I mean, every single tracking pixel on the web is a GDPR violation, unless they've established a legal basis to do so. As basically all of noyb's complaints being upheld by DPAs shows, most fail to do so, clinging on to legitimate interest when they fail the balancing test, or consent when the consent form is too deceptive or tipping the scale to count as freely given