[guitarbill]

The GDPR is not fluffy language per se, just for people used to the overworked American style of legal documents where everything needs to be explicit.

Also, people seem to get hung up on consent. There are several lawful basis for processing data, consent is one of them. It's also the most abused, so it's the most heavily regulated in the GDPR. Ad-tech and the scummy parts on the web rely on "consent" (or lack thereof).

Normal website usage like eCommerce or even posting a comment can use other bases, like most legitimate interests - that's why they call it that.

Right to erasure is also fairly obvious as far as deletions go. Right to restrict processing is a bit trickier. Server location is also much more interesting, due to the infamous and rather shaky Privacy Shield.