Privacy legislation by itself does not solve the problem; what Flo did was already illegal. Effective enforcement is also necessary.

They need to make an example out of these companies. If your whole business model is built around handling sensitive data, and you are caught shipping off that data to brokers, you should be liquidated or at least fined to within an inch of bankruptcy, as basically all of your profits are a sham.

Fined into bankruptcy and all managers up to and including the CEO criminally charged.

There needs to be penalties that piece the "limited liability" because otherwise it's just "pay to get away with it" as we currently have.

I've been for a "corporate death penalty" (if companies are people, they can be executed) which would result in the shareholders losing everything along with executives being perp-walked.

Not just executives. They don't will these things into existence. Someone had to build functionality to send user data to Facebook.

Not to side with this behaviour, but I think if you consent to it in the Ts & Cs then it's legal. And that makes sense - otherwise how else do you agree to things or not agree to them?

The point of laws is that T&Cs don't matter if the law has something to say. If the law e.g. were to criminalize sharing health information in this way, then it doesn't matter if the users agreed; you still go to prison for doing it.

> if you consent to it in the Ts & Cs then it's legal.

No. In a paper contract, you can scratch off things you don't agree with. You can negotiate.

You can't do that in Ts & Cs. For example, Ts & Cs often unilaterally change with no ability for you to review or cancel or undo. It's trivially easy to write software which uses services without ever agreeing to Ts & Cs. So it's not really a legal contract.

> And that makes sense - otherwise how else do you agree to things or not agree to them?

Through a real negotiation. With a paper contract, that both parties sign, and both parties receive a copy of, and that can't be unilaterally changed.

They've been thumbing their noses at EU privacy legislation and fines for quite some time already.

What does thumbing their noses mean? They have been paying while continuing their behavior, or not paying at all?

The first seems like it could be resolved with an escalating fine schedule, and the second could be mitigated by requiring Apple/Google to remove it from the app store (one of the rare cases walled gardens are on consumers' side).

> What does thumbing their noses mean? They have been paying while continuing their behavior, or not paying at all?

Malicious compliance. For example: https://en.wikipedia.org/wiki/Epic_Games_v._Apple

"While Apple implemented App Store policies to allow developers to link to alternative payment options, the policies still required the developer to provide a 27% revenue share back to Apple, and heavily restricted how they could be shown in apps. Epic filed complaints that these changes violated the ruling, and in April 2025 Rogers found for Epic that Apple had willfully violated her injunction, placing further restrictions on Apple including banning them from collecting revenue shares from non-Apple payment methods or imposing any restrictions on links to such alternative payment options. Though Apple is appealing this latest ruling, they approved the return of Fortnite with its third-party payment system to the App Store in May 2025."

Or https://developer.apple.com/support/dma-and-apps-in-the-eu/

"UPDATE: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA."

(This one resulted in enough fuss they backed down.)

Ah you mean generally, not in this specific case.

"would just solve", lol.