Textbook illegal, but major high-street global brand names do this, and there's no easy way to make them stop - regulators just can't move quickly enough or show enough teeth. We would need thousands of convictions per day to even scratch the surface - I'd estimate at least 9 in 10 sites I visit breaks the law in one way or another around their cookies and consent prompt.
Perhaps we need a way to commercialise and earn revenue from identifying the sites breaking the laws as you describe? The law demands "opt in" for Europe, yet everyone tries to skirt this and use dark patterns like forgetting the cookie settings of anyone who dares not accept everything. Many of these dark pattern techniques are actually illegal.
If you could commercialise each of these findings, we would have everyone compliant in a matter of weeks. SEC style whistleblower model (albeit on a smaller scale)?