It became painfully obvious over time that the people who drafted the legislation did not think through either the ways malicious compliance could work against their goals or the incentives of all actors in this story.
I think the possible forms of malicious compliance were considered, and are explicitly forbidden by the GDPR. The GDPR requires that consent be freely given, and be as easy to withdraw as to provide. The various end-runs around that requirement, such as redirects on rejected consent, click-through to privacy policy, click-through to a list of 3rd parties, and so on, are all violations of the GDPR.
They aren't a form of malicious compliance at all, because they aren't compliant at all.
Naively, I'd expect a lot more enforcement action if so many sites were non-compliant. Did the EU create a policy it couldn't enforce, and that's the larger issue here?
From the gradual ramp-up of enforcement, my optimistic view is that they are closing out the deliberate "misunderstandings", establishing precedent for each one. I really should start collecting links as they come out, as they're a pain to track down later, but they've established things like "Targeted advertising is not a legitimate interest for the purpose of Act 6, and requires consent."