM

> A flat minimum, say 5,000€ per violation, no matter how small the company, applied automatically when non-compliance is confirmed.

No wonder Europe is such a laggard in tech when even software devs write non sense like this.

One one hand they want independence from the evil US hyperscalers but on the other hand they are ready to kill any new company in the EU.

by tasubotadas

2/3/2026 at 6:17:35 PM

Many of the "evil US hyperscalers" are headquartered in California, and the CCPA [1] has this exact penalty structure codified in law:

> (b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

$7,500 per intentional violation, $2,500 per unintentional.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

by petcat

2/3/2026 at 6:27:44 PM

But it also doesn't apply to small companies:

The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, does business in California (regardless of where it is located), and satisfies at least one of the following thresholds:

Has annual gross revenues in excess of $25 million in its most recent tax year;[11] Buys, receives, or sells the personal information of 100,000 or more consumers or households; or Earns more than half of its annual revenue from selling consumers' personal information.[12][13]

https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...

by konne88

2/3/2026 at 6:34:30 PM

Right, the CCPA targets large/semi-large scale data processors. That Wikipedia seems to be outdated, because the law text reads:

> satisfies one or more of the following thresholds:

> (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

> (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

> (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

This alone is enough to apply to most non-trivial apps/businesses where large-scale data harvesting is a huge problem:

> the personal information of 50,000 or more consumers, households, or devices.

by petcat

2/3/2026 at 6:49:35 PM

Those numbers are maximum fines per violation if I understand the wording correctly ("not more than") while the suggestion was that €5,000 should be a minimum.

by mytailorisrich

2/3/2026 at 6:13:32 PM

In Spain the fines are like 60k for data protection violations, no matter how small you are, and if you’re self employed, you can’t declare bankruptcy and you have to pay the fine with your own personal assets.

by blell

2/3/2026 at 6:29:55 PM

Sounds like a great reason to never start a company in Spain, ever.

by wincy

2/3/2026 at 6:36:59 PM

Sounds like a great reason to never start a criminal company in Spain.

by jjgreen

2/3/2026 at 7:03:01 PM

Perfect recipe to discourage individuals from innovating. I'm all for holding actual companies with user bases and counsel and insurance and a business model and etc accountable. But "private party just getting started with a bespoke solution was a bit careless or ignorant; luckily no serious harm was caused" should never be financially ruinous.

by fc417fc802

2/3/2026 at 6:30:57 PM

why would anyone risk starting a business in such an environment?

by throwmeaway820

2/3/2026 at 8:04:41 PM

This is self employment only where your company assets == your assets. You can make an LLC and this isn't a problem.

by tpxl

2/3/2026 at 10:35:15 PM

An LLC will cost you much more money. It’s a great pay cut.

by blell

2/3/2026 at 6:18:55 PM

Or perhaps they want to stop any company that doesn’t want to play by the rules as defined by the laws of society. So doesn’t matter whether it’s a US hyperscaler or an EU wanna be.

by jjp

2/3/2026 at 6:23:08 PM

Then don't violate it, you won't get fined.

by avh02

2/3/2026 at 6:26:14 PM

This comes from the same website that tells you that the average person commits a thousand crimes every day and that prosecuting criminals is therefore meanie mean.

by blell

2/3/2026 at 6:20:18 PM

You wouldn’t even believe the stuff I’ve heard in “startup” and “innovation” spaces about regulation and stuff like government grants.

I usually hear the “we [europe] have some of the brightest minds, we can do anything” and sure, granted, but that’s not the issue and it has never been. Why would those bright minds want to build something in a place that’s so obviously against the very same idea of free competition? Of course they don’t, those who can just flee and those who can’t usually end up building some useless grant-ware in an endless cycle. That’s not to say that we don’t have great startups and entrepreneurs, we do, but I find myself fighting every day against a system that’s built for the state to decide what, when and how citizens must innovate (and live).

/s

by rmonvfer

2/3/2026 at 6:16:49 PM

Criticism of the EU always gets down voted here but this on point. The EU does too much trumpet blowing.

Too much gets put into law/regulations and then ignored without any kind of retrospective with regards to undesirable effects and efficacy.

Companies have realised GDPR isn't really anything to be feared in reality. Don't quote issued fines at me - quote fines that have been actually paid at least (you'll find that harder to Google)

by gib444

2/3/2026 at 6:52:20 PM

> Criticism of the EU always gets down voted here

The Chat Control threads are an easy example to demonstrate otherwise.

by latexr

2/3/2026 at 7:26:06 PM

Sure, pick the weakest part of my comment to reply to because I was imprecise in my language

by gib444

2/3/2026 at 8:02:54 PM

You make it seem like disagreeing with one of your arguments (you made more than one) somehow means I believe all of them are invalid. That’s not true at all. I also don’t see what was imprecise about your language, the argument seems quite clear.

I do agree the GDPR is not enforced enough. I disagree that “criticism of the EU always gets downvoted here”. I don’t know about unpaid fines, but doing a web search I can’t find information either way, so perhaps if you know they aren’t paid you could provide the source for that claim?

You don’t need to take it to heart. Disagreeing with your point isn’t an insult to you. We’re all wrong about some things and right about others. Saying that “X always happens on HN” is typically incorrect (I have yet to find the situation where it is true).

by latexr

2/3/2026 at 6:34:56 PM

One could argue that the intention of the law is to make it possible to collect revenue from non-EU companies. Since the EU doesn't have any sizable internet companies. Not counting Prosus group as they are a holding company, Spotify is the biggest at 100mm. EU doesn't care about small / midsized companies because they don't have enough income to bother with. "The purpose of a system is what it does".

by briandw

2/3/2026 at 7:00:21 PM

> EU doesn't care about small / midsized companies because they don't have enough income to bother with.

I am so very tempted to quote you sarcastically using mixed upper lower case text for how incredible wrong you are. Yes, there is less enforcement than I want of GDPR, but any insinuation that they do not bother is a lie.

Here is your proof:

https://www.enforcementtracker.com/

by Y-bar

2/3/2026 at 11:40:26 PM

point conceded, they do enforce gdpr on smaller companies thanks for the enforcement tracker link i scraped that page to get the raw data and added it up by company. i wanted to see how much the main us tech companies paid vs everyone else

these aren't audited but total €6,848,216,522 us tech €4,527,961,028

so 66% from just a few companies from outside europe

by briandw

2/3/2026 at 11:44:09 PM

forgot about a few others uber marriott clearview openai €4 899 121 028 or 71.5%

by briandw

2/3/2026 at 7:23:43 PM

Which of those fined have landed in the EU's bank account?

by gib444

2/3/2026 at 8:06:32 PM

None. EU has no bank account. Fines are levied by member countries and their equivalent of the IRS and police collects them. Collecting these fines are a requirement to be a voting member of the EC, so any member state that fails to collect will be stripped of their right to vote on EU regulations.

by Y-bar

2/3/2026 at 6:34:32 PM

Are there citizen punishments that can be levied when a company refuses the law?

For example, you put in a GDPR deletion request. Company ignores or otherwise does not comply with the law. Can you sue them directly over that?

In the USA, Ive seen a lot of various laws like CAN-SPAM act. But there are no remedies for citizens who were spammed to get statutory damages for being violated. Having that option to get money for being wronged would solve these sorts of problems.

by mystraline

2/3/2026 at 6:39:39 PM

Deletion requests are a bit fuzzy. Withdrawing consent is easy, some deletions are easy but we need to remember that the GDPR have a carve out "for the establishment, exercise or defence of legal claims."

In practice this means that companies will keep data, and are entitled to keep data, for the period a legal claim may be made. For instance in the UK that period is 6 years and so you will find that companies will keep data for 6-7 years.

by mytailorisrich

2/3/2026 at 6:01:17 PM

GDPR is privacy theater

by oncallthrow

2/3/2026 at 6:14:06 PM

At the very least it did result in plenty of services that previously didn't allow one to delete accounts to add that option. For other cases writing a strongly worded email did the trick, unfortunate that Nikola did not have as much success with it.

by SyrupThinker

2/3/2026 at 6:03:24 PM

Somewhat, but not entirely. For smaller players it's a hassle/PITA but it does enforce some checks and balances on the larger players.

by Insanity

2/3/2026 at 6:39:56 PM

thanks for the insight, keyboard warrior

by 0123456789ABCDE

2/3/2026 at 6:11:12 PM

only because it isnt enforced.

if fines were levied and actually collected, itd be a pretty robust regulation for privacy. theres other issues with it, but nothing that requires gdpr to be wiped out -- just modified (and clarified) a bit.

by zxcvasd

2/3/2026 at 6:06:30 PM

Honestly I'd think about several "worse" companies to annoy with such "a test" first than Prusa, but anyway

> A company can list an email address as their official GDPR contact in their privacy policy, and if their own spam filter eats your request, it legally never happened. There is no obligation to check. There is no obligation to ensure delivery. The burden is entirely on you to prove they received it.

That's you being silly. The correct way is to send a letter with a Reception Receipt https://en.wikipedia.org/wiki/Avis_de_r%C3%A9ception which is the way lawyers like to do

by raverbashing

2/3/2026 at 6:15:35 PM

[flagged]

by kshmir

2/3/2026 at 6:13:56 PM

While I love the idea of GDPR, and especially local versions like CCPA that benefit me directly, I loathe much about the GDPR.

1. Cookie popups. Enough said.

2. Its extraterratoriality claims. Yes, I know you also want it to apply to companies in, say, Japan. Bummer. Unless they signed a treaty agreeing to abide by it, their they're own sovereign entities and their businesses don't have to comply with remote EU laws.

3. The annual moderation report. I've lost an aggregate of several weeks of my life filling out reports where 99.9% of our moderation actions were to delete link farms, fake drug sales, phishing portals, and cockfighting fliers.

4. The misperception that GDPR means you have to delete everything. Uh, no. If we suspend joe.scammer@gmail.com's account for phishing, we're not obligated to purge every instance of that email address from our systems, especially not the one that gets to decide whether a new user is allowed to register for another account. And if "joe.scammer" deletes his account, we don't have to return "joe.scammer" into circulation so another user can register it, and simply saying that "joe.scammer is not available" is not disclosing sensitive data. And in any case, a company entirely outside the EU isn't compleleled to do it anyway (see #2).

Love the idea, strongly dislike the implementation.

by kstrauser

2/3/2026 at 6:25:11 PM

> Unless they signed a treaty agreeing to abide by it, their they're own sovereign entities and their businesses don't have to comply with remote EU laws.

What is your opinion concerning laws such as FATCA and other such laws that apply to non-US entities when working with US citizens abroad?

by Topfi

2/3/2026 at 6:30:40 PM

Other laws that apply to the US's own citizens abroad, I can kind of get in line with. Like even if you go to a country where murder and mayhem are legal, you can't go there on vacation, rack up a body count, then come back to Wyoming and go back to work on Monday.

Other laws that apply to non-citizens abroad, I'm against, of course. We don't have the moral right to legislate what someone in China can and can't do. However, prosecuting them for that should they enter the US is a different animal. If you run a scam farm and defraud a million Americans, then go to Disneyland on vacation, you should plan on having a bad time. Similarly with GDPR and other EU-local laws: violate them outside the EU, but it'd be wise to skip Barcelona on your next world tour.

by kstrauser

2/3/2026 at 6:32:58 PM

But neither of your described scenarios applies to either of the two.

Both FATCA and GDPR apply to entities/companies that deal with citizens from their respective jurisdiction. FATCA applies e.g. to foreign banks handling US customers, GDPR to foreign data processors handling EU user data.

If you don't want either to apply to you, easy, just don't handle US customers money/process EU user data.

by Topfi

2/3/2026 at 6:39:21 PM

The penalty for non-compliance comes down to: you can't do business with the US government anymore, which is a huge bummer for any financial institution. If you don't care about that, say because you're a credit union servicing a small town in Brazil and you had a single American move there, I imagine you'd also ignore it.

by kstrauser

2/3/2026 at 6:47:06 PM

I am by no means an expert, but as far as I am aware FATCA violations carry slightly higher penalties then what you suggest and are very much not limited to "you can't do business with the US government anymore".

Also, even if "you're a credit union servicing a small town in Brazil" and even if the penalty was as limited as you think it is, I doubt even a smaller institution could survive loosing access to US securities, etc.

by Topfi

2/3/2026 at 7:10:59 PM

Such laws and policies are a blatant overreach. However the US is a superpower so if we act inappropriately smaller economies simply have to tolerate it to a large extent. It's no different than China throwing their weight around with their neighbors.

The EU jumping on that bandwagon was predictable but I don't think it's a good thing. We all ought to strive for a higher moral standard.

by fc417fc802

2/3/2026 at 6:17:36 PM

As far as cookie popups go (and recognizing you probably know this so it’s more a general comment), GDPR doesn’t encode cookie popups into law, but the entire industry follows the pattern of cookie popups in response to the underlying requirement of informed consent. Companies could choose to not collect as much info, or take other approaches, but cookie popups are the default.

by qkeast

2/3/2026 at 6:25:55 PM

You're right, for sure. It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes. I haven't put any time into nailing down the wording, but something that communicates "sites are allowed use 'authentication cookies' to validate a user's ability to make server requests" would be most welcome. Then you could actually have an incentive to remove the cookie banner on sites that only use cookies for session authentication. You don't also use them to integrate with your marketing analytics kraken? Sweet! You don't have to have a banner or other notice!

by kstrauser

2/3/2026 at 6:34:24 PM

> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

That’s exactly what it does.

https://commission.europa.eu/resources/europa-web-guide/desi...

They list more types of cookies which do not need consent than the ones which do.

by latexr

2/3/2026 at 7:32:29 PM

It's important to note that this is what European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that EC is not bound by ePrivacy Directive as directives bound member states and require them to include them on their national law. They do still try to be consistent with how the directive is applied in the member states though but since it can be varied they have more leeway compared to most other controllers.

The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by CJEU. And ePD does not have single-stop shop so you need to follow every DPAs directions if you are offering services to that DPA's country.

by buzer

2/3/2026 at 6:42:29 PM

Oh, nice! That page seems to have been written a year ago[0] and I wasn't aware of it. If that had existed from day one, we probably wouldn't be having this conversation.

0: https://web.archive.org/web/20250301000000*/https://commissi...

by kstrauser

2/3/2026 at 6:58:48 PM

> That page seems to have been written a year ago

The page has existed for several years, it was just at a different URL before. Here’s a version from 2021:

https://web.archive.org/web/20210623122357/https://wikis.ec....

by latexr

2/3/2026 at 7:03:22 PM

I'll concede that, but that's still several years after the law was deployed and people had to kind of guess for a while.

GDPR isn't unique in that. When HIPAA came out in the US, no one was sure what it actually meant. I personally talked to hospital administrators who were convinced that we'd have to put up a "take a number" device in waiting rooms and call out "#53? It's your turn #53!", which the owners of the practice I ran flat-out refused to do: "the waiting room is currently occupied by Mr. Smith and Mrs. Jones, who have known each other since kindergarten, and I'm not going to refer to them as numbers". It took several years to build consensus on how to comply with it.

by kstrauser

2/3/2026 at 7:16:21 PM

> I'll concede that

In case it wasn’t clear, I wasn’t trying to “gotcha” you or anything. I took your message to be in good faith. I just knew the website used to exist on another page because I remember having it in my bookmarks and it breaking and having to search for the new one.

> but that's still several years after the law was deployed

Maybe, I do not know. I didn’t search for it before then, so for all I know it was available at some other domain too. Or maybe it wasn’t, that’s the earliest one I remember.

by latexr

2/3/2026 at 7:36:20 PM

Understood, and appreciated in the manner in which you meant it! I do love talking about this stuff. I've discovered that I have a giant regulation nerd deep inside me.

by kstrauser

2/3/2026 at 6:49:01 PM

the site didn't exist from day one, the exceptions do

(but some informational requirements have been slightly relaxed recently I think)

by dathinab

2/3/2026 at 6:43:43 PM

See Article 5(3). There is a specific carve-out for cookies that are used solely for essential site operation and security.

by bruce511

2/3/2026 at 6:32:06 PM

If you use cookies only for authentication it can be a single note on the login form.

by mhitza

2/3/2026 at 6:35:23 PM

You don’t even need that.

https://commission.europa.eu/resources/europa-web-guide/desi...

> Cookies and similar technologies that generally do NOT need consent

> (…)

> Authentication cookies, for the duration of a session

by latexr

2/3/2026 at 6:56:26 PM

needing consent and informing the user are two distinct concepts

I think you did need to explicitly tell the user about it.

But I think (not fully sure) they did relax that recently so just listing it in you Privacy Policy or similar should be enough by now.

But also due to how enforcement is designed it's not that you really had to worry about anything if you only have non-censent requiring cookies and list them clearly in the privacy policy. Worst case a privacy agency tell you to "improve on it" without penalty.

It's just which site (or app) today doesn't use something like Google Ad Network, or Metas Ad Network, or Apples Ad network. All of which do not support ads without tracking (which still are very viable, e.g. select ads based on what the side/ad is about).

by dathinab

2/3/2026 at 7:08:58 PM

> It's just which site (or app) today doesn't use something like Google Ad Network, or Metas Ad Network, or Apples Ad network.

For websites, Hacker News doesn’t seem to use any of that. For apps, Alfred doesn’t do any tracking, nor does Wipr, or Inkscape, or mpv.

by latexr

2/3/2026 at 6:46:14 PM

> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

it does have such exception, always did (as long as the cookies are not used for tracking or other non essential things etc.). It might not be supper explicit but it's explicit enough to have you on the safe side.

you do have to inform people, but there are very non intrusive ways to do so (as it's informational only, i.e. no user interaction like confirm/accept is needed at all). (I think? they also have removed part of the explicit informational requirement for some things recently, i.e. it's good enough to list it on your site in the TOS/Dataprotection section/sub-site.)

there are other (I think not EU wide but nation specific) laws which get confused with it and handle things different, based on sites storing their data on your computer (and with that any cookie)

the reason most sides don't do anything like that isn't because they can't. It's because they try to harass user endlessly until they always click on confirm and can be tracked. Or because they don't know better due to a endless slew of systematic misinformation spread by advertisement agencies like Google Ads.

by dathinab

2/3/2026 at 6:24:20 PM

Yeah it's wild we blame GDPR instead of the companies that decide tracking us is worth our inconvenience

by causal

2/3/2026 at 6:24:48 PM

GDPR does not formally require cookie popups (and the cookie stuff predates GDPR as such anyway). But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required. The EU's official resources on data protection, for example, have a popup. (https://commission.europa.eu/law/law-topic/data-protection/r...)

by SpicyLemonZest

2/3/2026 at 6:37:46 PM

> But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required.

It is not. They even list more types of cookies which do not need consent than the ones which do.

https://commission.europa.eu/resources/europa-web-guide/desi...

> The EU's official resources on data protection, for example, have a popup.

Because it’s mandatory for them, not because the cookies are invasive. See the top of the page of the link above:

> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.

by latexr

2/3/2026 at 7:04:28 PM

> point of impracticality to run a website

only if your site insist to use any of the widely used Ad networks

through there are Ad Networks which base ads on what is on your site instead of who visits

and the popup you link is _not_ a GDPR popup but is related to some other older and very misguided law(s). (Not EU wide laws, but EU sites want to be compliant with every member countries laws.)

Having a EU decision which requires countries to remove this older misguided laws has been on the agenda for years. It's just given that most sites anyway will have popups (e.g. for Google Ads) things move way way way to slow :(

by dathinab

2/3/2026 at 6:46:32 PM

>> But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required.

Nonsense. It's easy to create a site that doesn't need a cookie pop-up. Indeed the mere existance of a cookie pop-up screams "we are tracking you and selling your info".

by bruce511

2/3/2026 at 6:31:27 PM

> Cookie popups. Enough said.

except a lot of the things related to cookie popups isn't GDPR but other (misguided older) laws

furthermore setting a (proper 1st party and HTTP only) cookie to remember you opted out of tracking doesn't require your explicit consent and as such any side which ask you again and again makes it extra hard to opt out in a way _not legally compliant with GDPR_.

also the do not track flag in a browser is a very clear unmistakable signal from the user that they don't want to be tracked, ignoring it and harassing the user with tracking dialogs is also not GDPR compliant

> 2. Its extraterratoriality claims.

It's based on your citizens data being owned by your citizens. Extraterritorial claims about your citizens is pretty normal. And only enforced things matter so basically it only matters if they do business in the EU. And requiring someone who does business in another country to comply with that countries laws is the norm. Just because you do it "through a website" doesn't mean you can doge responsibility. That would be absurd.

> 3. The annual moderation report.

if it's moderation deletion then that isn't GDPR but other laws, and the reports which are needed for GDPR can be trivially automatized.

> 4. The misperception that GDPR

any half way serious source is pretty clear about that and there isn't much law makers can do if people are to dump to read and then insist they know better

The main issues is still enforcement, or the systematic lack of it in all kinds of ways.

Due to that bad companies don't try comply with GDPR but with "what level of systematic intentional GDPR violation can we get away with" and that in turn leads to legal unreliability/unclear-ness.

Oh and that some business models are inherently incompatible with it and instead of judges being like "bad luck you had years to adapt" they are often hesitant to do much about it (like "pure abos" which deceive the end-user (and judges) with a false dichotomy about ads vs. no ads when the laws is about tracking vs. no tracking and you can have ads without tracking, just not google ads but that is a googles made problem not a fundamentally one).

by dathinab

2/3/2026 at 6:23:29 PM

Cookie pop-ups are not part of the GDPR.

Every time I read this point on Hacker News I got to point this out because it's an extremely common misconception.

Read the GDPR, at least the outline, it's not there.

by piva00

2/3/2026 at 6:59:17 PM

Also, cookie pop-ups appeared before GDPR.

by matkoniecz