GDPR is the perfect example for OPs point. The whole thing is just stupid, protects nobody and thought millions of people to just click on Okay on any modal they are presented with.
There is a lot more to GDPR than cookie warnings. It ensures among other things that random companies won't get access to your data because of a purchase you made or a toll bridge you've crossed.
I go to the US every 2 or 3 years for a few days, and that's enough to end up on a bunch of American marketing lists. GDPR is here to prevent things like that.
It also prevents companies from holding my data hostage, and gives me a way to delete it.
There are other privacy-related laws that prevent companies from publishing a mugshot of me and extorting money from me to remove it.
No self-regulation doesn't work, mostly because people do not really care and do not incentivize companies for good behavior.
But the current legislation is spotty as best and doesn't really help, Google and Facebook are still collecting tons of data while SMBs will be the guys who get sued for not complying 100%.