Along with the dark patterns of “confirm my choices”, where my “choices” are an endless list of checkboxes hidden under expandable sections of complete gibberish.
Those dark patterns are not GDPR-compliant. GDPR says, "it should be as easy to say yes as it is to say no" and on top of that, those huge lists do not present informed consent.
I think the preamble to the legislation sort of goes over it. I remember a section talking about marketing and it seemed to imply that businesses have a legitimate interest to market their own products to their own customers.
For example, a Dutch company might look at address data and see that they get a lot of orders online to ship to Germany and they can use that to open a store there. Obviously the business is interested in selling to its consumers effectively and obviously those consumers are interested in those products. When they start selling that information to other people, it isn't really legitimate anymore.
Until I read that, I held the belief that GDPR was really pretty clear and easy to implement. But reading that, it seems to me that the ICO doesn't really have a clue how you're supposed to distinguish a legitimate interest from an illegitimate one.
Perhaps the "legitimate interest" base needs to be deleted. It looks like a deliberate loophole.