I’d argue that that’s a little too kind on the people making these decisions. The default was to give no thought whatsoever to what they were collecting and how they used it, but to read a BBC headline and tell us to stick a cookie notice on their site. And it was hard to push back against that, because doing it properly required at least some thought that they didn’t want to do or pay us to do.
I don’t think that you don’t need to know the ins and outs of data privacy legislation if you actually have a respect for your users’ privacy. Because if you have that then you’ll probably find that you’re well within its boundaries just by designing something that you wouldn’t be uncomfortable with.
In my opinion, the GDPR is impressively ambitious and well thought out considering the number of stakeholders it had to get past. Cookies were directly regulated by PECR (which long preceded the GDPR), but for some reason most people paid no attention to the issue until the GDPR came in. But yes, when it comes to cookies, PECR has led to a lot of terrible implementations that help nobody, and enforcement is nonexistent.
The proposed update to PECR is aiming to improve that though. ^^