I can't figure out how this will hit EU startups. Actually, this is promoting transparency and I really like it. I won't be suspicious if the site is gathering some data from me or not; if it is, it'll just display a friendly warning.
This is actually beneficial for users; and the ones who refuse are probably not the users you are looking for.
"It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings – and our competitors will not. It is a well known fact that at each stage of a signup process you lose customers – if you have to have a big warning sign just for a cookie that will remember you for purely convenience so that it keeps you logged in. The user wont read that detail – they will just think your a privacy nightmare and wont sign up."
If I read it correctly, the law addresses the cross-site cookies particularly, which I have been keeping disabled in all my browsers ever since the option was introduced (Accept cookies ... Only from sites I visit). And honestly, I don't care about "startups" that are trying to take advantage of ad cookies (edit: and Facebook tracking me via its ubiquitous thumb, and so on). Let alone that I use an ad blocker, too. Fuck that, you know.
In theory yes, but in practice not really. Consumer doesn't care, doesn't know.
On a side note, In theory if you are EU company you cannot use a CRM which hosts your data outside of the EU. For a USA CRM company only way to get around this "Safe Harbor Policy". Do you know how many SaaS CRMs apply Safe Harbor Policy? AFAIK Only 1, SalesForce.
But obviously there are thousands of Europan users of these CRM companies which violate this EU law.
I'm not sure about CRM specifically, but certainly various serious companies are aware of the EU data protection rules and take specific steps to comply. For example, I've been looking at off-site back-up for one of my companies recently, and while talking to Mozy they confirmed unambiguously and with specific details that any data from my company (in the UK) that was backed up using their service would be held in various protected ways in specific data centres within the protected area.
If you're in a business like that, where people are trusting you with that kind of sensitive information, I think you expect that serious customers are going to ask and they're going to need straight answers. I would agree that this is a barrier to entry for start-ups, but I think if you're trying to enter that kind of market but you aren't in a position to provide that level of service, you're already dead anyway.
Many would probably just not care, but the global players (Amazon, eBay..) would have to comply. Potentially it can affect everyone, just like introduction of EU RoHS directive phased out much of lead-containing products worldwide.
This is actually beneficial for users; and the ones who refuse are probably not the users you are looking for.