Like mentioned by sibling comments, GDPR explicitly does not allow this. It's just the fact that enforcement is spotty and complicated by the fact that the responsibility is shared across all EU member states with limitations what each country can do by itself, with some countries' data protection authorities intentionally dragging their feet to protect multinationals.
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.