> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright -, trademark -, and health laws.

1. when you open a restaurant nobody cares you're a collage student. You have to have all the checks and permits to serve people food. It's not because somebody hates small businesses, it's because the right not to be poisoned is more important than the right to do business hassle-free. Why should internet be different?

2. Fuck your souvereignty. Seriously. USA has no problem violating secrecy of correspondency worldwide, and argues in length for years whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. USA forces poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass cause of your feelings. Want to serve customers from other countries - have to obey the law there.

3. they probably could. Still - I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards how to handle personal data will finally be created? This should have been done decades ago.

I don't get the complaints about how hard GDPR is and having to understand it all. If you're based in the US, have you read the actual DMCA document? CFAA? California S.B. 1386? TWEA? ADA? Or at least any interpretations of them and validated that you comply?

If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.

You are speaking as if the European Union spit out this legal document and nothing else, when in fact loads of supplementary material have been released, for consumers as well as for enterprises. Of course, the actual act must be written in formal legal language.

EDIT: Example: https://ec.europa.eu/justice/smedataprotect/index_en.htm

> A College student working on a side project with no revenue are treated the same as some massive multi-national.

Am I reading this wrong? If the college student creates just a simple page, he/she is already complaint with GDPR.

If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.

The treatment of privacy is one of issues where it's pretty much impossible for individual protect from, GDPR tilts the scale in favor of individuals.

> It's a foreign requirement that feels like a violation of sovereignty.

It must feel horrible, now that the US is on the receiving end of this for a change... ;)

> I think the things that bother me is:

>

> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.

> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

This one I can appreciate, but perhaps look at it from our point of view:

You're violating our laws that protect our citizens.

Why would we possibly have any sympathy for that?

> 3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?

The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.

https://ico.org.uk/for-organisations/business/

> " It's a foreign requirement that feels like a violation of sovereignty."

How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.

> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.

A college student working on a side project probably shouldn’t hoard personal information if it doesn’t care to protect it.

>1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

If the side project uses personal user data, then there is no reason to treat them differently.

> A College student working on a side project with no revenue are treated the same as some massive multi-national.

And why not? The result/harm is the same.

It doesn't matter a bit whether a company's web site is handing its visitors' data over to Facebook or a "private site" does.

The side project or the private site always have the option of not participating in the adtech frenzy.

But of course they want to participate (free money!), even if they find out much later that almost no money is coming their way.