I think one of the least wise things a person (or company) can do when faced with any law is to assume that it's "not complicated really."
Much, much wiser to assume "there be dragons" and only engage once qualified legal counsel has helped you understand what compliance means to you.
And along these lines... The second least wise thing to do in this scenario is listen to randos in a forum like this tell you, "but all you have to do to comply is..."
The problem with thinking like yours is that legislation like GDPR is _really_ made to be simple and straightforward, but since companies whose livelihood depends on them abusing your privacy will fight it tooth and claw, they will gladly make it look like it's more complicated and insurmountable than it really is. They will also devise ways to comply in ways that are most cumbersome for the end user and will readily blame GDPR for it.
To devise such a way to comply, they definitely need a large and expensive legal department.
The privacy abusers are much like trolls on the internet who, upon seeing a code of conduct (previously known as "rules") consisting of only "don't be a dick", will spawn endless arguments about what a "dick" is and how it is or is not an inappropriate word, what does it really mean to be one, or, indeed, to be, question the use of the indefinite article, and complain about "don't" being too assertive and arrogant.
> ...they will gladly make it look like it's more complicated and insurmountable than it really is
There are non-malicious explanations for the same pattern of behavior at large organizations - the motivation (malice or not-malice) that seems correct is a Rorschach test.
If I accidentally log IP addresses for EU users that opted out on some throw-away experimental page on my site, Brussels would never find out. If Google does it, it not only has to report the incident, but will most likely be fined. In order to avoid this outcome, they have internal review processes which make it "complicated and insurmountable", because how do you justify investing many hours of dozens of lawyers' and technical reviewers' time for a frivolous, niche AI demo?
Ok... Let's assume this is true (which I'll reiterate, that I contend assuming so is foolish). What happens when courts have interpretations of this "simple law?" Do the courts make an effort to keep things simple and in plain language? Or do lawyers and bureaucrats do what they can to drive unintuitive interpretations, but favorable to their cause, of otherwise plain language? Are European laws such as this subject to the interpretive lens of case law? If so, the best intentions of legislators may only be secondary relative to the actual rulings and unintended consequence of their laws. The problem with thinking like yours is that it dismisses all of this messy reality in favor of maintaining the idealism that might have motivated public support of the law.
Those that have to follow those laws need to care about the mess.
You should probably do some trivial research. No, there is no case law in most of Europe, for sure in none of the EU.
Second that. GDPR actually made those aspects clear and never caused a headache during implementations I've seen or participated in (more like a checkbox on a list). When I see any complaints, then it's clear some iffy user sniffing is happening.