[kd5bjo]

Note that the GDPR isn’t just about cookies, it’s about all collection of personalized information, in any form. It also outlines plenty of scenarios that don’t require a separate permission request beyond simply doing business with a company.

We’re only in the midgame of this particular regulation— the rules changed “suddenly” and specified outcomes rather than methods. Regulators and businesses are in the messy stage of negotiating best practices as businesses change as little as possible and regulators give fines for misconduct.

The hope is twofold: that enough users will opt out to make problematic business models less profitable, and that the lower user friction of models that don’t require tracking will become relatively more successful. Neither of these goals is served by allowing a blanket permission setting.