Source: all those websites with annoying "cookie banners" where it's easier to accept than to decline.

The GDPR does not approve of that (it should be as easy to consent as it is to decline, otherwise the consent is void for GDPR purposes). Not to mention a lot of them aren't even implemented properly and personal data is leaked to third parties before any consent is given.

But everyone does it and keeps doing it (there's an entire ecosystem of those "consent management platforms" that include built-in features to breach it, including per-country variations so you can vary your non-compliance depending on the ferocity of that country's DPA and your risk-appetite).

And this is just the tip of the iceberg - I've seen things inside organizations that are not compliant either, but there's no point even talking about those if even the basic and obvious things like online consent flows not being enforced.

Here's a report from Noyb exposing the reality on the ground, quite a contrast with the tech-bros' fear-mongering: https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas...