[Nextgrid]

More enforcement will force businesses to remove obnoxious consent flows as those are already in breach of the regulation and it just needs enforcement. Consent should be explicitly opt-in, you can't force it with annoyances, dark patterns or denying the service.

Some shitty businesses who outright can't be profitable without stalking will fold which is a good thing (less spyware in the world), most will adapt just fine - executives/shareholders may just have to forego that new yacht or supercar.

> A poorly written law, apparently designed to introduce additional friction into simple web browsing

It's not poorly written. It's written very well to explicitly outlaw the kind of malicious pseudo-compliance you're complaining about. Its objective is not to introduce friction, it's to outlaw spyware (which we've somehow normalized over the past decade).

> with porous and easily-evaded definitions and vague goals

The goals are not porous - in fact the law is intentionally broad enough so that the spirit of any data collection/processing can be taken into account, rather than a specific technicality (which is why focusing on cookies is stupid because GDPR doesn't care whether you do your tracking with cookies, IP addresses or the shipping/billing address your customer provides). The goal of the law is again to outlaw the business model of spyware.

> a tiny fraction of planetary inhabitants

Is the EU that small? Come on.

[orangecat]

Its objective is not to introduce friction, it's to outlaw spyware

Then why not just outlaw the spyware? Why go through the theater of "you can use spyware, but you have to get the user to 'agree' to it first, and you're not allowed to offer them anything in exchange"? That's just asking for the dark patterns and malicious compliance/non-compliance that we've gotten.

[Nextgrid]

> Then why not just outlaw the spyware?

The spyware is outlawed, and so is coercing users into "agreeing" with it.

The problem is that neither restriction is adequately punished to deter the behavior; as of right now, you're better off profiting off spyware because even if you get caught (which is a very big if), the penalty is merely to ask you to stop doing so (and future compliance isn't monitored, so you can get back to your usual shenanigans once the dust settles).

From a GDPR perspective, it doesn't matter whether you don't ask for consent or coerce users into it - both are outlawed, however, because of lax enforcement, an industry of snake oil has developed to sell companies non-compliant solutions (because actual compliance would put them out of business), along with spreading falsehoods and misinformation to promote said business which is blatantly visible on this very thread.

If you truly want to comply with the GDPR, the answer is to rethink your business model and fire a lot of people. But since it's uncomfortable, everyone would rather pretend they comply by paying for an expensive, not-actually-compliant "consent management platform" and otherwise continuing as usual.