It's more like not subjecting employees who bake cookies and share them with coworkers to the same inspection requirements as commercial kitchens whose entire business is selling food to the public.
Even more so because one person distributing bad food can give a dozen others food poisoning, but the concerns with data collection come from mass surveillance and aggregation, which implies a scale that large entities have and smaller ones don't.
> not subjecting employees who bake cookies and share them with coworkers to the same inspection requirements as commercial kitchens whose entire business is selling food to the public.
A coworker baking cookies and sharing them with coworkers isn't trying to make money off of those cookies. A startup is.
The coworkers consuming those cookies are generally able to identify that the cookies were homemade, bakeshop, or industrial quality. Today we can barely even identify what is tracking us, let alone how, and definitely not why.
You're not comparing apples to oranges. You're comparing apples to bushes. Homemade cookies and startup personal information aggregators aren't even in the same league of category.
Also it feels like a slippery slope. Let's say the cutoff is $25m in revenue. So you have some business ideas based on violating user privacy that are profitable, until the company reaches the size where it has to comply, and all of a sudden it's unprofitable.
Clearly the next step is to lobby for raised limits, rather than companies planning in advance for what they'll do when they cross the threshold.
Typical lobbying is completely the opposite of that. The companies who have the resources to do it aren't going to be inside the threshold between e.g. $25m and $100m and they wouldn't want to stay that size anyway, so what they'll do is lobby for a generic exception that isn't related to entity size at all. Or if anything is inversely related to it, so that the same large entities that have the resources to successfully lobby to change the law are also the only ones who can comply with the rules while simultaneously skirting their intended purpose.
And if you have a problem with corporations controlling your legislature then in general it doesn't do a whole lot of good to debate what some other law should be since the better law wouldn't be enacted by a legislature controlled by lobbyists anyway.
When I said small I was thinking more about <$250k a year in revenue. At that size I think the companies would be small enough that their lobbying wouldn't matter.
If you're in the millions a year in revenue then I don't see how understanding and complying with GDPR would be a large barrier. Even $250k might be too high.
> A coworker baking cookies and sharing them with coworkers isn't trying to make money off of those cookies. A startup is.
You're implying that the rules only apply to companies whose line of business is selling data. There wouldn't be an issue if that were true. Making money by selling mugs on the internet where you also collect some customer data is analogous to making money by working for a company where you also distribute cookies.
Even more so because one person distributing bad food can give a dozen others food poisoning, but the concerns with data collection come from mass surveillance and aggregation, which implies a scale that large entities have and smaller ones don't.