
>and you'll have to engage with it on those terms

Or you can just disengage with Europe altogether, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.



Good lord, it's like you didn't read the article.

Or, you're fine with a competitor who isn't afraid of entirely reasonable international laws coming in and eating your lunch.


We ran the numbers on how much it would cost to establish compliance, and with that alone it was barely worth it based on the current EU customer base we have.

We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.

We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truly fantastic outcome for us.


I find it amazing so many companies are willing to advertise the fact that they will abuse their customers in the way you are doing right now.


Where did I advertise misuse of our customers’ data? Compliance and privacy are not the same thing, just like compliance and security are not the same thing. We have a great privacy policy and we don’t misuse our customers’ data in any way.

For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.

Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse their customers’ data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear the most of the cost (while posing the least of the risk). Luckily for us, the EU is worth close to nothing for us.


You are advertising that your handling of personal data is so haphazard that GDPR compliance would be expensive. You are admitting that you aren't good enough for the EU, and therefore that you aren't very good in general at whatever you do.

I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.


I’m sorry, but this is simply the naive opinion of somebody that has clearly never had to deal with compliance before on a meaningful level.

My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.

This is not in any way a signal that we’re “not good enough” to handle our customers’ data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.

We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.

You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and you’re even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisations that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.


I'm arguing from the point of view of a customer, not "slandering". Customers are going to have a choice between GDPR-compliant companies and USA-only ones and (if they care) they are going to assume the worst about why the GDPR can make a company retreat from the EU market.

As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.

You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.


Right now we are going through a federal audit. We sell only to US orgs, but also have a social media platform.

Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents on how we use metrics and user data.

(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)

If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.

And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Edit: > "My customers are all happy with my privacy policy,"

Do they have a choice, aside from never using your stuff? Do you force acceptance of the 'privacy policy' on usage of your service? If you do, that is in direct violation of the GDPR.

Hope you never want to consider European citizens as a customer. Building in this respect is cheap, but is expensive if you ignore now.

Think of this as "California Emissions". Eventually the US will adopt, even if only de facto. Might as well be on the right side of the fence.
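The deletion handling the comment above sketches (zero the user's data immediately, have an overnight script remove the zeroed rows, and make sure the user does not come back from a backup) as an added Python example. This is not the commenter's code: the schema, the one-hour grace window before purge, the `tombstones` table used to replay erasures onto a restored backup, and the sample accounts are all assumptions made for the illustration.

```python
"""Two-phase erasure: zero the PII columns the moment a request arrives, purge the
emptied rows in an overnight job, and keep a tombstone so the same erasure can be
replayed onto a restored backup.  Added illustration; the schema, the grace
window and the sample accounts are assumptions, not the commenter's system."""
import sqlite3
from datetime import datetime, timedelta

PII_COLUMNS = ("email", "full_name", "postal_address", "signup_ip")
SAMPLE_T0 = datetime(2018, 5, 25, 9, 0)      # constructed "request received" time
ONE_DAY = timedelta(days=1)

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    full_name TEXT NOT NULL,
    postal_address TEXT NOT NULL,
    signup_ip TEXT,
    erased_at TEXT                 -- NULL while the account is live
);
-- Tombstones outlive the user row so an erasure can be re-applied to a restored backup.
CREATE TABLE tombstones (
    user_id INTEGER PRIMARY KEY,
    requested_at TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    # Constructed sample accounts using documentation-range addresses; not real people.
    rows = [
        (1, "alice@example.test", "Alice Example", "1 Main St", "203.0.113.7"),
        (2, "bob@example.test", "Bob Example", "2 High St", "198.51.100.9"),
    ]
    conn.executemany(
        "INSERT INTO users (id, email, full_name, postal_address, signup_ip) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()


def request_erasure(conn, user_id, now):
    """Phase 1, synchronous: overwrite every PII column and record a tombstone.
    Returns False if the account was unknown or already erased."""
    sets = ", ".join(f"{col} = ''" for col in PII_COLUMNS)
    cur = conn.execute(
        f"UPDATE users SET {sets}, erased_at = ? WHERE id = ? AND erased_at IS NULL",
        (now.isoformat(), user_id),
    )
    if cur.rowcount == 0:
        return False
    conn.execute(
        "INSERT OR IGNORE INTO tombstones (user_id, requested_at) VALUES (?, ?)",
        (user_id, now.isoformat()),
    )
    conn.commit()
    return True


def nightly_purge(conn, now, grace=timedelta(hours=1)):
    """Phase 2, batch job: delete rows zeroed longer ago than the grace window.
    ISO-8601 strings sort chronologically, so the cutoff is a plain text comparison."""
    cutoff = (now - grace).isoformat()
    cur = conn.execute(
        "DELETE FROM users WHERE erased_at IS NOT NULL AND erased_at <= ?", (cutoff,)
    )
    conn.commit()
    return cur.rowcount


def replay_tombstones(conn, restored):
    """Apply the live ledger's tombstones to a restored backup so erased users do not return."""
    removed = 0
    for (user_id,) in conn.execute("SELECT user_id FROM tombstones"):
        removed += restored.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    restored.commit()
    return removed


def pii_remaining(conn, user_id):
    """Non-empty PII values still stored for a user; None once the row is gone."""
    row = conn.execute(
        "SELECT email, full_name, postal_address, signup_ip FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return None if row is None else [value for value in row if value]
```

The point of keeping the tombstone separate from the user row is that a backup taken before the request still contains the full record; replaying the tombstone table after any restore is what makes the erasure stick.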


So because you don’t have many in-scope systems, you believe that the cost of compliance is going to be the same for every company in the world? And what did I say that gave the impression that I don’t respect my users or their data?

Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.

In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPR’s limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.

As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.


> However, that’s not how we manage risk.

I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.

Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.

Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.

I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's a broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.

Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.


I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.

For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.

Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.


> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type

I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.

Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislation of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?

If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.

> Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.

I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others' opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).

Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.


Great points. It’s all about risk and the cost/benefits of complying.


I think the underlying idea here, is that data is "radioactive". Quite a lot of data can be fed into classifier systems to accurately identify people (not just computers), their trends, their shopping habits, and other much more private things.

Europe, because of the classification systems surrounding IBM and the Nazis, has chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.

The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and sent pregnancy, maternity, and baby ads. The father was angry at Target for sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to stop this from ever happening again.

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...


Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.

I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.

I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.


> I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.

And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or Facebook, or Google. The time for their siphoning every last shred of data is done.

> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.


> It certainly doesn't appear to be a false dichotomy to me.

That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.

Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?

> And there are plenty of areas where my data is used against me

And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?


That, and the fact that a good chunk of present day Europe was under the Soviet boot for 40 odd years and the people there got to see up close how dangerous data is in the wrong hands (in that case: the government).


Unfortunately your reasoning is not correct here.

Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-nazism than Western Germany, which wasn't. So the 40 years seem to have made some long lasting damage instead of fostering a strong "never again" attitude.

On the other hand, 12 years of Nazi government have left a much more permanent "never again" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses).


Countries are made up of individuals and not all individuals have the same mental make-up. Yes, there are quite a few worrisome developments but there still (maybe not much longer) is an institutional memory of these things that is for the moment exerting a positive influence in this particular domain.


In that case and now, in this case, too.. the government will have a legal monopoly on the data.


There is nothing that will magically transfer corporate data to the government.


I'm not sure what you mean by this. No magic is required, only sufficient desire by those in power.

That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.


> It was that now only governments are allowed to gather and keep this data.

That just isn't true.


That's a pretty extraordinary claim, requiring extraordinary evidence.

There have been enough leaks that the public knows even European governments spy on their own citizens.


> And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Comments like this come across like a personal insult.

For you and others, please refrain from such comments; I see it shutting down interesting conversations (that help me understand additional viewpoints).


> Compliance and privacy are not the same thing

I remember the time we had very good privacy policies but getting that project to be compliant with COPPA was still a significant effort, so I think I get where you're coming from.

Once we became compliant, quite frankly, I felt a lot safer and more confident in affirming that our privacy policies were very good. Maybe it was some kind of sunk cost syndrome, but I was glad we did (were forced to do) it.


What amount of money would you have to invest and for what? Data retention?


thanks, you’ve pointed out a great signal that now exists. don’t do business with companies that choose to pull out of the eu market rather than comply with gdpr. these are companies that have made an explicit decision that user data privacy is a burden not to be cared about.

my company OTOH is choosing to apply gdpr principles globally.


Compliance and cost of doing so does not equate to privacy. Remember when all of the auto manufacturers in Europe "complied" with new regulation by spending a fortune on testing?


And in your mind there is absolutely no possibility that a reasonable explanation would exist why a company would pull out because of it?

How about cost of compliance? For example, just the fact that you need to figure out whether you are compliant or not costs money. If you ask for user consent, then you must be able to later show that you got said consent from the user to work that data. You also have to take into account the risk of fines if something somewhere goes wrong. We, as software developers, should be intimately aware of how things can go wrong despite everyone trying their best.

All of these things cost money. If the cost is greater than what the business from the EU brings in, then it's not worth it. The fact that there are people who immediately and only jump to the thought they don't care about privacy is very worrying.


There is a difference between complying with GDPR and caring about privacy.

I completely and utterly care about privacy, but things like not tracking IP addresses and allowing people to request removing them are a bridge too far. I can’t comply with that. I treat my customers’ important PII (names, addresses, etc.) very delicately. But the cost of complying with GDPR is too much.


> I completely and utterly care about privacy

and

> allowing people to request removing them are a bridge too far.

Are dissonant. You will have to pick the one or the other but you can't both care about privacy and not allow people to request removal of their data. That should be fairly obvious.


GDPR does allow you to record IP addresses in access logs and whatnot. And I'm not so sure people can actually ask you to remove their IP addresses; they'd have to demonstrate use of that IP over the relevant time interval, which is beyond most people. So I think while GDPR requires you to have a good reason to collect IP addresses, it doesn't meaningfully impose an obligation to be able to expunge them in removal requests.


and what will you do when Canada follows in the EU's footsteps? Or the rest of the world? When they finally put pressure on the US to do the right thing? Because this is the right thing to do.


Or just ignore it, take on EU customers anyway, deal with the risk.


An option that I see a lot of companies taking, we considered it, but decided it wasn’t worth it. I personally know of a few companies that have decided to blatantly ignore it until they see how offshore enforcement works out. If it ends up being favourable, it’s a strategy we may adopt.


I was considering that as well, but I think I’ll take a wait and see policy as well.


>(and investing in compliance with European - absolutely not international - regulations)

Did you think about this before typing?

Clue: how many countries does an EU-wide law directly apply to? One? Or many?


You are playing on semantics, anyway EU regulations apply to no country as it’s enforced by each member of the union, not by EU itself.


The GDPR regulation directly applies in all member states, and does not need individual states to do anything at all to enact it. If national courts decline to enforce it then it can escalate to the EU courts.

It is also international in that it applies to EU citizen data no matter which country it is held or processed in.


That’s not true. It’s implemented by the data regulation agency in each country. The CNIL in France for example. There is no EU GDPR agency.


It is true — you need to read the actual GDPR rather than online summaries.

The GDPR creates some new criminal offences that can be prosecuted through courts without the regulatory authorities being involved in Clauses 162 & 163.

Article 82 allows individuals to sue in court for compensation if breaches of GDPR rules cause harm.

The regulatory activities are on top of this.


I read the article, and I found it more than slightly dismissive of this option, particularly because the article (and other commenters, it seems), in effect, makes the inference that the main goal of avoiding compliance is a continuation of some nefarious behavior.


A bunch of companies are going to do this and then regret it when they notice that their competitors really didn't have to do much work to become compliant.

Then they'll try to come back... after their EU user-base was kicked out and forced to find alternatives.


That’s assuming that a competitor can make it cost effective.

If the original business couldn’t, it’s unlikely the competitor could.

I know in my business I’m shutting off EU sales.


> If the original business couldn’t, its unlikely the competitor could.

Considering the amount of FUD spread about fines, even here, with a fairly educated readership - I don't think you can really trust other people's cost / benefit analysis, even when they happen to have the same variables with the same values.

People are often wrong even in much clearer cases . . .


Then they can just do that. I'm sure other companies will be happy to scoop up that business.


We’d be quite happy if that happened. Seeing our competitors investing in Europe would simply mean less competition in markets with much greater growth.


Sounds like that's a solution everyone can be happy with!


It is not possible, unless you check the ID and residence certificate of all visitors. Blocking EU IPs is not sufficient.


This is, yet again, untrue.

https://gdpr-info.eu/recitals/no-23/

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

By blocking EU IPs the service is very clearly, unambiguously, not targeting EU residents.


Not sure why the downvotes. If you block EU IPs, an EU resident accessing a website on holiday outside the EU will not know that the website is not meant to offer services to EU residents. Solely blocking EU IPs is not sufficient. What would probably do is to have a banner on the website, where the user is informed that the website doesn't allow EU resident visitors, with a "Leave" button. Now the problem is if the EU resident confirms that he/she is not an EU resident. Then the controller or processor is still processing protected data, but unknowingly.


If you block EU IPs but your business is not targeting Europeans who are on holiday you don't need to comply with GDPR.

If you block EU IPs but your business is targeting Europeans who are on holiday - well, you probably still don't need to comply with GDPR because you've demonstrated attempts to actively avoid European residents.

The test in GDPR is not "does any European ever use the service?" but "are you targeting them?"


No, this is only not targeting people accessing internet using EU IP addresses, it doesn't exclude EU residents.


I am having a hard time seeing how EU judgements will be enforceable in the US?


I was really wondering that as well. Can we be held accountable?

It would be nice if the GDPR had a piece about “if a company refuses sales, even if they accidentally happen, the company isn’t liable” and/or “blocking EU IPs or redirecting to a no sale page is sufficient to avoid compliance”.


Probably they will not be - but there are cases of extradition of EU citizens to the US for various crimes like hacking. Who knows, maybe it will happen the other way around or some people will have to take holidays in the EU off the list.




Same here. The EU makes up such a small amount of our customer base, and EU customers spend far less money with us. Which is generally true in most industries: US consumers spend far more than consumers anywhere else in the world.

If we ever choose to enter the EU again, it will be a careful and deliberate choice, and will likely only ever happen if our growth slows in other regions.


As a formerly European person running internet companies in the USA this baffles me. Why the teeth gnashing over being told not to spy on your users?


We’ve got a great privacy policy, and don’t abuse our customers’ data in any way. However compliance would be very expensive for us, largely due to some of our early architecture decisions. The liability is also insane, and we don’t want anything to do with it. When we looked at how little our EU customers were worth to us, it was a very easy decision to simply abandon them.


so you say. if you don’t have strong processes to make sure that is true, it isn’t true. gdpr is mostly about ensuring you have such processes. if you can’t do things such as tell the user what data you have, and delete it, you do not have a great policy.

methinks you need some advice from better counsel. i bet that you are closer to compliant than you think.


Do you actually think the only way to respect users privacy is to comply with GDPR? That is an absurd and narrow minded opinion. Do you also actually believe that the entire regulation is reflected in your two line comment?

Listen, you’ve said higher up the thread that you plan to spread FUD about all companies that don’t comply with GDPR as a marketing strategy for your own product. I don’t see how anybody here could possibly take you seriously. GDPR is going to have a lot of unintended consequences, and people aren’t going to be happy with all of them. One of them is that small to medium sized companies will reconsider doing business in the EU, another is that the scope of the legislation is especially anti-competitive for small EU based businesses. There’s been a lot of FUD going around HN recently that the only reasons a company would plan to pull out of the EU are hysteria and malevolence. That’s not true, and for many companies this is just a simple business decision.


> That’s not true, and for many companies this is just a simple business decision.

But likely based on incorrect advice.

You haven't said why you think your company isn't compliant with GDPR, and it's possible your company is compliant with GDPR, or would require only minor tweaks to privacy policies to make it compliant.


If you ask US-trained lawyers (especially those with exposure to the tech or financial sectors) to perform an impact assessment of a European regulation, don't be surprised to receive a full-on Chicken Little response.

The reality is that the law is not a programming language and compliance is about alignment with principles, not blindly following a set of rules.


Huh? The entire thing is a set of rules that must be blindly followed.


Not exactly in the EU, see the principles vs. rules debate above


Sounds like he analyzed it very closely, so probably not based on incorrect advice.

And I’m guessing he can’t share too much about why, since he has said it’s based on architectural decisions, which might reveal business secrets.

The biggest reason I don’t like complying with GDPR is the IP address situation: I’m going to continue to track them and I’m not going to delete them because somebody requested.


Why is storing client IP addresses long term a useful thing for your business to do?


> I’m not going to delete them because somebody requested.

Why do you think you need to delete them when requested to do so? Can you point me to the bit of the regulation that makes you think that's a requirement?

Here's the Right to Erasure: https://gdpr-info.eu/art-17-gdpr/

Which bit do you think applies?


When I read it, I see that "The data subject shall have the right to ... erasure of personal data ... where one of the following grounds applies: ... the data subject withdraws consent...."

I imagine that HTTP logs associating URLs and IPs are personal data because they associate users with activity, so they would have to be removed.

It's pretty hard to destroy individual log lines (they're often aggregated in zipped files, for instance), and logs show up in lots of places: your load balancer may log, your web server may log, your application may log, those logs may be backed up to tape, you might have debug logs captured for analysis from any of these systems, and those debug logs might be present on developer machines, not on servers or long-term storage.

That basically means that if any user asks to have their data erased, you have to figure out whether they owned that IP address at that time (so they can't ask for others' information to be removed), then delete all those logs, potentially rewriting your whole tape archive(!), potentially having developers destroy the debugging info they were using to track down a memory leak or whatever (on laptops, or in the ticketing system, or in heap dumps, or wherever it might be).

It's pretty easy to say "don't keep logs of IP addresses", but that's one of the major ways people detect malicious traffic, e.g. spam, denial-of-service attacks, and break-in attempts. It's hard to live without that.

Am I reading something wrong? Is there something I missed in that section that makes it easier?

Is "so we can look for malicious traffic" enough of a legal ground for processing to keep personal information around indefinitely even if the user asked for it to be removed? I can't imagine that's so, as that would be a pretty big loophole.


> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

There are several justifications for processing user data. One of them is consent. But there are others. One is "legitimate need". You're not using user consent to process this log data, you're using a legitimate need justification.

https://gdpr-info.eu/art-6-gdpr/

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interest doesn't let you gather everything and keep it forever, but standard practice log rotation seems like it's compliant.


The proper way to deal with this is to rotate out the logs after a finite amount of time (you are doing that anyway, right?) and then to delete the logs after yet another period of time, once they have outlived their useful life. That's good practice anyway so I really don't see the problem.

Looking for malicious traffic is not a loophole that allows you to keep data indefinitely - even if nobody asks you to remove it - you don't need to keep it indefinitely.
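The two points above, that per-line erasure from access logs is impractical while IPs are still needed for a while to spot abuse, and that finite rotation followed by deletion is the sane policy, can be combined in one retention scheme. This is an added example, not code from anyone in the thread; the retention windows, the HMAC key and the log lines are constructed values.

```python
"""Two-stage retention for HTTP access logs: raw IPs are kept only for a short
abuse-detection window, then the file is rewritten with keyed pseudonyms so
per-client counting still works, and everything is deleted after a longer window."""
import hashlib
import hmac
import re

RAW_DAYS = 14        # constructed policy: raw IPs kept this long for abuse detection
PSEUDO_DAYS = 90     # constructed policy: pseudonymised copies kept for traffic analysis
IP_RE = re.compile(r"^(\S+) ")   # client address is the first field of a combined log line


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash of the address: the same client maps to the same token,
    but the token cannot be turned back into the IP without the key."""
    return "ip-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace the leading IP of one log line; lines that do not parse are left alone."""
    m = IP_RE.match(line)
    if not m:
        return line
    return pseudonymise_ip(m.group(1), key) + line[m.end(1):]


def retention_action(age_days: int) -> str:
    """Decide what to do with a rotated log file of the given age in days."""
    if age_days < RAW_DAYS:
        return "keep"
    if age_days < PSEUDO_DAYS:
        return "pseudonymise"
    return "delete"


def hits_per_client(lines) -> dict:
    """Abuse-detection style count; works on raw and on pseudonymised lines."""
    counts = {}
    for line in lines:
        m = IP_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


SAMPLE_LINES = [  # constructed combined-log-format lines
    '203.0.113.7 - - [10/Jun/2018:12:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2018:12:00:02 +0000] "POST /login HTTP/1.1" 401 87',
    '198.51.100.9 - - [10/Jun/2018:12:00:05 +0000] "GET / HTTP/1.1" 200 1024',
]
KEY = b"constructed-key-rotate-with-the-logs"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(pseudonymise_line(line, KEY))
    print(hits_per_client([pseudonymise_line(l, KEY) for l in SAMPLE_LINES]))
```

Rotating the key together with the pseudonymised window means old tokens cannot be correlated with new ones, which is the property that keeps the archive useful for counting without keeping the addresses themselves.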


>compliance would be very expensive for us

Care to expand on this? What would you need to do that you weren't doing already?


I'm not the person you're asking this of, but any regulation tends to require extra work to be done. Just the fact that you need to know that you're compliant requires work. Then you have requirements such as being able to prove that users gave you this consent, being able to prove that you did delete all the user data in all the possible places (including backups, VMs, crash dumps on developer machines etc.) when requested, etc.

You also have to take into account the risk of the fines. The fines are enormous and there are no guarantees that the regulators will not slap you with the highest fines "to make an example of you" or because you just rubbed them the wrong way. Even if you try your hardest to comply and think you have all the bases covered, it could very well be that you are not compliant because something was overlooked or there's a bug somewhere or something else entirely. You can never be certain about this.

Now you add up all of these costs and compare it to how much the EU market offers you. If the costs to comply exceed the income, and there are no near-future opportunities for large growth, then it would make a lot of sense to just pull out of the market.


If you are already compliant with your great privacy policy, what are some specific things that you find too expensive to be worth it? All I read from GDPR detractors are vague hand-wavy claims of “compliance stuff” being expensive. I’m obv not a professional compliance expert so ELI5.


This argument makes about as much sense as "if you have nothing to hide, you have nothing to fear" in support of surveillance laws. Presumption of guilt is a terrible rule to live by.


Actually your argument makes no sense because it amounts to: I am honest, therefore there is no need for laws. Thousands of years of human history suggest you are wrong.


GDPR and “not spying on your users” are not even remotely related. GDPR is a massive regulation requiring significant resources that most small businesses simply don’t have.


Can you list one or two of those "significant resources" you need and tell us why you need them, and didn't need them last year?


Insurance to cover the liability of GDPR fines, massive legal fees, and development time to name a few.


Surely you already had "cyber" coverage on your general liability policy, right, since you are handling users' data? I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.

Massive legal fees for what, exactly?


>I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.

I don't see how you can legitimately believe that there is not going to be an increase in costs. Either the insurance company was overcharging you before, they're lowering their margins or the price goes up. Anything else would require that the risk would be basically non-existent. The price might not increase right now, but it might increase next year or the year after that or the service might get worse.

>Massive legal fees for what, exactly?

To deal with situations that you didn't expect to happen, but did happen anyway. Even if you try your best, mistakes can happen.


In most industries, US consumers spend far more than consumers anywhere else in the world.

Not any more. China's citizens spend twice as much on international tourism as US citizens do. The EU has 508 million people. The US has 325 million.


The GDP, the consumer spending market and the consumer spending per household are all higher in the US than the EU. You can cherry pick out a few industries where other countries spend more than the US, but it's still the most valuable market by far in most industries.


One could read this as you're being dodgy with your user data. If you were reasonable with the data in the first place, then compliance costs nothing.


That doesn’t compute.

There is a difference between what GDPR says is okay with user data and what is actually okay with user data.

We may be reasonable with user data, but either disagree with a portion of GDPR (like IP addresses) or do not have the time or money to verify we comply.


Still don't understand the issue. IP addresses are being kept private like all the other user details, right? You can still have web logs with IP addresses without needing consent.

And also (as stated in numerous places), you won't get hit with fines. If you aren't compliant (and it would take a big violation to get their notice) you are given ample time to comply. Or, in your case, if you really are violating it flagrantly, then you could just block access to the EU. But you would have to be a big violator.

So if you look at a prisoner's dilemma outline you've got:

- you are violating / you block EU: outcome is no market access to the EU
- you are violating / you don't block EU: you have access to the market, and if you are caught violating you get ample time to change, or you can just block the EU and you're in the same boat as before
- you aren't violating / you block EU: you just blocked access for no reason and are losing out on a market
- you aren't violating / you don't block EU: you have access to the market

So if you don't know whether you're violating, or you wonder about the IP address and web logs issue (which is minor), then the prisoner's dilemma shows that it's best to continue as normal. There is no case where you would be hit with big fines.
