[MauranKilom]

> Can the "don't do evil things with user data" intent of this legislation not simply be subsumed under GDPR?

It already is. Processing personal data requires a legitimate basis. Freely given consent is one of those, and the reason these companies are being fined is because "freely given" requires symmetry in accepting/rejecting. Without the symmetry, the companies had no legal basis for processing the data, so they got these fines.

It is harder to prove "evil things" in general, but the first step is preventing users from being coaxed into agreeing to "evil things" (or rather, making clear that this is illegal and will be punished).