The problem with this approach is if you run a large or small company or are a sole proprietorship or simply have a hobby site, you can't write off legitimate fears of heavy handed enforcement. No one wants to be the example.
In the former cases, if your company is how people are feeding and clothing their children, do you want to be the person who says "Oh well we tanked the company this year because weren't worried. Someone on the internet told us they'd be gentle! How could we have known they'd be serious about levying the maximum penalty!?"
If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
I'm on my company's GDPA compliance team and it is serious business. Our European footprint is small but not insignificant. If we were an unreasonable bunch, we'd just shut the whole thing down and move on. The very expensive very well versed German legal counsel we're paying to help us do this right completely disagrees with what many are saying here. We have no reason to not believe them as they have a lot of experience with the German laws the GDPR is based on. We're paying them far more than the fines we'd see because we believe in doing the right thing. Ergo, we must take the "hard" regulator view rather than your "kid glove" view. Our lawyer's underlying point in every discussion is that this is really really serious business and that they're not fooling around. Adding to that is a GDPR like law is likely to be implemented in Canada and other jurisdictions in the future. We must be ready for that as well.
I think GDPR is great for consumers. I think we'd actually be in a better/easier place if it were a requirement in the US since everyone would have to follow the same rules. The problem is that implementing it takes time and effort to do well at scale. To not loose your competitive edge against other large competitors that do not serve the EU and can operate under only US law. These are real concerns that have nothing to do with the regulators and whatever their whims are.
So even if you're right, these are the real costs. You're going to be held accountable to the people you let down if you put your company in peril. You're going to be held accountable if you loose marketshare because you got this wrong and an unencumbered competitor outmaneuvers you. And most of all, you simply cannot assume the best case, kid glove, approach is what is going to happen. THIS is what people are frustrated with.
I do hope that the EU is fair and equitable (which is my belief) but it would be irresponsible for me to act as if that is the only possibility.
As for this part of your comment:
> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
It's no big deal if you already had a user centric approach to privacy, if that's novel then you will probably have to change lots of procedures and some software too in order to get things right, even so I've seen far worse from a compliance point of view, look into fintech or healthcare compliance for examples.