[PeterisP]

No, this is not happening because they are clueless on what they can do - this is happening because they believe they can get away with this (by seeing that most companies do that). There is a clear global consensus on whether they are permitted do that (no, they can't), but there's also something resembling consensus that they'll keep waltzing over the boundary while they still can as regulators take their time with enforcement.

You don't have to worry about data laws unless you're trying to walk that line - and you should not. If you act reasonably and don't even attempt to track people unless they explicitly ask you to (which is what opt-in informed consent means) then you don't need to bother with the nuances. Megacorps are hiring privacy lawyers primarily because they want the lawyers to answer "what can we add/change to somehow keep doing this prohibited thing" instead of just stopping it.

When I hear from "unwillingly violated", most of the time it somehow comes from an organization blatantly and willingly violating the principles; indiscriminately harvesting data and basing their business model on that. Even for a startup, getting a quick 30 minute consultation on data privacy isn't a big deal, and compliance is trivial if you're willing to abandon prohibited ideas - GDPR compliance is primarily tricky for those who want to see what is the maximum amount of evil that is still legally permitted.