The aforementioned GDPR regulations go into effect on May 25th, 5 days from this post. Because of the headaches and intense amount of website work this is causing me, I do not have time to write a review this week – you can thank the EU. A quick summary of the sources of my current migraine:
- The GDPR requires separate opt-in consent for EACH COOKIE set on a site. My ad network, because it’s a mish-mash of third-party ad networks, plants something like 23 cookies. That technically means I’m supposed to present 23 unchecked boxes to acquire consent.
- The GDPR applies to any visit from an EU resident. But, because I cannot guarantee that an EU resident isn’t visiting my site via a VPN that obscures his or her location, I cannot assume that EU IP addresses are the only ones that need to be handled under the law.
- The GDPR stipulates that I cannot block access to my content on the basis of not giving consent to tracking. That means I have to allow non-consenting EU residents (or anyone, really, see point above) to effectively steal (or, really, to access my site without me getting paid) my content, since I get paid via an ad network that requires the use of tracking cookies. (Hint: All of them do.)
- Technically, I’m supposed to STORE personal data (which I wasn’t doing before) in order to be able to PROVE under an audit that I properly acquired and stored a visitor’s consent to be tracked. I actually have to do MORE personal data tracking to adhere to the new law.
- If I were to get hacked (I’m not Google, I can’t afford the kind of industrial Internet security it would take to 100% guarantee this won’t happen), I could be liable for fines.
- If I miss something and end up getting reported to the appropriate EU authority, and the US (where I live) decides to honor the EU request to enforce the fine under international law, I could be fined up to 2 million Euros. I don’t have 2 million Euros.