> GDPR was supposed to regulate this and it is clearly failing to do so
How do you know? The fact that there's still crime doesn't mean that law enforcement doesn't do anything. Somebody reports an alleged violation, an investigation is started, and maybe the investigation will produce that Google is in violation (in which case a fine will "regulate" Google's behavior) or they are not (in which case it may be fair to criticize GDPR for allowing that behavior, or it may not be because the info wasn't correct).
> almost every site uses Google analytics which doesn't really comply with do not track all too well, and Google will then share their data with everybody else
Unless you have specific info, I believe you're mistaken here. GA is generally seen to be compliant if anonymizeIp is active and you're not pushing PII into it via customization. Google is, if I understand it correctly, not "sharing" GA raw data with anyone, but analyzing the data for their own research and providing the website owners with aggregate data (i.e. demographic information) without sharing data on individuals. I'm not a fan of GA, but I haven't seen any info that they're that obviously in violation.
> It was a pain for us to become GDPR compliant because that disables our metrics entirely and requires a bunch of banners and checkboxes everywhere even though we literally store nothing.
What was the specific pain? I get that having to add a privacy info sucks (and might cost money if you get a customized version), but I never found it to be that big a deal. If you don't store any PII, it's pretty straight forward, and so will the procedures be if anybody asks about the data you stored: just inform them that your systems do not store any data in general and also didn't store any data on them in particular.
How do you know? The fact that there's still crime doesn't mean that law enforcement doesn't do anything. Somebody reports an alleged violation, an investigation is started, and maybe the investigation will produce that Google is in violation (in which case a fine will "regulate" Google's behavior) or they are not (in which case it may be fair to criticize GDPR for allowing that behavior, or it may not be because the info wasn't correct).
> almost every site uses Google analytics which doesn't really comply with do not track all too well, and Google will then share their data with everybody else
Unless you have specific info, I believe you're mistaken here. GA is generally seen to be compliant if anonymizeIp is active and you're not pushing PII into it via customization. Google is, if I understand it correctly, not "sharing" GA raw data with anyone, but analyzing the data for their own research and providing the website owners with aggregate data (i.e. demographic information) without sharing data on individuals. I'm not a fan of GA, but I haven't seen any info that they're that obviously in violation.
> It was a pain for us to become GDPR compliant because that disables our metrics entirely and requires a bunch of banners and checkboxes everywhere even though we literally store nothing.
What was the specific pain? I get that having to add a privacy info sucks (and might cost money if you get a customized version), but I never found it to be that big a deal. If you don't store any PII, it's pretty straight forward, and so will the procedures be if anybody asks about the data you stored: just inform them that your systems do not store any data in general and also didn't store any data on them in particular.