[BjoernKW]

If anything, GDPR has made this easier provided they have the users' consent. If the user agrees you're allowed to do pretty much anything with their data.

It has also become a lot easier, unfortunately, to get that consent.

Both the convoluted legal framework itself and the dark patterns that arose from it (such as the "Allow everything" button being the primary action button and "Privacy settings" being a small, obscure link) are prone to putting off users, who more often than not will just click on anything just do get rid of those annoying pop-ups and banners.