The consent boxes are what GDPR will mean to most people in a few months. Deleting your data is a good thing, but that option has been available from the biggest data hoarders for years, and it's not exactly popular. In fact most users don't even know/care it exists.
But deletion hasn’t been available (and most “deletion” request functions have been in response to legal and governmental pressure already) and I recall seeing multiple stories about “deleted” material not being deleted.
GDPR is a response to the prior attempts to let the industry “self regulate” not actually doing anything.
Does it over-regulate? Personally I don’t think so - people talk about the complexity but that’s mostly due to the need to be absolutely explicit everywhere, and need to ensure that there aren’t loopholes that can be abused by some company with enough lawyers.
The industry did do some things: for one, internet giants are in a certain competition to appear privacy-conscious. For another, adtech did introduce some options (e.g. adchoices) but they were arguably too little. The thing is, however, people don't care about their privacy as much as their governments would like them to care, hence the regulation. But it's opinionated, extreme regulation meant to disrupt everything rather than fix the things that need fixing, and that never works.
The GDPR has a lot of clauses that seem nonsensical to an end user, but actually set up a situation where those data collectors must reveal the true extent of their data or risk massive penalties by having falsely disclosed.
Until now there was no way to gauge the truth in anything they tell you and no penalties for lies.
I'm not personally afraid of the data that commercial companies have collected on me, as I was consciously using their websites when I did. But it's more uneasy to think of the data collected by various security services. I am glad that GDPR is making people believe all their private data belongs to them (this is not true in modern states - government owns much of your data). At some point people are going to start asking questions about private data usage by governments. E.g. it is only a few years since governments started buying and using stolen private bank files to search for tax frauds etc.
The "consent or no dice" coercion will get fixed later on (2019 as it seems) with ePR [1]. Right now you have a choice to not use the platform. It isn't a fair choice (hence ePR) but it's there. And, you have the choice to request your data. It's a big step up, but it's not yet where it should be. Baby steps.
At least the EU does something about this data gathering mania (as for why, see Bruce Schneier's essay "Data is a toxic asset so why not throw it out?" [2]); the USA, for example, doesn't (yet). The USA just repealed net neutrality. It's good in a way because now we can watch the long term effects from the other side of the pond. I suggest Americans do the same with GDPR. Observe and learn from each other.
That's because they are so well hidden and not in the least bit advertised. We just all assume the worst of companies and generally are proven correct.
Last I checked, one of the biggest data hoarders of all, Facebook, did not actually delete your data when you told them to; instead they squirreled it away somewhere in a data warehouse just in case.