I can see there are still major problems/loopholes in the GDPR.
<p>First off, it doesn't mandate <i>technical</i> measures to prevent tracking. Most GDPR "consent management" solutions work by setting opt-out cookies - they do not actually prevent any of the tracking crap from loading, and thus rely on the trackers being honest (we all know how this ends, see "Do Not Track" for an example).
<p>Second, it doesn't enforce tracking being opt-in at a technical level - again, most consent management solutions today set opt-out cookies, which means you have to enable cookies (aka trade some <i>real</i> security) to let the trackers know you don't want to be tracked (honest trackers - if such exist - will respect that and also disable non-cookie tracking like browser fingerprinting, so it's good in theory - however, this now exposes you to dishonest trackers who can abuse the fact you enabled cookies).
<p>The second point becomes even worse when some tracker's answer to opting out is to disable cookies, making it impossible to <i>completely</i> opt out on a site that uses both the kind of tracker that uses a cookie to opt out and the kind that relies on the user disabling cookies to opt out.
<p>Also, it has no consideration for tracking companies that defy the law and (possibly) get away with it. A tracking company can claim they respect privacy/opt-outs and thus a product that uses their solution becomes GDPR compliant, even in cases where the tracking company has been caught lying many times (Facebook) or its business model is at odds with privacy. I want to be able to say "I do not want <i>any</i> of my data or metadata shared with Facebook - I don't care if you think it's legitimate interest because they claim they won't use it for advertising" - at the moment I cannot do that.
<p>Finally, reporting non-compliance is <i>hard</i>.
In the UK, the ICO (the privacy regulator) requires that 1) you contact the company directly (and try to make them understand the problem, which is hard work - imagine throwing the points above at a typical customer support advisor) and after getting a final response from them (after a reasonable time, which I guess is <i>at least</i> a week) you have to 2) fill in a PDF form, provide evidence of your contact with the company and send all of that by email.
<p>That is a <i>huge</i> amount of effort. There should be a button in my browser or a simple form on the ICO's website where I can provide the URL of the offending page and be done with it.