Re: Envelopes
You make *some* good points, I particularly enjoyed 'It’s like being handed a squirt gun and told you’re part of the fire brigade.'
The problem is you're seeing it as a conspiracy rather than an ongoing effort of problematic companies to work around the rules due to both some ambiguity and more importantly the enforcement organisations being under-resourced. This isn't new. See also 'the gig economy' and most recently in the UK heated tobacco products advertising, which is a great example.
Heated tobacco products. Without wishing to be sued, what can be said is that it is clearly a product that is unhealthy for the consumer. You could probably reasonably call its existence evil, as it's more harmful than vaping (but less so than burned tobacco). Trading standards' position is that advertising this is banned, but this has not been tested in court because they are under-resourced. So some adverts for it have been running. The resolution to this is the Tobacco and Vapes Bill, currently grinding its way through the parliamentary process.
The point of this? Legislation is a long, slow, error-prone process, and many entities that stand to make money could try to abuse it.
If GDPR formalised data exploitation this would imply:
- What existed prior to GDPR was better - this is very clearly not the case, even if personally I feel the utterly bullshit popups ruined the web.
- Post GDPR companies are able to more easily harvest data, with the correct legal trickery.
- Based on your specific posts, that many/all companies are salivating at the prospect of abusing customer data
Prior to the GDPR Facebook had the Cambridge Analytica scandal. The GDPR, if anything, helped to some degree in preventing *that specific class* of misuse reoccurring.
Having implemented GDPR data cleaning for a product in a company that contains large amounts of personal data, I can tell you that, as Gordon alluded to, we do the best we can. I took the best care I could to clear down the maximum amount of data whilst keeping the system operational. We don't use customer data for any purpose other than the system defines, there's mandatory training on appropriate use of data and reporting for its misuse, and there have never been any conversations on using data for purposes which would be useful to the business but not related to functionality based on the products on offer.
That is for an EU-based company though. Let's just say if I worked for a US company I wouldn't trust many of them to uphold those standards.
I wouldn't primarily blame the laws. I would take a closer look at the amount of funding, enforcement, and deals done at compliance organisations. Are they adequately funded? When there is a breach is it enforced? When it is enforced, is the scale of enforcement appropriate?