You know, that's not the sentiment I've been experiencing in the industry. There's certainly some uncertainty and risk-taking on the margins, e.g. what exactly constitutes "fair use", how do design user consent flows, and so on. But it's broadly accepted that you can't do anything with personal data without user consent, and I've found companies to be very careful in that regard.
Recently, Meta was fined $400MM for forcing users to consent to targeted advertising [0]. Note how Meta was careful to get consent (even if the way they did it was illegitimate). Sure, $400MM may not be a lot for a company that size, but I genuinely believe that the fines would be an order of magnitude higher if a company intentionally decided to do something with personal data without consent. GDPR fines may reach up to 4% of worldwide revenue, plus likely any proceeds from the illegitimate venture.
Recently, Meta was fined $400MM for forcing users to consent to targeted advertising [0]. Note how Meta was careful to get consent (even if the way they did it was illegitimate). Sure, $400MM may not be a lot for a company that size, but I genuinely believe that the fines would be an order of magnitude higher if a company intentionally decided to do something with personal data without consent. GDPR fines may reach up to 4% of worldwide revenue, plus likely any proceeds from the illegitimate venture.
[0] https://www.cnbc.com/2023/01/04/meta-fined-more-than-400-mil...