The consent form situation did not get this bad until GDPR was passed. Prior to GDPR, cookie-consent forms were simple "Yes" or "No" buttons without all the insane pages of toggles.
GDPR did mandate defaulting all of those toggles to "decline" though, even though some are trying to get clever and add additional toggles for "legitimate interest" (which isn't how that works legally but AFAIK nobody has been sued over that yet).
The follow-up privacy legislation also bans the current dark pattern of making the "accept all" button more prominent and obvious than "decline all", at least requiring both to be equally prominent. The flow of having to go through "manage" or "see options" or other shenanigans as links in order to decline all has always been in violation of the GDPR and could theoretically open you up to the fines as it demonstrates intent.
Yeah, but providing an opt-out toggle for "legitimate interest" is a good indicator that the interest is actually not legitimate enough to require manual opt-out. And in practice I've seen it mostly used as a gotcha to make it harder to opt out of every single advertising partner individually.
"But we want to show you ads to finance our website and our advertising partners want to abuse your privacy" is not a legitimate interest.
This gets back to GP's point about GDPR vs ePrivacy Directive. Legitimate Interest is a separate Legal Basis under GDPR (and does in fact allow opt-out). But the ePrivacy Directive does not recognize Legitimate Interest. You cannot use Legitimate Interest as a basis for making a cookie opt-out.
Just because that correlated in time doesn't mean it's what the law actually implies.
Informed consent about cookies was a law that predated the GDPR.
The consent boxes only got worse because, with GDPR, you suddenly have regulators who care about these things and are empowered to impose hefty fines. So people stopped ignoring the whole space of privacy, as they had been before.
One of the declared goals of GDPR is to rein in "profiling". So the industry started trying to desperately weave a narrative on the grounds of consent: they wanted to create an electronic paper trail that would somehow support their claim that people were consenting under the rules of the GDPR to being profiled.
But consent under the definition of the old cookie directive does not meet the standard required under the GDPR for consenting to profiling [1]. People like Max Schrems are actively engaged in trying to get the industry to turn away from their noncompliant ways [2]. Especially the use of certain UI dark patterns has already led to hefty fines [3].
My hope is that, when this has all played out through the legal system, it will become clear to the industry that the stuff they are trying to get you to consent for them to do is just outlawed altogether, thus scoring a victory for privacy on the web and rendering that consent-stuff moot.
If not, regulators may need to get involved to make it more clear that this is the intended outcome, which I have no doubt they eventually will.
I also have high hopes that, eventually, GPC will become enshrined in law [4].