It is ridiculous that data protection officials focus on CDNs, third party resources and cookies. And at the same time it is totally legal for Google to collect advertizing data from some random websites so they can create a profile that follows you around. All that sites have to do is to put up obnoxious cookie banners that nobody reads.
If they were really concerned about my privacy, they would ban creating cross-product profiles for advertizing purposes. I don't care at all that some CDN gets my IP, or that some website uses cookies to count users.
Also I don't care if somebody stores my data on Google Docs or Office365. If Google or MS go rouge and employees there so shenenigans with my data, we have bigger problems. They control the OS anyway. It makes more sense to regulate the "happy path" assuming they are law abiding, and just say you can't do targeted ads for European users.
But as a user in Europe, I still see plenty of personalized Google Ads. That's not Google Analytics, that is Doubleclick.
My point is that Google Analytics (or Matomo or whatever visitor statistics you are using) is outlawed, while it is apparently completely legal for Google Ads to include dozens of "fourth-party" javascript files and everybody keeps records of what pages you visit.
It's totally backwards. Embedding content (using a basic HTML feature, sending basically only the IP address) can get you in legal trouble. But if I visit a website about say, lawnmowers, then ads for lawnmowers follow me around for weeks, because the site owners sold every mouse movement on that site for a fraction of a cent to advertizers.
Law is a code that needs to be interpreted by society. This interpretation is done by judge rulings. There is a growing number of rulings that Google Analytics, and in fact any sending of customer PII to US-owned legal entities, is illegal.
Naturally, smaller companies won't be sued, right now. But the more time passes, the clearer it becomes that given the current GDPR and US laws, it's illegal.
Most cookie content popups and forms that you see are also flagrantly illegal under the GDPR.
The problem is that enforcement is rare and small scale compared to the overall scope of the problem. In both of these cases it's a day late and orders of magnitude short.
The Schrems II stuff is a situation where many of the politicians and the businesses really don't want to have to do anything and so they just kinda ignore the law until privacy advocates force their hand. So enforcement is effectively non-existent; the hope being that they can just run out the clock until some sort of legislation magically fixes the issue.
If they were really concerned about my privacy, they would ban creating cross-product profiles for advertizing purposes. I don't care at all that some CDN gets my IP, or that some website uses cookies to count users.
Also I don't care if somebody stores my data on Google Docs or Office365. If Google or MS go rouge and employees there so shenenigans with my data, we have bigger problems. They control the OS anyway. It makes more sense to regulate the "happy path" assuming they are law abiding, and just say you can't do targeted ads for European users.