
And now, if you're marketing or selling to people in the European Union, you're expected to have a deep understanding of data privacy law to negotiate GDPR, ePrivacy, and a host of other (often contradictory) regulations.


I'll be honest, I've been selling EU wide for a while now (~2 years), only abiding by UK laws for the LTD, and before that with a Belgian BVBA. There's all the laws which I never thought about, and no one ever said anything about it. Sure, it's not sustainable long term, but now I can fix all of it because I actually have a profit.

So, you can either be afraid and dump a lot of your money into "doing everything right" or start right away and fix shit later. I'd say don't be discouraged by the seemingly spooky EU laws.


It sounds like you're saying that users that care about their privacy/PII should be wary of startups?


Good. It's about time start-ups started taking that responsibility seriously.


I sort of agree? I think it's important that people take data privacy and security seriously. I don't think someone, however, needs a nuanced understanding of what constitutes legitimate interest for data processing, or needs to have an attorney from every country or region they do business in on standby.

The issue is that vendors (CRM, marketing automation, etc.) are trying to offload too much of the risk and accountability to their own end users, which leaves startups piecing together tech stacks that are sometimes not even legally compliant in their default settings. Not OK.


That's definitely true, but I'm not too worried about it. It will be a short-term headache, but I think eventually processes will be refined and new models of responsibility will evolve.


It's not about responsibility, it's about the unnecessary red-tape.


I actually think it's in most cases not that bad for new projects, since you can from the beginning design it accordingly. Tracking down all the details, making sure existing vendors are compliant (and having to swap out those that aren't) and finding replacements for processes you maybe wouldn't do like that now in an existing application sounds harder than minimizing exposure in the first place. Keyword: "privacy-first design".



