
I don't like Google but seriously this whole GDPR thing is getting out of hand.

Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.

Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)



> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protect any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to hand over any data will get them prison time.

This is against the intention and protection the EU set for European people. So if a company is violating these terms, it's good to take action.


Let's add that NSA has long history of engaging in economic espionage, including against EU.


People shouldn't need to be experts in data collection or computing in order to have their data treated fairly.

If Google can't protect user's tracking data (and they can't - the US law won't let them) then they shouldn't be allowed to hold it.


People shouldn't have to be experts in this stuff either just to put up a website somewhere, or worse keep up with every new ruling.


If you want to toss some static HTML into a host, go for it. If you want to record statistics on how many page hits you had, go for it. If you want to add JavaScript for interactions and making it look prettier, go for it.

But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".


Well, you can totally contribute to a privacy violating network … so long as the data is located and processed in France.

They are only trying to keep their monopoly on government oversight which is reasonable for a governing body (our citizens = our control).


> so long as the data is located and processed in France.

... you also have to ask for permission first.

The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.


> you can totally contribute to a privacy violating network … so long as the data is located and processed in France.

While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.


That's why this whole thing is nothing but protectionism.


At this point, tossing some static text up with default apache configs runs afoul of GDPR opt-out and data-scrubbing requirements, IIUC.


I'd be interested to hear exactly what default configuration violates GDPR, as that wasn't something I'd heard before. However, even if that is the case, that would imply that the defaults should be changed.

Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.

There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.


> I'd be interested to hear exactly what default configuration violates GDPR

https://law.stackexchange.com/questions/42438/do-default-apa...

It would appear public IP addresses are PII. Apache (and most web servers) log those by default.

A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).

I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.


Thank you, that was an aspect I hadn't considered. That said, I'm not sure how much I agree with the conclusion of this particular answer. My understanding is that IP addresses are only considered personal data if they either uniquely identify a person (e.g. a static IP address), or can be joined with additional available data to uniquely identify (e.g. a dynamic IP address logged by somebody who also has logs on the dynamic IP assignment).

In addition, there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be a more solid case [1].

[0] https://www.whitecase.com/publications/alert/court-confirms-...

[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...


Put up a static website and you're fine.

Collect people's data (and that's what a user analytics system does) and then you're responsible for it, and you have to follow the rules.


Static websites can collect data too. Lots of stuff can go into web server logs.


And web server logs are fine for troubleshooting and detecting abuse, you don't even need to ask for consent!

Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.


Source? AFAIK web-server logs logging IPs are not allowed under GDPR.


I looked into this back when the GDPR came into effect [0]. I am not a lawyer but in summary:

Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.

However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.

[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...


>It could be argued

I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.

And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.


That would be interesting. They all log IPs by default. Here's an example from nginx:

192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"
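
Added example, not part of the thread: a Python sketch of the two log-hygiene measures the comments above discuss for default access logs, truncating stored client IPs and dropping entries older than a short retention window. The 3-day window, the /24 and /48 truncation widths, the function names and the reading of the trailing quoted field as X-Forwarded-For are assumptions; the first sample line is the nginx line quoted above, the rest are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the thread).
RETENTION = timedelta(days=3)   # drop anything older than this
V4_PREFIX = 24                  # keep first 3 octets of IPv4
V6_PREFIX = 48                  # keep first 48 bits of IPv6

# Leading fields shared by the Apache/nginx access-log formats:
#   addr ident user [timestamp] rest...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) (?P<mid>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Last quoted field; assumed to be X-Forwarded-For when it holds addresses.
TRAILING_FIELD_RE = re.compile(r'"([^"]*)"$')


def truncate_ip(addr):
    """Zero the host bits of an address; return None if it is not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    # ::ffff:a.b.c.d is an IPv4 client in IPv6 clothing: treat it as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_trailing_field(rest):
    """Truncate any IPs in the final quoted field (forwarded client list)."""
    m = TRAILING_FIELD_RE.search(rest)
    if not m:
        return rest
    parts = [p.strip() for p in m.group(1).split(",")]
    scrubbed = [truncate_ip(p) for p in parts]
    if not any(scrubbed):
        return rest  # e.g. a user agent or "-": leave untouched
    joined = ", ".join(s or p for s, p in zip(scrubbed, parts))
    return rest[:m.start()] + f'"{joined}"'


def scrub_line(line, now):
    """Return the line with truncated addresses, or None to drop it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # fail closed: an unparsable line may hold a raw IP
    try:
        ts = datetime.strptime(m["ts"], TS_FORMAT)
    except ValueError:
        return None
    if now - ts > RETENTION:
        return None  # past retention
    anon = truncate_ip(m["addr"])
    if anon is None:
        return None  # first field was not an address (e.g. a hostname)
    rest = scrub_trailing_field(m["rest"])
    return f'{anon} {m["mid"]} [{m["ts"]}]{rest}'


def scrub_log(lines, now):
    """Apply scrub_line to every line and keep the survivors."""
    return [s for s in (scrub_line(l, now) for l in lines) if s is not None]


# First line is the one quoted in the thread; the others are constructed.
SAMPLE_NOW = datetime(2022, 2, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    '192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav '
    'HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) '
    'Gecko/20100101 Firefox/98.0" "-"',
    '2001:db8:abcd:12:1::7 - - [11/Feb/2022:09:00:01 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "curl/7.81.0" "203.0.113.77, 198.51.100.9"',
    '198.51.100.23 - - [01/Feb/2022:08:15:00 +0000] "GET /old HTTP/1.1" '
    '200 100 "-" "curl/7.81.0" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for out in scrub_log(SAMPLE, SAMPLE_NOW):
        print(out)
```
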


So true.

I have a collection of small, US-focused websites.

I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.


> That’s the first I heard of it.

This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?


No, this is a perfect example of the exact opposite.

A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.

On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.

As I said, it’s simpler to just geofence everything.


You don't need GA for a website either. Many websites probably don't even need any form of analytics at all.


Do you really think we are in a better place now with GDPR and all these annoying cookie banners all over the place?


Overall, yes. At the very least it's been incredibly enlightening. It's amazing how random websites have 50 "partners" all of which for some reason need to know what I'm doing.


So you think your "enlightenment" is worth the millions of work-hours people are putting in just to read and click a cookie banner they give absolutely not a single crap about?


They wouldn't have to do this if they didn't spew personal information indiscriminately to scumbag "partners". So yes, I do think that is worthwhile. The cost is borne by the correct people.


The cost is borne by every single internet user in EU clicking countless stupid boxes every single day - for nothing.

Also by the EU users losing access to ad-supported free services.


Not for nothing, as you can see in this post. Little by little we're stopping to send private data to the US. That's a good thing, even if it's painful at the start.


>That's a good thing

Says who?! I have zero problems sending my private data to the US. I did it for years and I still think it is one of the better places to send my private data to. Definitely better than my own country.


Answering here because there's a thread depth limit.

> Free content and services. What do you lose in exchange?

Privacy. What I do shouldn't really be anybody else's business.

An ad-targeted web. IMO ads are a plague on useful content, because everything is about getting views and clicks. This makes actual content less useful and more annoying to consume. It incentivizes posting low effort, watered down content rather than smaller amounts of great content. It also means content creators are trying to please the advertiser, and not me.

Risk of manipulation. Lots of effort has gone into figuring out how to best manipulate people, and when you know who somebody is and how to best tailor any given message to them, you can get pretty far. I'm quite sure that I also have buttons that can be pushed if somebody knows how, and I don't particularly like the thought of that.


Me, obviously, since I made the comment?

And why the heck would I want to give my data to a bunch of random companies? What's the benefit in it for me, anyway?


> What's the benefit in it for me, anyway?

Free content and services. What do you lose in exchange?


And every single user outside the EU. I never voted for these crazy runaway regulations, but I can’t browse many sites on mobile at all with all the damn banners.

EU bureaucrats are effectively prescribing how the web should work for everyone. Ridiculous.


Yes.


Never a shortage of people willing to dictate other people how to live their lives.


Never a shortage of people mad that they can't eat trans fats or inhale leaded gasoline exhaust anymore, either. Not great analogies, since giving up personal info to use free services is a reasonable choice for individuals... But in aggregate, it's like giving up a bit of sovereignty to be that transparent. Microtargeting has helped enable some serious societal harms, i.e. spreading lies to the gullible while evading scrutiny from others, and that pales to how intelligence agencies can use the hoards of personal data. I think France and the EU are moving in the right direction, given the CLOUD act exists, and given all the other bad societal effects enabled by a surveillance focused economy. US politics hasn't weathered the shift well, unless of course your fitness function for politics is how resilient the elected government is against voters, i.e. how little can it serve their interests without losing power.


No one is dictating to you how to live your life. The recent EU privacy laws are about giving people a choice how their data is used. You are free to accept the cookies. You are even free to automate that via browser extensions. You are free to build websites in ways that don't require tracking user data and thus don't require consent. You are free to vote for politicians that are against privacy rights or even campaign yourself.

But a fundamental issue with freedom is that sometimes freedoms conflict with each other. Here the freedom to do whatever you want conflicts with the right to privacy of others and the EU has decided that in this instance the right to privacy takes precedence.


I am not free to use ad-supported US services when they stop being provided to EU citizens due to the onerous requirements imposed on them by privacy laws.

I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.

The EU politicians unilaterally decided to steal these freedoms from all EU citizens.

The right to privacy is not a freedom. I am not sure it's even a real right. But it was easily accessible even before the current privacy laws, even if it needed a little technical competence. It wasn't the default though. And the current laws do not provide me the privacy I actually need: from EU government(s).


> I am not free to use ad-supported US services when they stop being provided to EU citizens due to the onerous requirements imposed on them by privacy laws.

Those companies are free not to do business with you but it is not the EU privacy laws making that decision. Those companies can provide their service in a privacy-respecting way and many will - the EU is not a small market to give up on. You can also use a VPN.

> I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.

You think users should need to be technically competent to block cookies but don't want to be technically competent to install an extension like https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

And don't forget that those consent popups are likely specifically designed to be annoying in order to get you mad at the privacy laws. Don't fall for it - the EU privacy laws do not require websites to be user-unfriendly.

> The EU politicians unilaterally decided to steal these freedoms from all EU citizens.

I am not going to pretend the EU is a perfect democracy, but ultimately, those decisions are made by those elected by the people - directly or indirectly.

> The right to privacy is not a freedom. I am not sure it's even a real right.

It is a real right that has historically been enforced in many EU countries. The recent laws do nothing more than update that enforcement to the digital age.

> But it was easily accessible even before the current privacy laws, even if it needed a little technical competence.

No, it really wasn't. You can block cookies but you cannot stop companies from tracking you via the 10 million other ways they have available or to trade information about you with third parties. You cannot use technical means to find out what information companies have collected about you. You cannot use technical means to compel companies to delete information they have already collected. THAT is why we have new laws.


Hell yeah. The banners are the fault of the website owner. They don't have to display them.


But they do, and it's terrible.

I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?


Searching for "Allow All" becomes a reflex after a while. I don't know anybody rejecting anything anymore, it's even worse.


Honestly, I've never felt the urge to reject. I'm a guest in their data house, soaking their bandwidth for free. Track away.


This is weird. I'm neither in US or Europe but still see all those cookie banners everywhere on every site.

Thanks to GDPR, we have a much more private web. /s


Do you really think GDPR and cookie banners are related? Most are non-compliant in the first place, and were around for years beforehand.

Yes, I think we're in a vastly better place, where there is a cost to doing bad things.


Unfortunately the cost is borne by us, regular EU internet users through a much degraded Internet browsing experience.


You know those "cookie banners" are illegal under GDPR too, and done specifically to annoy people into agreeing?


This is so funny. Under GDPR everything is illegal, the only legal website is no website.

Good for Europe, they are just going to law themselves out of the internet. Up to the point where your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.


What about clicking or typing in a site? Is your webserver processing those? That means you’re gratuitously using user data to run your for-profit business! That should be illegal!

/s


100%.

(Also, the GDPR is not responsible for cookie banners)


Good law understands consequences.

The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.


>The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.

And now the regulators are responding to it.[0]

[0] https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...


That ruling declares that a centralized solution is no good.

The predictable outcome from that ruling is a decentralized solution: a few libraries attempting to build frameworks that are compliant, everyone implementing their own one-off versions of permission-granting and cookie consent using those frameworks as a basis, and the Authority chasing mom-and-pop sites that are out of compliance until the sun goes cold.

In a sense, that may satisfy the goals: the data will be decentralized, stored widely, and harder to aggregate. On the other hand, what we learned from the virus era and the Windows OS monoculture is thousands of nodes running the same software (but not centrally maintained; maintained by people who have a job other than maintaining a website and are therefore slow to patch security holes) will be vulnerable to scripted attacks against frameworks.

My prediction is a net increase in stolen PII and, while individual site-runners will get screwed, the number of sites collecting the data won't go down. It's just too valuable, and the odds you will get hit by a hacker are too low.

In any case, it'll be a hell of a ride.


Cookie banners were already a thing before GDPR.


This! GDPR is a big block towards technological improvement.

Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.

It benefits only the big players who have lawyers to know exactly what to do and not, and a nightmare for anyone who tries to grow a small business or have a small website.


> GDPR is a big block towards technological improvement.

It's exactly the opposite.

It forces technology to be developed in a way that protects human rights (specifically the right to privacy).

Innovation is not automatically good if you're innovating in the wrong direction. Think of it as a vector, not a scalar.


I was anti-Brexit when it happened, but am beginning to see the wisdom of it.


It was already non-invasive. I, as a conscious human being browse a website, use their (potentially free) services. The website can of course put a cookie and track me. If I'm really paranoid I could block cookies etc but regardless, no one forces me to use their website.

If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).


Who is deciding what is the wrong and good direction to innovate in for everybody else?


Apparently some politicians in EU who have a grudge against US-based tech companies.

"Hey Google and Facebook is doing so well let's make harder for everyone using their services."

I neither have sympathy for those companies and never been to US, but after all these GDPR regulations I actually started to sympathize.


[flagged]


Nothing to do with warrants. And this was done by the highest level of EU courts, overriding the commission (which allowed data to be transferred)

The decision is here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62...

And it's all about warrantless surveillance.

"As regards the limits on intelligence activities, the referring court emphasises the fact that non-US persons are covered only by PPD‑28, which merely states that intelligence activities should be ‘as tailored as feasible’. On the basis of those findings, the referring court considers that the United States carries out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter."

and

"As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens."

So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.


> So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.

Nothing about this stops that. Like I said to the other person this is protectionism. Requiring every US-based tech company to duplicate its infrastructure in the EU, Which in turn gives EU competitors an unfair advantage.


The argument is not that Google shouldn't hand over data with a warrant if it resides in an appropriate jurisdiction. The argument is that Google shouldn't have the data in that jurisdiction to hand over in the first place unless an individual user has given consent for that.


Why should every US tech company be expected to duplicate its infrastructure in the EU? Google isn't special, this applies to EVERY US-based competitor to GA. This gives EU competitors an unfair advantage.... and that's the real point.


Because the US cannot implement reasonable privacy laws that give basic safeguards to personal information expected by EU citizens (or even UK citizens).

If anything, EU competitors to Google Analytics are at a _disadvantage_ because they can't apply the same laissez-faire techniques for US-based customers that US-based companies get away with.


[flagged]


> I understand how you could think we are since we seem to pay your military budgets for free.

I live in America.

> It's protectionism because your tech industry sucks.

I work for a FAANG, in America. "My" tech industry is doing fine, thank you very much. Nice try though.


> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.

They don't want private corporations having DDR-like folders of information on citizens.


But successive German governments really like the state to collect all communications data - so the sensitivity is very one-sided.


That's the funny thing: they are sensitive of data collection by corporations when the data collection during the DDR was done by the government, something that they surely don't care about.


the major other difference being that I can democratically elect who is part of my government. I cannot do this in a US owned corporation.


Government surveillance on citizens has a long history of horrifying consequences, especially in Germany. What is the worst corporations are doing with our data? Better ads?!


> What is the worst corporations are doing with our data? Better ads?!

There is often no clear dividing line between government and corporations. You give one freedom to abuse privacy and it will be used by the other.


You mean the governments will abuse the privacy, no matter who gathers the data. Then maybe our fight is with them, not businesses.


No, what I said doesn't preclude corporations abusing privacy.

They regularly try to do this, as with working from home monitoring, or insurance companies profiling individuals.

Governments can also be governments in name only, see corporatocracism.


> working from home monitoring, or insurance companies profiling individuals

Comparing that with what governments can do with data gathered about me, I know which ones I want to be protected from. Unfortunately they are the ones writing privacy laws and they leave huge loopholes for themselves.


especially not in systems in which the government turns totalitarian. (see, fascism and while stalinism doesn't have the concept of a company, many of its state owned enterprises were former companies).


Yup. Governments already can access any data they want anyway. Sure, with access to big data collected from corporations that would be easier, but even without that, government can do whatever they want (unfortunately).

This harms companies, website owners trying to use services, and users (someone using my free site, I need to monetize it, targeted ads was a nice way, now I can't).

I see no upsides of actually protecting privacy.


I don't see that as a relevant distinction. Democratically elected governments can do really bad things, too, and they have a much bigger tool kit for it than corporations.


> Rest is just making life of web developers/admins/tech company owners harder.

Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.

Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.


I wasn't referring to FAANG, I was referring to smaller devs/admins who try to keep up with analytics and don't have ridiculous amounts of money to work with lawyers to see what they are doing for analytics for the sake of improving their service might be landing them $1m fines for some new rule in some geographical locations.


Well, if they want to operate somewhere, they have to follow local rules.

I doubt American companies wouldn't comply with American law, European law is no less important than the American one and I don't see a reason why we should be accommodating towards foreign businesses, especially, again, those of a country which is a threat. Big companies shouldn't serve as a model to follow.


That's the problem: web should be global and open: a website shouldn't be bound to laws of somewhere. It's 2022 and forcing following local rules for a web based global service only does harm to users (and the service).

A basic example: government of my country requested all data and payments to/from PayPal to be controlled by them, PayPal naturally rejected it, and they got banned from my country.

Now who is affected? Us! The whole world can use PayPal to send/receive money pretty much everywhere, but we can't.

These regulations and "needing to follow local rules" itself is alone a reason for a completely decentralized-countryless web to succeed.


I don't like the meat industry, but seriously all these food safety laws are getting out of hand.

Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.

Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.


Eating tainted meat can kill you. What’s the worst corporations can do by tracking you? Better ads?!


"We kill people based on metadata." - Former NSA Head Michael Hayden.


Last I heard, the NSA was a governmental agency, not a corporation.


And governments now outsource some of their functions to bigger corporations as a loophole around human rights- mass spying and censorship, for example.


Then let's fight the actual problems - the governments - and stop going after the decoys. Let's make it illegal for government to access and use business data. That will fight the actual problem while allowing businesses to keep serving us better.


I have somewhat of the opposite opinion. I use Google search and Gmail and think they are good products. When GDPR was first being rolled out I was convinced that it was going to destroy the web and ruin a lot of what I like about it. I was wrong and now I’d like to see the US provide similar protections for consumers.


Try to use the web from inside the EU. It is ruined.


> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

What percentage of the general population do you estimate a) will know enough to want to do this and b) will know how to do it?


They don't need to browse the free web as well, but they choose to do.


That's like blaming the people in Flint, Michigan for drinking the lead-tainted water.


You need to drink water to survive. You browse web voluntarily, picking the website you want to visit voluntarily and with intention to go there. No one dies if they don't visit a website.


Yeah, no.

My kids cannot opt out of Microsoft Teams - it’s a school requirement. People applying for jobs are gonna have to apply online these days.


> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.


> Rest is just making life of web developers/admins/tech company owners harder.

So what? The right to privacy is more important than a select few having an easier time doing business, end of story.


Well no one puts a gun on your head and forces you to visit a website. Anyone who cares can always block GA with extensions either. If you are entering my site, hosted by me, owned under my domain, I can put whatever tracking script I want, controlled and used by any company and no one should have a right to control it.


> Rest is just making life of web developers/admins/tech company owners harder.

Seriously? People spend tons of money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary user data and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies

We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Schrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.


Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicitly browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.

I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.


> Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicitly browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.

The problem is that we made collecting user data the easy task while ignoring privacy protection. The fact that Google spent billions to make spying easy does not mean it should be legal. And it's really easy to be compliant - don't collect data. You don't need it to host your website, you really don't.

> I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.

And you're absolutely free to ask people for consent for collecting their data or to simply block visitors from the European Union. You can also not collect data or do so in compliance with the GDPR, by the way. All ways are perfectly viable.

But just because I opened a link in my browser does not mean I consent to anything - by that logic, ransomware is perfectly fine, because you visited their website and downloaded their software. This is ridiculous.


GDPR is not merely a list of bad things not to do. You aren’t compliant unless you follow slow, expensive processes to continually demonstrate compliance.


I'd really love to see a quote on the section you're referring to. The GDPR has some processes for larger companies (i.e. DPOs), but they're neither expensive nor slow, and small companies have a lot more leeway.


The most egregious I know of is https://gdpr-info.eu/art-36-gdpr/, which calls for an 8–14 week delay that may or may not apply to any launch. I don’t even think the entire EU must agree on what the conditions will be.

Apart from “a natural person in the course of a purely personal or household activity” I don’t know of any size exemptions.


Have you seen the list of companies that typically show up when you opt-out of data-sharing? It's frequently in the hundreds. I'm incredibly sick of them so frequently starting with "Your privacy is very important to us" immediately followed by "So we're going to share your data with these 100 anonymously named shell and reseller corporations."

It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.

Source: US Citizen, living in EU.


When I was a young adult, when a visitor counter on a website was en vogue, I was building a system that would take note of where the user came from, which pages they visited, how long they stayed there, which page they exited through. What paths they took through a site.

It didn't go that far. But when I saw people plastering Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.

Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.

But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.


The industry standard is to show utter contempt for the user. It's expected that every site will show you tacky and distracting ads and will dump 90 third party cookies on you. It's beyond belief.

Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!


Imagine there is another travel agent not doing all that, but it costs money while the first is free. Wouldn’t you like to have the right to choose which one to visit, or do you prefer that choice to be made for you by politicians instead?


I would absolutely like the ability to pay for services which do not track or advertise to me. But they don't exist for the most part, and the existence of those services does nothing to diminish the requirement of the ones engaging in poor practice to make their service "free" to obtain _consent_ for what they are doing.


> But they don't exist for the most part

And the current privacy laws in EU make the free services illegal. How is that any better than the scenario where paid services did not exist?


Because privacy is maintained for those that want it, and those that don't know they want it.

Free services may exist perfectly well:

- They must not invade privacy without obtaining consent

- They must not transfer personal information to jurisdictions with privacy controls which are too lax.

If a business relies on doing either of those two things, it deserves all the problems it has.


> and those that don't know they want it

So much evil was done in the name of pretending to know what people want better than people themselves.


Then focus on the people that do want it - which by the count of the number of people who say no to Facebook tracking on iOS, is a very high number. Enough to be of material impact to Facebook's bottom line.


The law does not allow Facebook to refuse service to those saying no to tracking. If they were faced with that choice, I am sure most users would've made a very different selection.


Due to a misconfiguration by my local ISP which meant Google services were not accessible, I discovered that the UK government's 'parliamentlive.tv' has a dependency on JQuery loaded from Google's CDN.

You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:

> Anyone who's concerned about their data being collected can just block Google-or-like-related domains

Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.


This is completely unrelated to GDPR. In France, Google Analytics was illegal since it was ever started. French privacy laws from 1978 are still to this day MUCH STRONGER than GDPR which is just salt on the wound and does not prevent malicious collection of data (though now you have to come up with a "legitimate interest" excuse for that).

Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.


> Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.

The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.


> I don't like Google but seriously this whole GDPR thing is getting out of hand.

IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.

> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.

If it stopped at Google, this would be easy. But GA is just tip of the iceburger.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.


> can just block Google-or-like-related domains

Got a grandmother?


Who's concerned about Google collecting data? No.


Surely that is to do with her knowledge and education around privacy and data collection. Ignorance to the issue doesn’t mean we should ignore people like this.


I am perfectly educated about privacy and data collection and I completely fail to see the actual harm being done. I am much more bothered by those incessant cookie dialogs.


So we should accept facial recognition in public because there are people who don't care?


Amazing how you got there from me saying I don't have a grandmother who's bothered about this.


Should we allow it just because there is a vocal minority really bothered by it?


Why not? No, seriously. If people that are concerned by it are in minority - they should wear masks.


So you are not concerned about your grandmother?


#sowhatyouresayingis


It's just getting in hand, and I love it!


This is like saying that we shouldn't have meat packing hygiene regulations because people can always go vegan.

Yes, you can always avoid the bad behavior of corporations by living in a tent in the wilderness. No, that doesn't mean we shouldn't regulate them.


> Rest is just making life of web developers/admins/tech company owners harder.

There are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expense of people's privacy, choose your shit carefully.


Pro tip: no tracking, no problem. GitHub has my respect on this one.


The CNIL was created in the 1970s. The main thing the GDPR has done is give it a lot more teeth. So in effect data privacy has been the law for over 40 years now. Ignorance of the law is not an excuse, not for such large corporations in particular.


I don't want to comment on GDPR, but you must be kidding with 'can just block'. Do you expect that the average Joe can do that? It's like saying we don't need police, you can simply defend yourself.


Everything comes at a price. I don't expect every average Joe to be tech savvy to use extensions. Though when visiting a site (an action that a person deliberately takes) if they really care about their privacy on web, cookies, GA tracking they probably aren't an average Joe and can use a blocker.


You are conflating "technically savvy" and "doesn't want to be spied on". I understand that these probably correlate in your world, but a simple moment to think about why most people click "no" to the iOS tracking opt-in prompts explains that these are orthogonal issues.


Agreed



