> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.

So either you're lying or your lawyers are lying to you.

In 9 years you could've finally read and understood the rather small law yourself.

I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.

Before you get to a judge you will get plenty of warnings and anple time to fix whatever it is you're doing wrong.

For the absolute vast majority of companies GDPR compliance is trivial.

For the absolute vast majority of remaining companies GDPR compliance is simple.

There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).

I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy

No wonder you have "trouble complying with GDPR".

It costs money not earned by illegal selling of people's personal data, indeed.

> What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.

It's not a lawyer's job to answer that question because the answer is necessarily "yes" unless you intentionally did the illegal thing (i.e. intentionally did what the law explicitly tells you not to do) - and even then you might be able to defend it somehow.

The question is whether you have a good enough case for a ruling in your favor. And again, lawyers can't answer that because the question is always "it depends" - they're not in the business of fortune telling.

If you ask a lawyer for legal advice, it's their job to give you sufficiently good and accurate enough advice that if you tried to sue them over giving you bad or inaccurate advice they'd have a good enough chance of winning that lawsuit. How much they're willing to speculate about things like what's good enough for you and how high they'll set the bar depends on a variety of factors again.

There's literally no guarantee you can successfully defend something in front of a judge. The law is the law and the facts are the facts. If you end up in court, it helps if you have solid paperwork and a solid papertrail you can use to demonstrate you did everything correctly and in good faith - this is about creating facts that can be used to your advantage.

But the amount of expense required to do literally everything perfectly to the letter of the law and reliably document that you did so would make running a profitable operation impossible regardless of what laws we're talking about, so you necessarily have to strike a balance. And where you strike that balance is a business decision because it's about managing the risk of doing business. And that's not something your lawyer can decide for you - that's something you have to decide for yourself if you run the business. Because at the end of the day it's about your personal liability - whether through financial risk if your business is held liable or direct liability if you get personally held liable for your actions.

But this is not legal advice, I'm not a lawyer. I just know enough about (EU privacy and general German) law to be dangerous and accidentally trick actual lawyers into thinking I have a law degree.

By the way, that's also where that line comes from: it's saying "you can't hold me liable for decisions you make based on what I told you" - even when what a lawyer says is perfectly reasonable and sound to them they'll likely tell you it's "not legal advice" unless you are willing to pay the price tag of being able to hold them liable for what they said.