[Aerroon]

>Making websites explicitly require permission to do (subjectively)

But that's already happening. Your browser just sends the data automatically. Putting this burden on the website just means that an actual nefarious actor will track you anyway. After all, how are you going to check that they actually don't save all that data your browser vomits at them?

If you want privacy then you have to make sure your browser doesn't send out that information in the first place. Once you've done that then GDPR is useful for plugging the holes for the non-bad actors.