Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.
That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...
Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.
I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.
To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.
The folksy aphorism goes: "The more wild cards and crazy rules, the greater the expert's advantage."
Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).
Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.
Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.
These EU regulations are more like: if you fuck up, you won't know until the sentence, which might be really, really high.
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.
The reason is that in the EU fines are usually wrist slaps compared to the size of the company, not threatening its existence. We see this with big tech, who consider violating the law a cost of doing business.
I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.
But the GDPR is super vague on some very technical datapoints as well. Is an IP address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes legitimate interest specifically? Can I use data collected for legitimate interests also for different first-party purposes?
I've spent more time than I care to admit navigating the compliance landscape of the GDPR, and every time I consulted with compliance experts, I got different, partially conflicting, answers.
This is a perfect example of uncertainty causing compliance overhead.
You say IP addresses are PII and this has long been determined.
Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:
> > logging an IP address....
> Untrue. IP is a category of PII but it's not PII in itself unless you're law enforcement.
> Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so.
> More on that: https://missinfogeek.net/gdpr-consent/
So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.
They are, of course, like everything else, context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tag Manager to have a flag to not even send an IP address to the backend.
> They are, of course, like everything else, context-dependent legitimate interest,
Yeah, and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are).
I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
In Germany, we had lawyers sending out cease-and-desists just for Google Fonts being embedded on a website, nothing else.
Is there a difference between IPv4 and IPv6 addresses? Because behind a CGNAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address, on the other hand, I can.
There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
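One concrete mitigation for the third-party log aggregation question raised above, as an added example that is not from the thread or any of its participants: drop the host bits of each client IP before a log line leaves your infrastructure (IPv4 to /24, IPv6 to /48, the common anonymisation convention), or, where abuse handling still needs to correlate requests from one client, replace the address with a keyed HMAC pseudonym whose key never goes to the aggregator. The log lines and the key are constructed; the addresses are documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed access-log sample (combined log format, example-range IPs).
SAMPLE_LOG = """\
203.0.113.47 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2024:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 9123
198.51.100.9 - - [10/Oct/2024:13:55:38 +0000] "POST /login HTTP/1.1" 401 89
"""

LEADING_TOKEN = re.compile(r"^(\S+)")  # client address is the first field

def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (a site, not a host).
    Behind CGNAT an IPv4 /24 covers many users; an IPv6 /48 hides the device part."""
    ip = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def pseudonymize_ip(ip_text, key):
    """Keyed HMAC-SHA256 over the packed address. Same client -> same token, so abuse
    can still be correlated, but the aggregator cannot recover the address without the key."""
    packed = ipaddress.ip_address(ip_text).packed
    return "ip-" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]

def scrub_log(text, key=None):
    """Rewrite the client field of every line before forwarding; non-IP leading
    tokens (e.g. a hostname) are left untouched so nothing is silently dropped."""
    out = []
    for line in text.splitlines():
        match = LEADING_TOKEN.match(line)
        if match is None:
            out.append(line)
            continue
        token = match.group(1)
        try:
            ipaddress.ip_address(token)
        except ValueError:
            out.append(line)
            continue
        replacement = pseudonymize_ip(token, key) if key else truncate_ip(token)
        out.append(replacement + line[match.end():])
    return "\n".join(out)

if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
    print(scrub_log(SAMPLE_LOG, key=b"constructed-demo-key-keep-this-in-house"))
```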
> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
Then you probably need Datenverarbeitungsaufträge (data processing agreements) with that third-party company, which define the precise purpose of processing the data. Data collection and processing is purpose-bound in Germany. The purpose needs to be stated, and one is then bound not to use the data for different purposes, unless one has consent from the people the data is about/from.
(not a lawyer, but this is my understanding)
> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google Fonts. To use them, a website has to ask for consent from the user first. This can be done in a consent-asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google Fonts. As a company, host web fonts yourself, or don't use them.
> Is there a difference between IPv4 and IPv6 addresses? Because behind a CGNAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address, on the other hand, I can.
That I cannot answer, or have not thought about in sufficient depth.
> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.