Maybe for large companies serving large-scale needs. But tiny companies w/ not-that-popular services might not have a version in that region (simply not worth the risk) and the citizens lose out. IIRC, there is not a way for a citizen to say "I understand what these companies do and choose to accept it"
See GP's comment. They lose out on companies that have now chosen not to operate there. Like small companies that don't want to risk being fined €20 million. It's not that they are companies that track you, it's that for many smaller/early companies that don't need EU customers yet, why even risk a mistake? And why risk the amount of that mistake on non-codified promises and subjective enforcement levels (i.e. "we promise only to use that number on the big players")?
If I were a VC, I'd tell my companies that didn't need EU customers yet not to sell to them until they are large enough to make sure they won't fall afoul of rules. Regulations almost always benefit the larger companies, even if they are well-intended. Smaller, more nimble companies almost always thrive in more open environments. Citizens of more open and less restriction/regulation encumbered environments often get a larger variety of businesses to use (sometimes to a fault, like tracking).
It's the "yet" that'll kill them. With the focus on growth, a VC-backed company will not be able to ignore the massive EU market forever. Can it pivot, quickly, to be respecting of privacy? If you've built your whole business on collecting and using personal data, how can you change?
You're missing my point. They haven't built their business collecting data. They were just mitigating risk. I am not talking about businesses collecting personal data. Just a normal company that doesn't want to worry about compliance in the early days (even though they are probably compliant). I specifically said "It's not that they are companies that track you".
When ready, they will be able to enter the EU market quite easily, but at least with capital and size they can do the work necessary to feel comfortable in their compliance. Until then, EU citizens don't get access to the company. This is what I mean about regulations favoring the larger companies. It's almost always the case.
Again - what are citizens possibly losing if the company cannot do business without tracking and selling their data? Because that sounds like it’s not those citizens losing - it’s US citizens losing.
Again - because they aren't tracking and selling their data, they are just managing risk. When doing business, it's not a blind "well, we're doing nothing wrong, we have nothing to worry about", it's "we're doing nothing wrong, but a mistake can bankrupt us in this market that is not required for us to sustain growth." Nobody wants to trust even-handedness application by regulators when it's just a ridiculously high penalty ceiling...well, nobody except those large companies that can absorb it. Citizens lose because they don't get to use products by otherwise well-intentioned companies that are scared of penalties because they are so high and subjectively enforced.
If I'm following your hypothetical situation correctly, you're claiming that an international company would rather not do business than to email the privacy commission for feedback?
Which is standard procedure when in doubt...
It's not about doubt of the rules. Though there is extreme subjectivity, that's not my point in these posts. It's about risk mitigation (i.e. the extreme size of the penalties coupled with potential subjective enforcement). I'm not claiming anything about an international company, I am talking about small startups that might not even go completely international at first. Why, if I have all the customers I can handle right now as I grow would I subject myself to more regulations for no reason?
It's not that hypothetical as I've been in this with young companies where we were deciding where to launch first (for beta or actual launches). Granted there was nothing then precluding EU users in those times, in fact we preferred it to help w/ i18n vetting. Nowadays, I'd just as soon leave EU countries off of the select box on my signup form, and not worry about GDPR compliance (again, even though I am probably compliant and believe in the spirit of the rules).
Exactly. To a large extent, I - a citizen of an EU country - can already see the effect. Just look at how many electronics companies don’t sell in EU. There’s a Swiss company making great routers that outright says it’s because of RoHS.
And as for the earlier arguments like “no loss” or “competition would step up” - look how few EU tech companies there are. There’s a reason for that.
The armchair commenters here aren’t EU business people, and it shows. Around here, GDPR is considered a disaster, in the usual style of EU’s heavy-handed, poorly thought-out regulations. It adds so much bureaucracy and expenses - even for companies that do nothing shady - that it is absurd.