
Ask HN: Could EU residents comment on how the GDPR has improved their privacy? - amelius
I'm curious if the GDPR is working as intended, and if it has actually reduced or eliminated online tracking of EU residents.
======
reqres
I'm an EU resident with a SaaS business storing EU personal information.

It's forced us to think more carefully how we build systems to pick up, retain
and scrub data. So all clients (>1,000) and their clients (likely in the
millions) have benefited

They absolutely won't have noticed a difference - by design!

Unbeknownst to downstream users, there are now more rigorous systems in place
to manage this information and reduce the surface area where it might be
captured

~~~
Y-bar
I work with e-commerce in the EU and my experience mirrors yours.

Almost all clients took an honest look at data collection and retention
policies.

Data was classified and tools built around the GDPR framework to allow
customers to be able to fully retrieve, request changes to, or delete their
information from servers.

Most clients ended up collecting less data and retaining it for a shorter
time.

All in all from my perspective it seems the law did much of what it was
designed to do.

------
s_dev
Immediately many EU companies just dumped their data that they were
arbitrarily collecting because it became a liability overnight instead of
something that may be an asset in the future.

Many of these companies didn't have consent to have the data to begin with or
at least no way to show that they collected it.

A good example is Wetherspoons Pub chain dropping their email database they
used to spam people with. I've noticed I'm not caught in any more breaches
according to Troy Hunt whilst before I was getting my email breached once a
year by some company. According to Troy Hunt's breach DB, over a dozen
companies with my credentials have been breached forcing me to never use those
email/password combinations again.

------
nottorp
Well, the cookie popups have helped me become more selective in my browsing.
If they don't make it reasonably easy to opt out, I just don't open the site.

But the real benefit is this:

Some random online store that I bought something from once decided to send me
a spam SMS around Black Friday.

One email and 24 hours later, all the data they had about me was deleted.

Of course, this only works if you're in Europe buying from a European store
so they're subject to fines from some trigger happy privacy authority.

Assholes like Google still do not ask for consent. Guessing someone at the EU
is working on gathering a mountain of documentation so they can fine them that
famous 4%.

~~~
dijit
The cookie pop ups were a thing before, I guess being able to opt-out is a
neat feature but there are certainly companies who do not comply when you
choose to opt-out. (Looking at you Verizon, yes I know it’s you behind
“oath”.)

~~~
nottorp
If I see the "oath" message when following a link, I close the browser tab :)

~~~
oneplane
Same here, it's like they don't even bother getting their systems up to date.

------
unixhero
Yes it has. Companies are now forced to build architectures that take data
classification and privacy in mind. It's been a really great addition and an
important check on the data economy.

~~~
amelius
Do you still receive targeted advertisements (assuming you have not opted-in
to them)?

~~~
supermatt
Unfortunately, yes. I haven't knowingly opted-in to anything. This may be a
problem with the whole "click here to accept all these cookies" bullcrap that
is on every site. I don't think this apparent benefit of the GDPR has worked -
at all.

However, in the organisations I have worked with professionally, GDPR is
absolutely working - user data collection, storage and security is now a
leading conversation - whereas it was an afterthought before, at best. Of
course, this isn't generally visible to the end user, and there are undoubtedly
still businesses who ignore this - but I guess we wouldn't know unless there is
an incident - in which case I would expect the EU to come down HARD.

I think it's web-tracking and marketing in particular that still needs fixing.

~~~
concerned_user
Accept cookies has nothing to do with GDPR.

GDPR has to do that if you provide your phone/mail to some shop or other
service they can only use it to contact you with information directly related
to their business, like processing your order etc. They can not send you
marketing stuff unless you explicitly consented and must remove you from lists
if you ask. Even delete your account if you ask (not the data tho).

~~~
pteraspidomorph
GDPR added the bit where you can opt out of cookie usage on a case by case
basis (by use case or by data processor). American companies usually don't
implement that part in a correct or legal manner (they have no incentive for
doing so; they're only pretending "your privacy is so very, very important to
them" for PR reasons). European companies doing it wrong are on shaky ground,
since it's a matter of time until some regulator somewhere (which one depends
on their country) slaps them with massive fines.

On data removal: [https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-personal-data-if-person-asks_en)

------
HatchedLake721
Yes - from inside knowledge, the lead/customer data being sold from business
to business has either massively changed or completely stopped.

Personally, I barely receive any out of the blue marketing calls or texts
anymore. If someone dubious markets me via phone or email, I know my rights
and I can follow how they acquired my data and who sold them my personal
details.

As a software developer/entrepreneur, it made me think more about personal
data and has affected my architectural decisions.

~~~
lucb1e
> I barely receive any out of the blue marketing calls or texts anymore

That's strange, as anti-spam legislation is completely separate from GDPR and
has been in place for much longer. The only connection I see is that data
brokers got a harder time selling your data to these third parties that would
call or text you, but what those third parties were doing was already illegal
and still is for the same reason (so not because of GDPR).

In the Netherlands it hasn't been legal to cold call someone that opted out of
cold calls (using a national register of phone numbers that don't want to be
called) since 2009. Any marketing call you do receive has to offer enrolling
you on this list to prevent future calls.

For email, again speaking of Dutch laws, companies are not allowed to send you
unsolicited, promotional messages. Not sure as of which year this is, but it
has been the case for as long as I remember.

I assume most EU countries have similar constructions (I'm not sure if our
laws are based on an EU directive).

------
s9w
Popups everywhere. Insane bureaucracy, even at the doctor. And when it
matters, it's just being ignored. Most (medium-sized) companies haven't even
realized there is a new law.

~~~
raverbashing
I haven't noticed any "insane bureaucracy" at the doctor, but there's a new
box to tick in the signup forms

> And when it matters, it's just being ignored.

Where is that? Though you're welcome to point those out to your country
regulator.

> Most (medium-sized) companies haven't even realized there is a new law.

Actually they have, I was surprised at getting emails from medium sized, non-
online business about it

~~~
arkenoi
> > And when it matters, it's just being ignored.
>
> Where is that? Though you're welcome to point those out to your country
> regulator.

Blanket forced consent in terms "we need to track you because we have a
business need, take that or leave", despite being explicitly prohibited in all
GDPR-related guidelines is still something you get away with.

Also one word: Facebook.

~~~
raverbashing
Yes, I agree that most websites continue to do that, though to be honest the
cookie management works in several websites

But I use ad blocking/cookie blocking so I guess it works the way I want
regardless of what they think

------
m3chars
I pretty much prefer to have a popup that I have to "accept" prior to the
website I visit can "legally" start storing identifiable information about me,
it allows me to just close the webpage if it's not something essential I'm
visiting. Like 90% of the links on the web, let's say more or less, are not
really worth my data, sort of just a "let me check" curiosity, that 99% of the
time, after you would finish the article/post wtv, you would go "that was
another turd". This doesn't mean it's completely effective or not at all but
it's at least some legal backing/precedent.

I still hope we'll be able at some point to come up with a more refined
protocol than http (or better sandboxing of the browser/device), where you
could selectively reject loading JS resources and where resources would need
to explicitly say what they were gathering, where pixel tracking would need to
be announced (and only after your consent would those resources run/load).
Totally ok with the site not loading either if you didn't give the
permissions. Probably never going to happen, but that would be a true
handshake, "I want to check this out", RE: "Sure, we want your location, track
your navigation across the website and we'll sell this as part of a dataset,
including your IP, so that someone else then can buy several different
datasets and create a proper picture of your activity", "Sorry, thanks, not
interested". (and yes, it would need to be written in a way that's
understandable, not 5 pages of crap). The same applied to mobile
phones/computers/apps.

Or better yet, a browser/device API, where you (the developer) would need to
declare all resources you wanted to access (DEVICE_IP_ADDRESS,
DEVICE_LOCATION, MOUSE_POSITION etc) this would compile all of them into
legible manifest that you could read before it being un-sandboxed and allowed
to run. Any attempt to read such information from the browser/device where one
of those permissions weren't granted would return null (might be the best
argument for the existence of null).

------
Normal_gaussian
It's fantastic.

A lot of sites throw up a modal that just disappears when you say no. And I've
verified that in most instances this completely kills all telemetry.

I was involved working at a SaaS that provided first party personalisation at
the time GDPR was introduced and heard a lot of stories about clients just
dropping pointless and long term data.

I have family in the school system that called panicking that this was a
disaster... then a few months later admitted it meant that they actually handle
their data well and no longer accidentally leak personal info (financial,
medical, behaviour, attainment) to other families, kids, teachers, or third
party companies. Oh, and their emergency fire list is now kept up to date.

I've used the powers of the GDPR to eliminate some low level harassment of my
grandfather.

Google, Facebook, and the Yahoo auth group are still diddling with data they
shouldn't, but on the whole it is a much much better world.

------
oneplane
This has improved privacy awareness, curbed data hoarding and reduces tracking
across the board. It also made people aware of which companies don't have
their IT in correct order. (i.e. those that outright ban EU traffic, or don't
prompt to ask if they can hoard your data)

~~~
lucb1e
> [those that] don't prompt to ask if they can hoard your data [don't have
> their IT in correct order]

It's kind of the opposite: if they need to ask for your consent, that means
they're doing something that is not part of the standard exceptions.

For example, if they only use your data to do what you asked them to do, they
don't need consent. If I ask Contoso to ship me a horse, they don't need my
consent to process my address.

Every time you see a cookie banner, the message is: we want to invade your
privacy.

If you want to find those that don't have their data protection in order, look
for sites without privacy policy, or policies that were updated prior to ~2016
(that's when the GDPR text was finalized, i.e. the earliest time they could
have updated it to be compliant with new requirements). A cookie wall is a
signal that it's bad, not that it's good.

------
cataflam
All marketing email has an unsubscribe link if it didn't before, and you know
it actually works now to stop the emails, not just confirm your email address
works.

You also know you can get all the information a company has on you, and get
them to delete it if you need to. I haven't made use of it yet, but I've read
of people who have.

From inside the business side, I see most companies thinking about GDPR
compliance when developing new products and features. What was never the case
before and you notice now is they try to minimize PII collected to avoid
headaches, and they are very careful about how data is shared with 3rd
parties, asking for consent before doing it, etc.

~~~
lucb1e
> All marketing email has an unsubscribe link if it didn't before

GDPR says nothing about marketing emails. I can only speak for the
Netherlands, but our laws about unsolicited commercial communication are what
apply there.

What GDPR has to do with it is that they need your contact details to send you
anything, so they process personal data. The predecessor to GDPR (called DPD,
from the late 90s) also required companies to ask consent if there was no need
to process your data for things like fulfilling a contract (same as with GDPR:
they only need consent if it's not for a certain set of exceptions).

> You also know you can get all the information a company has on you

This was also the case under the previous law.

------
cj
I operate a B2B SaaS. We sell a service to other SaaS companies. To deliver
our service, we are sent PII from our customers which we process as a
subprocessor under GDPR.

From the perspective of selling a B2B SaaS service, GDPR has been incredibly
successful at making Security & Compliance an important discussion that is had
during the sales process. Most leads will have security/compliance as an
agenda item during sales calls, while before GDPR this was much less common.

GDPR has effectively turned Security & Compliance into a selling point and a
point of competitor differentiation (it was this way in the past too, but much
more so after GDPR). I think in the long run, this has/will result in
companies having a heightened awareness of security/privacy and budgeting more
time and money on security, simply because GDPR has connected it more directly
to the business's bottom line.

I think it's good in the long run. In practice, the result is probably a
decrease in risk of data breaches (less companies have your data, and the ones
that do are more aware of their responsibility to treat it properly).

It's important to note that this benefits everyone (not just people of the
EU). Very few companies will go through the trouble of treating EU data
differently than non-EU data. Everyone is benefitting.

~~~
goldcd
We're not a SaaS - but we noticed GDPR appearing as a requirement in RFx's

Our software does contain customer information, but isn't the focus. As
somebody actually designed it properly, compliance wasn't particularly
arduous. Huge sections simply didn't apply, and where it did we could just
link each requirement to the relevant details, API, logs etc.

As you mention, I think the main benefit is just formalizing something that
should already have been designed.

Another benefit is that it's driven 'bottom up' - Customer doesn't have to
pay every vendor to provide them a new feature for say "scrubbing a customer".
All their providers supply "here's how you scrub in my product" and customer
just needs to stitch these mechanisms together to give their customers the
ability to be scrubbed.

------
tombrossman
I've used the new laws twice now to close online accounts with companies that
were uncooperative or too 'clingy' (looking at you, OVH and Microsoft). Much
easier to send a registered letter than waiting on hold or searching for an
online option that was deliberately made hard to find, or which may not exist
at all.

I have also used it to stop unwanted postal ads from local companies. I get to
find out how they obtained my info, and also stop some junk mail.

For the sibling comments mentioning the GDPR popups / cookie notices, why not
add a blocklist for these to your adblocker? At this point adblockers should
be considered basic security software, like a firewall or antivirus. These
lists exist and are pretty comprehensive.

As an American living in Europe I think it's a great law and I wish there was
something comparable to protect my friends and family stateside. And as
someone who administers a fair amount of business and client data, I do not
find the law inconvenient to comply with. I am very pro-privacy and protective
of user data, and I didn't have to make any major adjustments.

~~~
lucb1e
> Much easier to send a registered letter than waiting on hold or searching
> for an online option that was deliberately made hard to find

This hasn't changed. Every EU country implemented the Data Protection
Directive and you could just have sent a letter since the late 90s (the exact
date depending on your country).

------
m11a
The GDPR is working as intended.

For many of us software people, it isn't that revolutionary. These are things
we should've been doing for a long time, and many of us have been doing.

But many companies are massive and bureaucratic. Everything from random giant
companies to schools, hospitals, etc. These people don't really care about
'privacy', and many abused the hell out of people's privacy, many
unintentionally (just careless). And since they make up big processors of data
it was necessary to have them improve their practices. Now they actually think
about how data is being processed rather than just chucking it around.

The GDPR's biggest impact or purpose isn't to reduce online tracking. It's to
secure data rights for citizens in general. And the biggest abuses of that
didn't happen due to advertising or tracking.

------
arkenoi
General data handling guidelines: moderate success. Web-facing "consent",
cookie management etc: total disaster.

------
deugtniet
Professionally, I have not had to deal with a GDPR request luckily, as we have
a lot of anonymized legacy data that is hard to track back to specific
participants in our studies.

Personally, I feel the conversation on data in many organizations has helped
me feel more secure in my privacy considerations. Although it may not be
because of the GDPR, I feel I can make facebook/google/<data_aggregator>
accountable about my personal information, if I really wanted to. Although I
have not done it yet.

------
PeterisP
The big impact for me was on the non-online tracking and mishandling of
private information. All kinds of local non-online service providers and
companies (e.g. store 'loyalty programs') started to take data privacy and
(non-)collection much more seriously, significantly changing their policies
and activities. There are still all kinds of unacceptable activities, but now
they're (a) rare and (b) clearly forbidden, so we don't see local corporations
flaunting 'sorry-not-sorry-we-did-nothing-wrong-and-will-keep-doing-it' PR
after they've been caught doing something shady.

So there's been a big change on how my data is being handled in the real world
- any effect on random websites online are just a nice-to-have bonus, it's
sort of moving in the right direction but it's obviously not a priority in
enforcement and a better treatment for that can be tweaked in a next version of
GDPR, the important thing was to tackle all the big relationships (and privacy
abuse potential) people have with e.g. their cell phone provider, supermarket
chains, lenders, etc, which are now mostly 'clean' and the major online
players such as Facebook, Google, etc which will probably require years in
courts.

------
gtirloni
I'd also be interested in knowing the tangible results on an individual level
so far.

~~~
oneplane
As an individual, closing accounts is much easier, including getting your data
deleted or getting a copy of the data they have.

------
tgsovlerkhgsel
After a data breach, a custodial cryptocurrency wallet site forced me to log
in to change my password. I assumed it was a test account with no value
inside, but wasn't sure. Upon login, they didn't let me access my account,
asking me to fill in a KYC form with a lot of personal data. The form was
empty, but I didn't know what data they had anyways, certainly wasn't going to
give them more data, but couldn't see the wallet balances.

So I sent them a GDPR request, and they told me exactly what data they had and
which data they didn't have (confirming that it was next to nothing, and thus
that I didn't have to worry about the breach too much). They also confirmed
which wallets are in the account (allowing me to confirm that they were empty,
as expected, thus giving me no reason to fill out the KYC).

Without GDPR, I'd be faced between the choice of giving them more data, or not
being able to confirm that the wallet is empty (thus potentially losing out on
cryptocurrency that I had forgotten about). In the end, I'd have probably
provided the information, potentially exposing it when they will inevitably
have the next breach.

Before that, Germany already had GDPR-style laws. I get very little spam,
because people don't sell my address. I think there was one case where my
address was passed along - I demanded to be told who passed it along, deleted,
and the deletion request be passed on too, and the spam stopped. Doesn't work
for completely fly-by-night companies and proper spammers, but does work for
the ones who try to stay on the shady-but-not-illegal side (losing one address
doesn't matter to them, and is certainly not worth the trouble of not
complying with the deletion request).

I'm literally not using a spam filter.

------
jnurmine
A shop belonging to a big electronics chain registered me as a member without
my consent.

After I contacted the chain about it, within a few days my information had
been erased and they said the clerk did not act appropriately and they'd also
contact the shop in question to make sure this is not repeated.

It's a long story, but when purchasing, the payment terminal asks "Member?".
If you answer in the affirmative, apparently somehow one becomes a member. In
this case, the clerk reached out from behind the counter and pressed the
button on my behalf while I was busy putting my card away. The receipt had the
text "member" with a membership number and so on.

In retrospect I suspected that the clerk's KPI contains the number of new
members. Most people probably won't care enough to raise noise about it.

Before GDPR, and actually before the improved EU privacy laws in general, say,
20 years ago, fixing this would have likely involved navigating some sort of
swamp of dark patterns with several phonecalls and tons of queueing, with a
long lead time for the removal and so on.

------
jacquesm
I'm positioned quite well to comment on this, our company looks at the back-
end of various web services on a daily basis because we look at their
infrastructure and associated bits and pieces prior to investment or
acquisition.

In the run-up to the GDPR we saw an increase in companies that started to take
security and privacy a lot more seriously than before. Before the GDPR all data
was viewed as an asset and more was better.

After the GDPR went live - and especially after the first fines were issued -
this has substantially improved, most - but definitely not all - companies
that can afford it now have their security at a reasonably high level, they've
hired in-house specialists to help analyze the risks of their operation.
Typically access to live databases is now far more restricted and so on.

There are some downsides as well, but that was to be expected (such as: the
GDPR being used as an excuse to do things via web portals that used to be done
via email, of course that same email can be used to reset the password to the
portal...). Overall I'd say the improvement is vast.

------
PaulKeeble
Having used the ICO to try and stop a company illegally collecting biometric
information for access to a gym I am not confident it is very effective. Not
only did the gym not stop but the ICO all but rubber-stamped what they were
doing. Just like the data protection act before it on a daily basis on the web
you see companies openly breaking the law with the wrong defaults and reports
just disappear into a pit with the ICO.

The law exists but it isn't enforced by the regulator and the way the GDPR law
is set up there is no way to bring private prosecutions to enforce fines and
get the law applied. So since the regulator isn't doing it the law is
effectively useless. Some companies are complying but the bad ones are seeing
no consequences and the compliant ones are bound to notice soon that they can
safely ignore it completely soon enough. It has no enforcement currently,
there is no rush to ensure your company complies.

------
shreyshrey
We make file sharing and sync platform with GDPR specific functionalities. In
high level GDPR and the fines have forced companies to take inventory of PII
data they have and also limit the collection and storage of them. Also
companies have started appointing DPOs. That's a welcome addition.

------
ckastner
I explicitly have to give my consent to certain processing, and my
relationship as a customer is not affected if I do not give consent.

For example, I now am far more willing to consider signing up for a loyalty
card, as long as they don't use my data for profiling purposes. I didn't have
many cards before, but the number has grown.

Same thing applies to online shops: I am far more willing to create an account
when I see that my rights are being observed, and I can eg delete my data
easily.

This, of course, assumes a processor that would rather be compliant with the
GDPR in its current form, rather than fight it. Facebook, for example, _needs_
to profile, and is using an IMO ridiculous interpretation of the GDPR to
weasel it out of the consent issue. Let's hope the courts do the right thing.

------
MildlySerious
I was able to get my account and data deleted from a crypto exchange with
relatively little fuss.

Had I not been protected by GDPR I would have had to submit documents to prove
my identity, none of which was even required to operate the account in the
first place.

------
goatinaboat
I had high hopes for the GDPR, a 4%-of-turnover fine would get any company’s
attention, but in practice the regulators are completely toothless and bad
actors such as Google and Facebook continue completely unchecked.

------
yrcyrc
Had an old debt I never honoured, but still under law it became invalid and
extinct. Yet it gets resold and some specialist companies try to get anything
from you, under 'amicable' terms.

They were harassing me, calling etc, and I wondered how they got my details
after so long. Made requests for data they held on me, and complained to CNIL
about their practices. They dropped everything and are now being investigated
by CNIL on how they handle GDPR.

------
gnarf2103
I am an EU resident and privacy activist. I did about 100 GDPR-Article-15
requests for access to my personal data. For me, it is important to know what
data a company has stored about me. I found many unlawful collections by this
and filed complaints about that at the supervisory authorities. It is
important to know which data is collected and processed and which data is
ALLOWED to collect.

------
loopz
Most remain invisible to customers and externals. However, inside just one
company, there are dozens of smaller projects that have fixed security and
privacy issues across all the horizontals: front end, ESB, middleware,
databases, applications, you name it.

Without GDPR the majority of those hidden improvements would've been postponed
indefinitely.

I do regard spammy notifications as regressions though.

------
lucb1e
In terms of what a company has to do, not that much changed since GDPR's
predecessor. The difference between the previous law from the 90s and GDPR is
mainly publicity (privacy wasn't as big a topic in the 90s) and higher fines,
so what I notice as an EU resident is that more companies implement it. (Also
companies abroad, but I can't say that e.g. Google's update impacted me beyond
annoying banners: they still say "you consent to us doing anything we like"
and that is probably legal.)

The previous law was optional to implement for member states but I lived in a
member state (the Netherlands) that did (as "Wet Bescherming
Persoonsgegevens") and I think most other states did as well. Any company that
wants to do business in the Netherlands had to comply with that law already
(just like you can't come here to do business that is illegal for any other
reason).

The main features as I see them are that companies have to obtain consent or
have a valid reason for processing personal data, and you have a right to view
your data. That was the case and is still the case. I've done data access
requests prior and post GDPR and the responses are identical.

A number of details changed, but if you complied with the previous law and
you're not a personal data broker, then you have to do very little to comply
with GDPR. To give an example, consent now has to be "freely" and
unambiguously given, whereas before it just had to be unambiguously given,
which means that an employer can't ask you for consent due to the power
relation and it's popularly interpreted to also mean that you can't bundle it
("consent or don't get the service") because then it's not "freely" given.

~~~
oneplane
But it did change for everyone else that didn't have those laws. Also, the
impact of a breach is much bigger now.

~~~
lucb1e
> it did change for everyone else

OP was asking for EU residents to comment on how it impacted them. This is how
it impacted me. If someone else is very happy with GDPR because their country
didn't implement the previous law (DPD), they should comment separately.

Edit: actually, all EU member states implemented the DPD:
[https://en.wikipedia.org/wiki/Data_Protection_Directive#Impl...](https://en.wikipedia.org/wiki/Data_Protection_Directive#Implementation_by_the_member_states)

So this is actually representative for everyone else.

> Also, the impact of a [breach] is much bigger now

Indeed, as I mentioned, the fines are higher, and that's the only change in
that regard.

Note that the requirement to report data breaches to the authorities is not a
GDPR thing. The Netherlands introduced a separate law for that prior to GDPR.

And the reason you can be fined for a breach is not because you had a breach.
It's not a crime to become the victim of criminal activity, so that's also not
new with GDPR. The reason for it resulting in a fine is that it often
highlights inadequate security of personal data, which was also illegal under
the previous law.

------
kristov
My personal stages of gdpr experience:

Stage one: these cookie consent popups are empowering. I'm glad the people
won.

Stage two: I am getting a bit sick of having to understand custom consent
forms on every site.

Stage three: what have we done, cookie consent has made the internet suck even
more!

Stage four: I wonder what all this privacy stuff is really about (goes and
reads about it).

Stage five: The internet is a strip mall crossed with a red light district run
by the mob - we are doomed.

Stage six: This is something the government will be bad at for quite some
time, and I actually have the power to take control of my personal privacy and
freedom with minimal effort (relative to say overthrowing a tyrannical
government).

~~~
arkenoi
Stage seven: we probably need more smooth cookie consent management UX
integrated into the browsers.. oh wait they had it from the day 0 and it was
dropped because everyone agreed it is useless.

------
choeger
It has given you a quite powerful lever against unsubstantiated payment
demands. It happens quite often that company A has a (debatable) claim to
person B but ends up demanding money from person C. Happened to me once
because B used my address and twice because A thought we had a contract, which
we did not.

In each case, A had no legitimate reason to store or process my data. In
particular the GDPR forbids them explicitly to exchange C's data with any
third party. Doing so could lead to severe penalties.

In all three cases I only had to point out these facts once to stop the whole
claim. Very comfortable.

------
andrewnicolalde
I love it. I’ve submitted several GDPR data deletion requests to various
companies demanding they delete my data for various reasons. Each one
complied.

------
gigatexal
US expat in Berlin: I hate the cookie consent pop-ups. I wish it just banned
cookies altogether. But that would probably break too much.

A friend of mine has used the GDPR give-me-my-data / delete-my-data email to
expose companies doing shady stuff as they’re afraid of penalties under the
law.

------
greatscott404
GDPR is trade restriction as the notion of "digital privacy" is perpetrated by
those who want to restrain US tech companies.

~~~
oneplane
Is it? Because if a consumer protection is a trade restriction, would
requiring electric devices to be insulated so they don't electrocute the user
be a 'trade restriction' as well?

------
tu7001
No, it has not, just made things annoying and complicated for companies. I think
it's a goal of supervised EU communists to make our business less effective
and competitive.

------
mathdev
It has definitely reduced the tracking. Due to degraded usability I use
European websites less, so fewer companies have my data.

------
throwno
I don't know about privacy, but it certainly increased the amount of popups I
have to click through daily. Thanks, wise European bureaucrats.

~~~
matthewmacleod
Blame the content providers who are unnecessarily tracking you, and not the
legislators that force them to now tell you.

------
ivanhoe
It does give you a (perhaps false?) sense of having some level of control over
what is stored where and how much tracking happens. Also, as an unintended
side-effect, it helped boost my productivity a bit, as when I open some link
and the page keeps twisting my arm to accept all the cookies, I just close the
whole tab and go do something more useful instead. And lots of sites,
especially news and media related, do this - I skip like 1 in 5 pages because
of badly implemented or hostile privacy dialogs.

