GDPR covers more than cookies though. It covers different usages of the same data even, so it's not simply a matter of providing/not providing the data. For example, an e-commerce site needs your address to deliver your package (legitimate interest, no consent required), but if they want to send spam to it or resell that data to a data broker they still need to ask for consent first.
fair, but then don't ask me when the page loads. ask me when I fill out the order, and even better, put GDPR: <question>
asking up-front allows them the anti-pattern of giving me 40+ choices of what to opt-in or out of, and it allows the anti-pattern of using confusing language to confuse people (uncheck the box to revoke the widthrawal of refusal to copying your PI)
Doing it properly requires actually complying with the GDPR - deferring non-essential data processing until consent has been given, storing that consent status somewhere, etc.
Or, you can just do the fake-compliance approach by slapping the same cookie banner everyone else uses and call it a day.
> it allows the anti-pattern of using confusing language to confuse people
FYI, that is not compliant either, but again, we've already established 90% of the players out there don't bother with real compliance and just do what everyone else does - and it works, because enforcement doesn't really exist anyway.
