First of all, I wanted to thank you for the constructive and interesting exchange of views - I find that too often conversations on EU regulations on HN devolve into caricatures and trolling, its been nice to have a substantial conversation with you.

Ironically, I have the opposite read on the same situation: "Just do what the law wants from you" seems like a pretty straightforward thing that even the smallest startup can follow.

In the case of GDPR that would be roughly "don't store any personal data you don't strictly need for the feature, ask for consent, delete data when asked".

Checkbox-lawyering on the other hand requires just that, lawyers. Expensive ones. Ideally entire legal departments.

If you're a huge incumbent, you can afford that. Meta finds the neatest little ways to technically comply without actually doing what the lawmakers wanted. The little startup? No chance.

The other concern is addressed by the judicial system. If a competitor got some exception you didn't get, that's your correction mechanism. The CJEU exists precisely to ensure consistent application across member states and cases. The purpose is the same for everyone; the implementation differs based on context, but the purpose doesn't change.