by mehrdadn 2703 days ago
I agree, but is this a Google-specific thing? So many companies gather data on people without letting them see anything... I feel like we need legislation regarding this for all of them.

How is legislation going to fix this unless you mandate region locking of the internet? The moment a website loads some script from a Chinese site all bets are off from a legislative protection standpoint.
Under GDPR, an EU website owner is responsible for the Chinese scripts they load onto their site, as part of the Controller-Processor relationship. That doesn't help for Chinese companies without a locus of business in the EU, but it covers the hypothetical case that you raised.

In practice, legislation goes into effect globally by being in a large enough market that companies would rather comply than lock themselves out. Several companies have rolled out their GDPR compliance updates globally rather than just to the EU. It's the same reason that lots of products in the US comply with standards that only exist in California.

GDPR already requires all that data access and control even for people that don't have a formal account and haven't agreed to your ToS. No additional legislation in the EU needed.
But more enforcement. GDPR enforcement has been disappointing so far.
That's because DPAs understand that if they reinforced GDPR properly then half the companies, particularly small businesses, in Europe would have to be fined. I'm not just talking tech companies either.
That's also because fining isn't the first step, it's pretty much the last. You will have received a warning that you are not compliant and been given a deadline to fix it in most cases.
Like Google did in France? (receiving a warning before getting fined)
All those small businesses mostly have data about subjects they are conducting business with. In general this is a valid reason to have that data and GDPR compliance is merely about implementation details.

The data subjects of ad networks however are completely different entities from their customers, which makes it a very different compliance problem. It might not be possible at all to conduct that kind of business in a compliant way.