
> GDPR is simply ignored by any bigger US company

I work for a very large US company and can assure you that GDPR is something we pay a lot of attention to. This isn't the opinion of my employer, but my personal experience is that the big players take it seriously and meet and exceed all their obligations because it's too risky not to, and they have the necessary local legal teams to understand the law as best as is possible.

I think it's the small/medium companies who are where most of the issues are. Small companies write a non-legalese privacy policy because they think that's better for their users, but in fact have written something legally meaningless that gives their users no protections. Some small companies just don't know their obligations because they think they won't apply as they're not in the EU.

Then there are the companies who are big enough to know better, but small enough to know they can get away with it because all the scrutiny goes to big tech. I was asked by a medium sized advertising network to implement a keylogger on our website at my previous company so that the network could enforce their revenue sharing by detecting all user data input into our site and match it against their records. I laughed them out of the room, but they made it very clear this was how everyone did it.



> Some small companies just don't know their obligations because they think they won't apply as they're not in the EU.

To be fair, unless a company has a business presence in the EU there is nobody to sue for GDPR violations. The EU cannot enforce its laws on an entity which isn't under its jurisdiction at all.


As long as the business has EU customers or suppliers, or employees that might want to visit the EU, then there is a possibility of enforcement.


Customers and suppliers can't be held liable for GDPR violations committed by someone else.

The only way the EU could enforce the GDPR on a fully foreign website is to block it.


Customers and suppliers can be held liable for doing business with unlawful organizations.


I would bet money they will start doing this.


Okay, with "any bigger US company" I thought mostly about Facebook and similar companies, of which many do continuously break GDPR rules even after many decisions and fines (simply because their business model is incompatible with privacy / data protection).

But it is still true that nothing happened after the Schrems II judgment, and many, many companies continued to transfer personal data to providers affected by FISA.



