I feel like a reasonable tweak to GDPR is to require that if a site has an "accept all" button, it needs an equally (or more) prominent "reject non-essential" button.
GDPR regs in fact already require exactly this, and all "consent" acquired without one has no legal basis. One or two national regulators have belatedly started to pursue it.
It's pretty much a requirement already. The website can't make it hard to reject or make it seem like accepting is the only way ahead. Many popular sites had made rejection easier after GDPR complaints (smaller ones often still didn't because nobody cared enough to complain, I guess).