Everyone claims to care about privacy these days. So let’s talk about what that actually looks like in the real world.
The illusion of privacy
If you’re using a smartphone and paying with a card, your privacy is already dead.
You’re carrying a government-and-corporate-grade surveillance device in your pocket – voluntarily. GPS, GSM, Wi-Fi, Bluetooth – it pings your location, habits, and contacts constantly.
Here’s a detailed breakdown of how that works, written together with a trusted tech expert:
GPS, GSM, Wi-Fi, and how you’re being tracked
Then you swipe your bank card – digital signature complete. Every transaction timestamped, geotagged, and permanently recorded. Still think you’re anonymous?
And if you log into Gmail, TikTok, or Instagram?
You’ve handed your soul to the data gods.
Not even a VPN can save you – not when you’re logging into services that are the tracking system (it’s like wearing a mask, while flashing your ID card). You are the product, and you’re already sold.
But then you come knocking on my door – a guy running a free forum – demanding to “see all your data” and “have it erased”?!
Get real.
Note: This critique focuses on the practical effects of the GDPR – not its stated intent. Yes, data abuse and privacy violations are real problems. In practice, however, this regulation disproportionately burdens small website owners while leaving the largest data harvesters largely untouched.
When a phone-distracted driver runs me over, I don’t care if his intentions were good – “just to get home.”
What GDPR claims to do
GDPR is marketed as a privacy law.
You’re told it gives you rights – to see who has your data, to ask for it to be erased, to take back control online.
Sounds nice on paper. Like someone’s finally standing up to the surveillance capitalism of Big Tech. But here’s the thing:
If you look at what it actually does – and who it actually burdens – it’s hard to believe it was written with good intentions (unless it was written by utter idiots). It doesn’t really stop Google, Meta, or your mobile provider from profiling every move you make (any problem solved by money – i.e. paying fines – is not a problem for them!).
What it does do is dump absurd levels of legal and technical compliance onto small websites and independent creators – the ones who aren’t even tracking you in the first place.
It forces them to show you pop-ups about cookies you already have full control over in your browser settings – as if the Internet is broken until you’ve clicked ten “Got it” buttons.
If you’re gonna piss on me, don’t try convincing me it’s raining.
This isn’t privacy protection. It’s red tape, theatre, and control.
And when you realise that the EU still wants access to its own population’s data – GDPR insists it is kept local, within reach of its own laws, its own servers, its own surveillance infrastructure – it becomes clear:
GDPR isn’t about protecting your privacy. It’s about making sure they stay in control of it.
And if you think that sounds conspiratorial – consider this:
The same EU that insists your data must stay within its borders (for your “safety”) is now pushing to break encryption and grant state access to private messages. The ProtectEU proposal – a 2.0 rebrand of the failed “Chat Control” law – would mandate backdoors into secure communication platforms.So, first they centralise your data within their legislative reach – then they try to legalise reading it.
These aren’t the actions of people who accidentally undermine privacy. They’re the moves of a system that wants control – and knows exactly what it’s doing.
Read more:
Chat Control 2.0? Experts urge the EU not to undermine encryption with new ProtectEU plan
What GDPR actually does
Spoiler: it’s not stopping Google! It’s not stopping Facebook. And it’s definitely not stopping your telecom provider – with your local police warrant already sitting in the drawer.
Big Tech has lawyers. Compliance officers. Automated consent platforms. To them, GDPR is just another line item in the budget.
- They keep tracking you.
- They keep profiling you.
- And when they get caught, they pay a fine – then keep doing it.
Meanwhile, people like me – running a modest site with Google Analytics, a few ads, and a forum – are expected to:
- Display cookie consent pop-ups, even though users already have full control in their browser.
- Keep a log of every bit of data collected – even if it’s just an IP or an email.
- Respond to legal-style emails from random users demanding to “see all data held” or “be erased.”
- Rebuild parts of the site to satisfy laws that weren’t designed for anyone running on a budget of zero.
Let’s be clear: I’m not selling anyone’s data. I’m not tracking them across the web. I’m not building shadow profiles.
But under GDPR, I’m treated the same as Meta – only without the legal team, the revenue, or the army of compliance consultants.
This isn’t about privacy. It’s about power, paperwork, and keeping control over who gets to run a website – and how.
It’s not often that I’m glad to be (left) outside the EU.
But when it comes to GDPR, I bloody am!
The cookie banner circus
Let’s talk about the most visible “achievement” of GDPR: the cookie banner.
Because obviously, the biggest threat to your privacy isn’t your phone bleeding data, or Google reading your emails. No – it’s whether a random blog told you about a harmless little cookie that remembers your dark mode preference.
So now every website is legally forced to slap a pop-up in your face the moment you visit – often before the page even loads properly. Half of them don’t even function.
The other half are designed to trick you into clicking “accept.”
Technically, that last part violates GDPR – but enforcement is lopsided. Big Tech either pays the fine and moves on, or throws a team of lawyers and engineers at it to patch things up. Small publishers? They can’t afford the fine, and they sure as hell can’t afford the fix.
And here’s the kicker:
You’ve had full control over cookies in your browser this whole time.
Delete them. Block them. Set exceptions.
The tools are built in – and have been for decades.
But instead of educating users, GDPR forces site owners to waste time on banners that annoy practically everyone (I know a few neurotic folks who enjoy those, but that’s for the psychiatrists to deal with), solve nothing, and train users to blindly click “Accept” just to get to the bloody content.
That’s not privacy. That’s box-checking nonsense designed by people who either don’t understand how browsers work… or don’t care, as long as it creates the illusion of control.
Want to actually protect user privacy? Teach people how to use browser settings. Stop making website owners build a second cookie settings menu just to make the EU feel productive.
Gluten free only?
GDPR isn’t protecting your privacy.
It’s just making it harder for small, independent creators to run websites without risking legal threats or wasting hours on pointless compliance theatre.
It punishes the people doing the least harm, while the ones collecting, selling, and exploiting your data keep right on doing it – legally, as long as they tick the right boxes.
Meanwhile, you’re still carrying a smartphone.
Still swiping your bank card (remote RFID is now more popular though, right?).
Still logged into Gmail, TikTok, and Instagram.
Your privacy was already gone. GDPR just gave the illusion of getting it back – and handed the paperwork to the wrong people.
Appendix: The GDPR fan-fiction section
Let’s take a moment to address the usual defences – the things people say when they want to believe GDPR is working, or at least that it’s better than nothing (a list of logical fallacies).
Yes, GDPR was created in response to real data abuse. And no, this article doesn’t argue that surveillance capitalism is fine. The problem is that GDPR doesn’t actually fix the problem – it shifts the burden to the wrong people and creates the illusion of control and accountability.
If you’ve ever pointed out the absurdity of GDPR, you’ve heard some version of these:
“It gives users control over their data”
On paper… maybe.
In practice? It gives users an endless stream of meaningless checkboxes, bloated privacy policies, and cookie banners that exist solely to protect the website – not the visitor.
The irony?
Real control already exists and has existed.
Modern browsers let you block or delete cookies, send Do Not Track headers, and sandbox scripts. That’s actual control – but no one teaches users how to use it.
Instead, GDPR offloads the entire burden onto website owners, forcing them to build redundant pop-ups to satisfy bureaucrats. Because nothing says “user empowerment” like clicking “Accept All” just to read a blog post.
“It holds Big Tech accountable”
Sure. Occasionally.
A billion-euro fine here, a forced banner update there. And yet they keep tracking you, profiling you, and monetising your behaviour – because they can afford to (and because you go out of your way to log into their platform, so no need for even cookies).
Fines are a speed bump. Compliance is a tax.
Meanwhile, the same rules apply to a guy running a cycling forum in his spare time – with none of the budget, lawyers, or infrastructure to “fix” things the GDPR way.
Accountability? More like selective enforcement.
“It’s not perfect, but it’s better than nothing”
When all else fails, this fallacy (we gotta do something) for the win! LOL 🙂
The default fallback argument.
Let’s consider this:
If a system punishes harmless actors, creates barriers for honest creators, trains users to blindly click consent forms, and does nothing meaningful to stop the real data vampires – is it better than nothing?
No. That’s actually worse – because it wastes everyone’s time while pretending the problem is solved.
Yes, GDPR inspired copycat laws worldwide – because nothing spreads faster than performative regulation.
Just like the Continuously Variable Transmission (CVT) bicycle hubs, GDPR might sound good if you read the brochure. But what it promises and what it actually delivers? Two very different stories!
So no – GDPR isn’t misunderstood genius or “a step in the right direction.”
It’s a bloated, performative mess that dumps the burden on the wrong people, solves nothing, and trains everyone to pretend privacy is a checkbox.
Big Tech shrugs it off. Bureaucrats pat themselves on the back.
And the rest of us get screwed – with a banner in our face.
Note for the “just skimmed it” crowd: This critique is focused on the practical effects of GDPR – not its stated intent. Yes, data abuse is real, but this law hits small site owners hardest while leaving the biggest trackers untouched.
Links and (re)sources
- Relevant LowEndSpirit forum discussion:
GDPR discussion
Last updated:
Originally published:
