A few things:KelliWolfe said:Are you willing to gamble 20 million Euros on that?
People keep throwing around that 20,000,000 Euro number, because that is the big scary number being thrown around by the media. Bu the entire system is set up on a scale with different levels, with the $20,000,000 being the highest level, not the floor, and actually is specific to the highest level types of infringement. The law is convoluted to all heck, but it doesn't mandate automatic 20,000,000 ACROSS THE BOARD. That figure is for high-level infractions. And it is UP TO, not MINIMUM OF. There are actually multiple levels and a lot of variables that factor into fees.
"Ambulance chasers" will take advantage of the fearful and stupid, but in reality have no power. Much like the Do Not Call list here in the U.S. or Can-Spam Act, enforcement depends on reporting. And the law says that reports must be for ACTUAL violations, not theoretical. So Jane Doe the ambulance chaser demands that you show her the information you've collected on her, but you never collected any information on her. They can file a complaint, which will then be investigated...assuming the governing agency actually puts enforcement behind one-off complaints. History tells me they will instead be looking for patterns of behavior, because that is how every...single...government...agency involved in this type of stuff works.
Because processing complaints costs money, and there is zero point spending money to go after individuals who you aren't going to collect anything from if you are the government. Generally, they will go after those they can "make an example of" and that will generate a lot of positive press.
I think complying to the best of your ability if you actually collect user data is a good thing. But I also think some people are screaming "the sky is falling" because they see the big scary number.