At my company, we do business in the EU. It's a wide market with many opportunities. We're extremely careful with personal data: we do not intentionally collect user data, we do not share data with any third-party (and certainly never sell it)!
Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.
These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.
I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.
> These are all strawmen, but they represent the kind of anxiety we feel.
No idea why you would feel the anxiety. If you're found lacking, you will forest get s notification from the DPA asking you to remedy the situation. You wont even be fined
Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.
These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.
I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.