What I think is a big problem this stuff about requiring consent. This is a big issue at the moment for website owners and app developers who have on line advertising from vendors such as Google (Admob/Adsense) and use e.g. Google Analytics for development support. These guys do not record individual user details and have no interest in doing so.
Specifically for such people there is an issue where personalised advertising (according to to Google and others) needs an opt in, fine but for app developers and web site owners they don't have any user details other that maybe ip address so if they put up a pop-up and record consent how do they know who the user is if they don’t have any other users info.
This is leading to absurd discussions re for example Google Analytics used by millions of websites and apps. There is something called client id which GA uses to identify unique "users” or website visitors. Now apparently as it is unique this is personal data so should require consent according to some experts I have read. But as it anonymous how can it be identified who it “is”. If a user demands to know what data a website/app has and mentions the client id info well who knows for sure what any client id represents in the real world ?
More to the point what is the likely legal/financial consequence if a user claims that the website id did not ask for consent for this client id to be recorded (how would they be able to prove which one it was that was theirs anyway) ?
Would they be able to sue ? I presume not. So is the IC going to be interested in this apparent breach ? And if the developer/website owner had a data breach where they GA account was compromised would they have to inform all the Client ID individuals ? Again obviously not but you see how these discussions are going !