by Nextgrid 2173 days ago
Agreed.

There is a lot of money to be made in GDPR-related consulting peddling non-compliant snake oil. GDPR compliance is actually quite simple; however, it is often detrimental to the business, so it's near-impossible to do "honest" GDPR consulting because you'd be telling your client things they don't want to hear, and they would rather go to someone else who tells them what they want to hear, even if they don't actually solve the underlying problem of compliance.

That's the only reason I can think of why non-compliant consent management solutions (such as TrustArc) are thriving, even though even a casual read of the regulations would immediately point out that they are not compliant and thus do not help to achieve the desired goal of GDPR compliance.

Unfortunately there is no enforcement at present so there's nobody out there to set the record straight and scare companies into compliance (potentially getting them to sue the consultancies for their non-compliant solutions).

1 comments

At the same time, looking at all the "parties" trying to track me on random websites, my core question ends up being "why the everloving fuck why?".

A lot of actionable data for many a business can be safely separated from PII. Simultaneously, I have a hard time understanding why a simple website might need 20-50 different tracking services, all 3rd party. In my experience, that's the typical kind of business that was targeted by dishonest "GDPR consulting".

For the majority of businesses that I talked with, GDPR compliance could be handled by implementing a set of rules that fit, in a normal font, on an A4 page. There are a few that truly required more, but for those the data was also crucial data, and that's where good, honest consulting could do a lot of good.