Would it be a crazy move for an early-stage startup to block access from the EU till product-market fit is established and one can focus on expansion and more compliance?

I personally don't think you should.

The EU authorities have stated multiple times that they won't chase small startups and mom&pop shops with this. They explicitly target big-tech with this law (can't remember where I got this from, currently looking for a proof-link in another tab... will update the comment if I find one)

Currently the fines do seem to correlate with the company size. E.g. Amazon Ireland has paid 750 million, Google - 90 million... While this one-man webmasters form Germany and Austria - $50 bucks and $100 bucks

Not totally true. If you're working with public institutes (universities in my case), they will ask you to comply to the major points (and help you comply, they effectively gave us two man-day of an architect, which, for a company with 3 dev, is huge).

Which part of that post are you calling "not totally true"? I don't see any conflict between what they said and what you're saying.

That startup doesn't have to care. If you're b2b and have a public entity as a client, you should care.

They didn't say not to care, they said not to preemptively block the EU.

Unless you have nexus in the EU, there's nothing they could do anyway. Even if they wanted to fine you.

It's a startup, it'll want to write a term sheet at some point. Term sheets have to mention this kind of thing.

> The tricky part is that it's not just for EU citizens, but anyone in the EU.

Why is this regarded as tricky? Laws generally apply to everyone in the jurisdiction not just citizens; why should it be tricky or surprising that this is also the case for laws regulating activities on the Internet?

Correct me if I am wrong, but I believe this was meant to mean a technically more tricky problem.

If it was citizens I could see a case being made that protection implementation could be based on the inputted address that is required for billing or shipping. If it's solely based on if you're physically in a country, then you need to determine in your app if the user is currently in an eu country or not. Which to me at least is more technically difficult, than just going off of a user entered address.

Typically things like this go off the IP address. And while it is more difficult than going off of an inputted address, it isn't that difficult. But it is also what you need to do. As an American, if I travel to Europe I'm protected by gdpr laws (and one reason why I get spamed by the "accept cookie" popups even from sites I normally visit it have a US address associated.

Someone physically located in the EU using a VPN with an endpoint outside the EU is still covered by the GDPR. Just going off IP address will miss this.

FWIW:

- https://github.com/google/fonts/issues/1495

- https://github.com/google/fonts/issues/5537

That's funny, demanding the scammer pay more after finding out their scam site uses google fonts too.

That's the trick, make yourself bulletproof from lawsuits by having no money or assets and you can do as you like.

If you're worried about GDPR or your users' privacy when using Google Fonts, someone wrote privacy-friendly drop-in replacement at https://github.com/coollabsio/fonts

Using Google fonts is a type of fraud since most users don’t know that you’re giving Google some of their Pii.

Thankfully it’s easy to block with noscript. Too bad for people who don’t have technical knowledge or have other limitations that prevent them from protecting themselves from personal information theft.

nit: using Google CDNs is the problem, not the fonts. You can self-host the fonts without issue, AFAIK. Google even provides a guide for it: https://fonts.google.com/knowledge/using_type/self_hosting_w...

> In January 2022, a German court in Munich did establish a precedent - they deemed the use of Google Fonts a GDPR violation. The website owner had shared IP addresses with Google without getting users' consent first. And because IP addresses are apparently "PII" or Personally Identifiable Information, the result was... a whopping 50 euro fine for the webmaster.

As predicted. Busy bodies going after low hanging fruit and bullying small business while big corporations can basically ignore GDPR - the fines if ever comes to it is just a cost of running business.

> After all I'm actually in the European Union, while he's just a little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

That’s a bad look. Swap “United States” for EU there to see what I mean. If you’d said “you’re not in the EU so you don’t have legal standing here”, cool.

You omitted the bit before this, which is crucial context:

P.S. Oh, but you bet I replied to that Bosnian scammer. After poking around on his "europedataprotection.com" site using dev-tools, guess what I found? You got it, network requests to fonts.gstatic.com

I shot back a message, letting him know HE owes ME a thousand euros. Or better yet, a million. After all I'm actually in the European Union, you little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

What's especially bad about it? Swearing at someone who has just tried to commit fraud against you strikes me as perfectly reasonable. It's what swearing is for.

Swearing at them that they're wrong: good.

Swearing at them that they don't have the same nationality: not good.

It's about location, not nationality. And mostly the scammer's location, not the author's.

Also I choose to swap “United States” for Bosnian, because the mental image of sending a bunch of US swear words from google is quite funny.