You haven't seen all their effects yet, and you've only barely escaped some of the especially bad ideas like intrusive CSAM scanning.
I don't think people will like eg Cybersecurity Act discouraging open source usage, or AI regulations mandating whatever we happened to call AI in 2023.
GDPR has honestly been fantastic so far, the problem the old cookie law has that it's defacto unenforced and site owners aren't ever fined for dark patterns of having to uncheck a 2000 item list of trackers. If they properly cracked down on it with only compliant 'yes or no' banners left as the law actually states we'd be in a much better place.
It's very middling: Google Analytics still tracks the vast majority of the web, including some government sites. Targeted advertising is still a thing. The cost of vagueness is pretty huge.
And the issue of lawfulness of "safe harbor" is still unresolved. US companies can just transfer data to the US where the US intelligence services can spy on it, regardless of what the laws of either country say.
On the other hand, people said that nothing would happen to the likes of Google or Facebook, as they'll just work around it. Well, that prediction aged poorly, the lawsuits have been progressing, and it takes only one DPA from one country to change things. Like how it was deemed that Facebook's ads targeting isn't a legitimate purpose, so they'll be forced to ask for consent without denying service for those that refuse.
Meta knows that GDPR spells doom for their business model, which is why they abstained from releasing Threads in EU, as a sort of warning perhaps. But it won't work, because the EU market is too big to pull from, which is why EU legislation has teeth.
And GDPR actually works, even if it takes some time for DPAs to solve existing cases. And the "cookie law" works too. People complaining about banners miss the forest from the trees: banners are mostly needed when doing spyware shit, and they serve as a great warning to visitors. There are no cookie banners on Mastodon.
A key issue is that the Ireland DPA is understaffed and overwhelmed, because that's where historically most of the global internet megacorps have registered their EU part for tax reasons, and it seems plausible that Ireland's DPA was intentionally understaffed because Ireland wants to be friendly with them, no matter how they affect German/French/etc consumers.
There seem to be motions about adjustments to the GDPR process which would allow other DPAs to take action with respect to their people's data without having to wait on the "company-local" DPA for however many years it takes. If that happens, I'd expect the situation for Google, Meta and others to change relatively rapidly (though still taking a year or more).
I think that impression you mention about the banners being mostly for spyware trash is no longer the case. If next to every site you visit does the same thing, then it feels normal rather than giving a hint something nefarious is going on. The Google and YouTube websites have banners (at least when you visit for the first time/are in private browsing or incognito mode), and lots and lots of people use those everyday.
If next to every site does it, most people will think there's nothing unusual.
Alternatives like DuckDuckGo or Brave Search don't have cookie banners. Google is far more widespread, but just because Google does something, that doesn't mean it isn't wrong. I will give Google credit for their consent dialog which has a "Reject All" option, (seemingly, from a UI perspective) in full compliance with GDPR.
The websites needing cookie banners or GDPR consent dialogs are using personal data for serving ads or selling it to the highest bidder. It's not a sentiment, but a fact visible to anyone that cares to see it. And just because it's a widespread practice doesn't make it ok.
>And just because it's a widespread practice doesn't make it ok.
You're missing the point. The fact that nearly every website you visit displays the banner means that users become desensitized to it. It's just one more thing for them to click on, next to the dialog to permit notifications and whatever else. It's the same reason developers are encouraged to solve warnings, so that when a new one props up they will notice it quickly and decide if its a problem or not; if you normally get hundreds of warnings when building you quickly learn to ignore them, hiding any problems that might exist.
Desensitised? I think not. Every time I see one of these utterly pointless cookie pop-ups it enrages me further that my time (and everyone else's time) has been so thoroughly wasted by this pointless law which accomplishes precisely nothing.
And it's different from the crying wolf of leaving unfixed warnings. The cookie pop-up often cannot be ignored as it requires some action to dismiss in order to view the actual content that the user was looking for in the first place.
Yes, because you're not thinking about the site asking for permission to track you (which was the original intent of the law), you're annoyed about your time being wasted. Which, I agree, is a total waste of time, but it doesn't counter my point that it desensitizes you to the signal the GDPR was meant to enhance.
>The cookie pop-up often cannot be ignored as it requires some action to dismiss in order to view the actual content that the user was looking for in the first place.
The user often cannot ignore the dialog in the sense that they cannot avoid interacting with it, but eventually they ignore it in the sense that they learn to automatically dismiss it without even thinking about it, like EULAs in software installers. Thus the dialogs become pointless.
