Re: Reminds me of PCI Compliance
Totally unfit for purpose, totally unenforceable, total bollocks.
I'm going to have to disagree with you there, chap. In fact I'd go so far as to say you're talking out of your arse.
The rules are easily enforceable and have hefty penalties attached, especially for wilful breaches. The reason the rules may seem vague (and from your comments I'm assuming you haven't read any of the ICO recommendations for instance) is that they're legislating for an outcome and not against a specific business model, which is the most sensible way of framing legislation, especially in an area as broad as data protection.
The reason you won't find anything in the recommendations or legislation that specifically matches your use-case is because you're expected to do that work yourself. If you feel you need to hold data about a person the onus is on you to work out how to do so within what's legally permissible. I see that as a benefit and it avoids the whole stupidity of the EU cookie legislation which failed miserably because it didn't think far enough ahead to how people would implement it. GDPR is a lot more robust than that.
And it's not about "double opt-in mailing lists", it's about giving people control over how and where their data is stored, for what purposes and who can gain access to it. And also (and this is the part I particularly like), a company can't refuse service to someone if they won't share their data. That part is what's going to make it harder for Facebook et al to keep the data hoover turned on. They can create whatever "privacy tools" they like but the simple fact that they can't opt people in to data sharing should cause them a massive headache. Think of it like this: Day 1 of GDPR, Facebook has to untick all the privacy and data-sharing boxes for all users in the EU. Most people (even if due to inertia alone) won't be bothered to go in and opt themselves in to all that shite, so the boxes will remain unticked. And Facebook can't refuse them access to their account if they don't opt in. They can only refuse a service without data-sharing if that data-sharing is essential to the service functioning.
Now plenty of companies may think they can just get away with carrying on as before, but that just leaves them open to being hit with fines that should be a worry to any organisation, no matter how large or small.
To use the cookie situation as an example, currently the rules are utter bollocks. You just get told they're using cookies and have to accept it or not use the site (or block them with varying degrees of success and lost functionality). Under GDPR they'll have to ask, you'll have to opt in (pre-ticked boxes and opt-out boxes are outlawed), and if you don't you'll still get to use the site anyway.
I see it as a massive step in the right direction. It won't be perfect but will be so much better than the current rules. And it should also help to reduce all the bullshit ad-targeting that goes on, and those shitty Facebook buttons that track everyone across every site they visit.
So you asked for some counter-examples, and I hope the above gives you something to think about.