The GDPR is broadly considered the global standard, but even it is really soft when it comes to the definition of legitimate use cases for data processing. So-called legitimate use cases can entirely bypass consent.
The problem is that these legit cases are evaluated and argued by people who don't understand better alternatives than the status quo.
We could do a lot better.