GDPR is not about the cookie banner; it has massive implications around the whole lifecycle of data. For example, you need to be able to gather all data of a particular client for them to access, and they have the right for all their data to be erased.
That is not surprising. Regulations are a way to ensure things that are not easily reached by market forces. Doesn’t mean that we should not care for that.
Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whomever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting wishes of the individuals the data is about, and giving people some confidence that security best practice is taken seriously.
Many of the people who "don't care" don't know. Once you inform people about how much data Meta has on them, for example, many of them do in fact care and they are in fact disturbed by it.
Now, they tend to continue to use Meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
> Most people don't care about these things. Who are you to say that the harm is severe to people who don't care?
I'm not the one deciding.
I said some of the harms are severe. Not everything. It refers to things like people losing their online accounts, having their bank account drained, their credit rating ruined, private photos shared, passwords changed or published, losing files to ransomware, all as an indirect result of poorly handled data collection resulting in identity theft and similar.
I'm pretty sure most people affected by those things do consider them severe, and that many people upon learning about those things also consider them quite severe, even if they didn't care before they learned.
If most of those people consider those things severe, that's enough to call them severe.
This is what infuriates me with people that knock GDPR. They simply don't understand its prime purpose: creation of a legally enforceable audit chain of data ownership. This is a prerequisite if you want to enforce how people's data is used and shared amongst private entities.