Well, we'd probably agree on most things... and re the photography example, afaik model release forms work similarly in the EU and US, right?

Now website code does typically run on your device, but I'd say that once you're a paid logged in user you clearly accepted to run it, under the conditions of it staying in its browser sandbox so... if you think it's "malware" then just stop being a customer. Otherwise software has a right to monitor its own operation.

...but yeah, maybe I missed the context a bit, a tracking pixel style tool will likely be used to track not customers but leads, so I do get your point, it gets trickier there and maybe privacy laws have a point there (as long as they stop there... hint: they usually don't!)

> under the conditions of it staying in its browser sandbox so

I consider fingerprinting my browser, by running programs and measuring the timings and characteristics of the browser to be a side-channel attack on the browser sandbox.

> Otherwise software has a right to monitor its own operation.

If websites would only "monitor its own operation", we would hardly have any discussion.

> if you think it's "malware" then just stop being a customer.

Easier said than done, when >90% of websites do this. Show me a mainstream corporations website, that work without Javascript. You can hardly pay for a train ticket and make an appointment to government services, without these crap.

Also there must be some rules what software vendors are allowed to do, since the average user can hardly reverse-engineer all the websites they (need to) visit. This is what regulations like GDPR try to enforce.

> and re the photography example, afaik model release forms work similarly in the EU and US, right?

It's not about contracting a model, it's about doing a random photoshot in public. People have the right to their own picture here, irregardless of who takes that picture and who posses it.