I made 20 GDPR deletion requests. 12 were ignored

Effectiveness vs. “Privacy Theater”

  • Some see GDPR as largely symbolic because many deletion requests are ignored and regulators rarely act, especially for routine violations.
  • Others argue it meaningfully improved privacy: many services now support account deletion, big tech has paid multi‑billion‑euro fines, and the law resets norms about what’s acceptable.
  • Several comments stress that the main failure is enforcement capacity and political will, not the text of the law.

Enforcement, Fines, and Impact on Small Businesses

  • Some strongly support automatic, substantial per‑violation fines to make non‑compliance uneconomical, citing similar structures in California’s CCPA.
  • Counter‑arguments:
    • Flat minimum fines (e.g. €5k or €60k in some countries) can be ruinous for small or self‑employed businesses and may deter entrepreneurship.
    • Documentation and process requirements (records of processing, impact assessments, retention policies, etc.) are seen by some as overwhelming for 5‑person shops.
  • Others respond that:
    • Basic compliance for typical SMEs (“collect little; keep it only as long as needed; offer deletion”) is quite manageable.
    • Businesses that can’t handle minimal privacy obligations shouldn’t operate.

GDPR vs. CCPA and the US Context

  • CCPA/CPRA is described as:
    • Focused on larger data processors (revenue and volume thresholds).
    • Allowing data sales by default unless users opt out, unlike GDPR’s usual consent requirement.
    • Providing only categories of data recipients, not specific entities, which weakens follow‑up rights.
  • Debate over whether “no law” (typical US case) is better than a weakly enforced law:
    • Critics of GDPR say unenforced rules create illusions and enable selective enforcement.
    • Others argue laws still shape culture and express societal ideals even when under‑enforced.

Individual Rights in Practice

  • Users report:
    • Mixed success with deletion and portability requests; big companies are often slow or obstructive.
    • Burdensome processes to find the right contact, follow opaque procedures, and then file with national DPAs that may be slow, politicized, or under‑resourced.
  • Some countries allow cheaper, simplified court procedures; credible legal threats can suddenly make companies comply.

Specific Frictions: Cookies, Extraterritoriality, Retention

  • Multiple commenters clarify:
    • Cookie popups are mostly from ePrivacy/cookie rules plus tracking-heavy business models, not GDPR itself; essential/session cookies don’t require consent.
    • Extraterritorial reach (applying to foreign companies processing EU residents’ data) is defended as normal for protecting citizens, but others see it as overreach akin to US FATCA.
  • Deletion rights are limited by legal‑claims carve‑outs: companies can keep data for statutory limitation periods (e.g., 6 years in the UK).