GDPR: Is It Worth It?

Overall value of GDPR

  • Many EU-based developers and some business owners describe GDPR as a strong net positive:
    • Forces data minimization and better security practices.
    • Gives users rights to be informed, access, rectify, and delete their data.
    • Provides leverage to push back on unnecessary tracking and “data hoovering.”
  • Others argue it is overrated or “worth nothing”:
    • See it as bureaucratic, vague, and a job-creation scheme for lawyers.
    • Claim consumer data is not substantially safer; collection methods just changed.
    • Note it’s sometimes used politically (e.g. blocking services like ChatGPT).

Cookie banners and tracking

  • Large agreement that cookie/consent banners are annoying; many use blockers or automation to reject.
  • Several clarify: GDPR doesn’t mention cookies; the banners mainly come from the older ePrivacy directive plus ad-industry “malicious compliance.”
  • Banners are seen as:
    • A useful signal of which sites track aggressively and use dark patterns.
    • Often non-compliant (no “reject all,” opt-out hidden, illegitimate “legitimate interest”).
  • Some want browser-level or API signals (DNT/GPC) to stand in for banners; others note industry refused to honor such signals and even used them for fingerprinting.

Legal clarity, implementation, and enforcement

  • Confusion around “should” vs “shall” is traced to people reading the preamble rather than binding articles.
  • Implementers report real ambiguity:
    • What counts as “deletion” when data exists in WALs, backups, data lakes, sketches, or hashes.
    • How to honor “right to be forgotten” while remembering opt-outs.
    • How to authenticate data-subject requests reliably.
  • Some want clearer, binding guidance or certification schemes.
  • Regulators are said to focus on cooperation and gradual compliance, but enforcement is seen as too slow and uneven.
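One way the "delete my data but remember that I opted out" tension above is commonly resolved is a keyed-hash suppression list: the profile row with the PII is erased, and only an HMAC of the normalized identifier is kept, so a later re-signup with the same address still has the opt-out applied. The code below is an added illustration of that pattern, not something taken from the discussion; the `UserStore` class, the in-process `PEPPER` and the sample addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical service-side pepper. In production it would live in a KMS or HSM
# and never in source or in the same database as the tokens; it is generated
# at import time here only so that the example runs offline.
PEPPER = secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def suppression_token(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the identifier.

    A plain SHA-256 of an e-mail address can be reversed by hashing a list of
    candidate addresses; keying it with a secret pepper removes that shortcut,
    so the token can be retained after the profile is erased without retaining
    the address itself.
    """
    digest = hmac.new(pepper, normalize_email(email).encode(), hashlib.sha256)
    return digest.hexdigest()


@dataclass
class UserStore:
    """Toy store: profiles hold PII, the other two collections hold none."""
    profiles: dict = field(default_factory=dict)   # email -> profile (PII)
    suppressed: set = field(default_factory=set)   # HMAC tokens only
    audit: list = field(default_factory=list)      # deletion events, PII-free

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self.suppressed

    def signup(self, email: str, name: str, marketing: bool) -> dict:
        key = normalize_email(email)
        # A previously recorded opt-out wins over whatever the form submitted.
        effective_marketing = marketing and not self.is_suppressed(key)
        profile = {"name": name, "marketing": effective_marketing}
        self.profiles[key] = profile
        return profile

    def set_marketing(self, email: str, allowed: bool) -> None:
        key = normalize_email(email)
        self.profiles[key]["marketing"] = allowed
        if not allowed:
            # Record the opt-out as a token immediately, not only at erasure,
            # so it survives even if the profile row is later dropped.
            self.suppressed.add(suppression_token(key))

    def erase(self, email: str) -> bool:
        """Right-to-erasure handler: drop the PII row, keep only the token.

        The audit entry deliberately contains the token and not the address,
        so the log itself does not become a copy of the erased data. Older
        copies in WAL segments or backups are outside this store's control
        and must be expired by retention policy.
        """
        key = normalize_email(email)
        profile = self.profiles.pop(key, None)
        if profile is None:
            return False
        token = suppression_token(key)
        if not profile["marketing"]:
            self.suppressed.add(token)
        self.audit.append({"event": "erased", "subject": token})
        return True


if __name__ == "__main__":
    store = UserStore()
    store.signup("Alice@Example.com", "Alice", marketing=True)
    store.set_marketing("alice@example.com", False)
    store.erase("ALICE@example.com")
    again = store.signup("alice@example.com", "Alice", marketing=True)
    print("profile after re-signup:", again)
    print("audit (no PII):", store.audit)
```

The design choice worth noting is that the opt-out token is written at the moment the user opts out, not only during erasure, so the two rights never conflict inside the store. What the pattern does not solve is the point raised above about WALs and backups: those still hold the original row until they age out, which is why the audit entry is made PII-free and why retention limits on backups are part of the same control.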

Impact on businesses and small players

  • Startups and non-EU sites often block EU users rather than risk non-compliance.
  • Others counter that if you can’t safely handle PII, you shouldn’t collect it; many small EU firms do comply.
  • A common misconception is corrected: GDPR does not strictly require EU-only servers; it allows data to be transferred outside the EU when adequate protections are in place.

Broader effects

  • WHOIS redaction is blamed by some on GDPR; others say it’s mostly about spam and that business contact info isn’t protected in the same way.
  • Some see GDPR as making personal data “toxic waste,” intentionally raising the cost of storing it to change incentives.