
And if your MVP makes money, you're on the hook for a lot of taxes and income reporting. It's part of the cost of doing business.

For better or worse, entrepreneurs only have their peers to blame for this, the peers who fucked up so badly that the government felt it had to step in.



The sum total requirement for reporting taxes on a hobby project in the US is filling out a single 1099-MISC at the end of the year, during a process that you'll already be doing anyway. It's not an onerous burden which introduces significant friction to the process of bringing a new idea to fruition.

I'm not saying "hobbyists shouldn't have to comply with the law", I'm saying "the law is disproportionately punitive to hobbyists in terms of burden imposed".


If, and only if, you don't know what you're doing with your data. Most cases can be covered with a bit of forethought and some documentation.

"Hey, I need to be able to query and delete data" is not a huge cognitive overhead when creating an MVP.


It's not just querying and deleting data, though.

You have to be able to demonstrate audit trails of consent, including what the user consented to and when. You have to be able to demonstrate audit trails proving deletion requests. You have to have audit trails of who has ever accessed this data. You have to have a means to exclude pieces of your dataset from aggregate statistics on demand. Also, your audit trails can't contain PII because then your audit trails are in violation of the deletion requests, so you have to have mechanisms of proving that you processed deletion requests without actually identifying the data processed. You're also now obligated to respond to data inquiries in perpetuity, even to people for whom you have no data. Article 32 appears to impose a requirement for encryption at rest, high availability, disaster recovery, and regular penetration testing - all good things, to be sure, but completely impractical for the small hobbyist. Your "querying and deleting" is, by the letter of the law, now required to be a full-blown production-ready architecture with a business's worth of documentation.

And all because you wanted an email address to keep your login form from getting spammed?

I realize that in practicality, this is unlikely to ever be leveraged in any significant scope against most hobbyists, but the law is merciless and it is foolish to assume that you won't be caught in its crosshairs just because you weren't its intended target.


> And all because you wanted an email address to keep your login form from getting spammed?

No, all this because companies were selling your email address to spammers.

Also, your reading of the law seems at odds with most other readings I've seen. I'm sure it will come down to a lawyer - but I'm also sure that hobby programmers who take reasonable steps won't ever be in the crosshairs of the EU.


> It's part of the cost of doing business.

In a jurisdiction. GDPR means a dollar can buy more MVPs outside Europe than inside. Keep in mind that this has no bearing on the privacy stance of the ultimate product. Just the fixed cost of iteration.


I hate to break it to you, but the idea behind the GDPR is gaining traction outside Europe. Fighting this trend is only going to hurt more in the long run.


> the idea behind the GDPR is gaining traction outside Europe

I hope it does. Europe, however, has a unique penchant for unnecessary bureaucracy. Nobody is complaining about GDPR’s requirements. It’s the ancillary administration which is destructive.


What enforces compliance if there is no administration? The administration is the teeth of the compliance.

Companies have had years in which they were receiving warnings and recommendations for best practices - they ignored them. This is the piper coming with the bill.
