I don't believe that. If a compagny has no idea where does their data goes and what their use is, they have shitty practices and / or are incompetent. Good riddance
All you need is a privacy policy and the ability to delete / return customer data when requested. But that doesn't have to be in real time/automated, you can just set up an email address and respond manually. It's rare you'll even get a request if you're a company with such a small IT budget.
All the other things (double opt-in email, not contacting your customers in an unsolicited way) are process changes that can be implemented without IT cost.
Good riddance then. Not gonna cry for them like I'm not gonna cry for a restaurant that gets shut down because complying with health standards is too expensive.