I usually don't like new tech regulations.

One reason is that technology changes so fast that new regulations tend to protect yesterday from last Thursday.

Another reason is that lawmakers tend to know little or nothing about tech. One former high U.S. government official once told a small group of us, roughly, "There are two things almost nobody in Congress understands. One is technology and the other is economics. So good luck."

Still, I had high hopes for the GDPR (the EU's General Data Protection Regulation), which famously went into effect one year ago. I suggested that we re-brand 25 May "Privmas Day" (hashtag #privmas), since I expected the GDPR would go far toward protecting personal privacy online, which prior to that date had been approximately nil. Back in 2017, I said (onstage, in front of thousands) the GDPR would be "an extinction event for adtech in Europe."

Here in Linux Journal, I put up an FUQ for the GDPR (the U meaning "Unanswered"), meant to provide guidance toward new developments that could give each of us many new forms of agency online, as well as some privacy. Because I really did expect the GDPR to encourage both.

Alas, mostly it hasn't. Worse, most of its early effects have been negative. For example,

And that's the pickle we're in now: if you want to talk privacy, ya gotta talk #GDPR. And that means assuming that personal privacy is entirely a grace of what others don't do to us, rather than what we can do for ourselves.. This is a very blindered view: one that locks everybody into thinking about how to protect 2015 from 2012.

Fortunately, we don't have to wear the GDPR's blinders.

For example, if you're not spying on people, don't bother with a cookie notice. They're all roughly the same as putting one of these on your house:

And start working on stuff that increases not only our privacy online, but our agency: the ability to get things done. New things. Better things. For example, terms that we can proffer and the sites and services of the world can agree to. (As we've promised to do here at Linux Journal.) There's a good list in An FUQ for the GDPR, and a continuously updated one in this punch list at ProjectVRM, which I run.

Meanwhile, we're not going to stop the lawmaking. So let's help lawmakers think and work outside the GDPR box. That means they should stop assuming that personal privacy is entirely the responsibility of potential violators. Here are four pieces that should help: