> It's not obvious why this is worse or any less of a deterrent.
I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US, and much less common (and hush-hush in the rare cases where it does happen) in Europe.
I'd also hazard a guess why it's less of a deterrent: the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower compared to the relatively high probability of a DPA going "WTF no" in Europe as soon as someone reports it.
> I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US
But that's because the US doesn't even have the law requiring express and freely given consent, so they just stick the consent in some agreement nobody reads next to a box you have to check. You could have that rule without having the whole GDPR.
In this case they apparently collected the data even if you never checked the box, which is just egregious and now they're getting sued.
> the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower
Certainly this is not because plaintiffs would be unwilling to file claims if they could.