I’ve been hearing this since 1997 when the first Data Protection directive happened. The enforcement never happens unless it’s serving a political goal, such as singling out a Chinese company or whatever.
GDPR is the result of many lessons learned in prior attempts. The EU Commission put particular attention on not repeating the mistakes being made in the Cookies directive, which rendered it essentially useless and only annoying.
Fines are to be handed out by the national data protection agencies. In Germany, the data protection agency regularly goes after violators since the 1990s. They audit German administrations and companies with respect to data protection, and request changes where necessary. See here for yearly reports of one of the state agencies: https://lfd.niedersachsen.de/startseite/allgemein/taetigkeit....
So at least for Germany there is no foundation for your claim.
I have to concede that German regulators have set the pace, but the penalties are still negligible on the global or even regional scale. If every member state went in with as much conviction as Germany, we might see some results after two decades of mostly-empty promises.
It’s rather obvious it learned nothing. After seeing cookies banners, it was entirely evident and predictable that GDPR will result in more aggressive banners.
There's one important caveat you're missing: the vast majority of these cookie banners are illegal under GDPR. So yes, it's rather obvious the EU learned a lot.
The law forbids dark patterns, coercing into accepting, delegating opt-outs to third party sites, and requiring collection of more data than is strictly necessary to operate the site.
