[vurpo]

The issue is that GDPR isn't fundamentally about online data collection or tracking, it's about all data collection in general. You can't ban everyone from collecting data about anyone in all situations, because there are many cases where people legitimately want or need their personal information to be collected and processed by someone else. For example medical records, magazine subscriptions, bank accounts, etc. These are all covered by the GDPR, in addition to illegitimate data collection for the purpose of ad tracking.

So how do you define, in law, when a person legitimately wants a company to process their personal information, and when it should count as illegal tracking? The GDPR actually makes an attempt at defining this (doesn't just leave it blank), but many adtech companies just ignore this and break that law. See the article for an example.