A year and a half after GDPR became enforceable, it might seem to the average user that not much has changed, and indeed, many companies just considered it as "just another consent to click by".

If there was any doubt, the grace period is over, and good faith, best intentions and collaboration with authorities just won’t cut it anymore.

As the author notes, maybe the most interesting part of this decision is that the DPA (Data Protection Authority) acted from its own initiative, without any specific complain raised by a data subject.

Now this might take some time to travel East and West outside of Europe, but legal precedents are coming. Privacy is by design, not conditional.