The thing is, our culture is different. We don't go for the jugular immediately.
Our DPAs (and our other authorities like the EU Commission in general) prefer to first say peacefully "hey, we see you got a problem there. You haven't been on our radar before so we'll give you a chance to fix this on your own, and you won't hear from us again". Most companies will say "hey, thanks for the notice, we got our stuff fixed, kthxbai" and that's it.
Fines or, as with the GDPR itself, USB-C or the DMA, actual legislation only comes when you either have repeat / intentional offenders like Meta, or stubborn companies like Apple.
Our DPAs (and our other authorities like the EU Commission in general) prefer to first say peacefully "hey, we see you got a problem there. You haven't been on our radar before so we'll give you a chance to fix this on your own, and you won't hear from us again". Most companies will say "hey, thanks for the notice, we got our stuff fixed, kthxbai" and that's it.
Fines or, as with the GDPR itself, USB-C or the DMA, actual legislation only comes when you either have repeat / intentional offenders like Meta, or stubborn companies like Apple.