The spyware is outlawed, and so is coercing users into "agreeing" with it.
The problem is that neither restriction is adequately punished to deter the behavior; as of right now, you're better off profiting off spyware because even if you get caught (which is a very big if), the penalty is merely to ask you to stop doing so (and future compliance isn't monitored, so you can get back to your usual shenanigans once the dust settles).
From a GDPR perspective, it doesn't matter whether you don't ask for consent or coerce users into it - both are outlawed, however, because of lax enforcement, an industry of snake oil has developed to sell companies non-compliant solutions (because actual compliance would put them out of business), along with spreading falsehoods and misinformation to promote said business which is blatantly visible on this very thread.
If you truly want to comply with the GDPR, the answer is to rethink your business model and fire a lot of people. But since it's uncomfortable, everyone would rather pretend they comply by paying for an expensive, not-actually-compliant "consent management platform" and otherwise continuing as usual.
The spyware is outlawed, and so is coercing users into "agreeing" with it.
The problem is that neither restriction is adequately punished to deter the behavior; as of right now, you're better off profiting off spyware because even if you get caught (which is a very big if), the penalty is merely to ask you to stop doing so (and future compliance isn't monitored, so you can get back to your usual shenanigans once the dust settles).
From a GDPR perspective, it doesn't matter whether you don't ask for consent or coerce users into it - both are outlawed, however, because of lax enforcement, an industry of snake oil has developed to sell companies non-compliant solutions (because actual compliance would put them out of business), along with spreading falsehoods and misinformation to promote said business which is blatantly visible on this very thread.
If you truly want to comply with the GDPR, the answer is to rethink your business model and fire a lot of people. But since it's uncomfortable, everyone would rather pretend they comply by paying for an expensive, not-actually-compliant "consent management platform" and otherwise continuing as usual.