Re: Google: Do No Evil
This actually seems to be the norm, even for (relatively) small companies. We're conducting research into privacy notice standards, and so far the results are extremely depressing.
Practically speaking, it's impossible for a data subject to raise an objection based on the information in a typical "privacy policy" and a high percentage require the data subject to "agree" to them, thereby superimposing an unlawful version of "consent" on top of all other lawful bases for processing declared. However, at least in the UK, the regulator doesn't seem particularly concerned. Indeed, when last examined the ICO specimen privacy notice for small businesses itself had some of the faults we've identified.
Two key points seem to have been missed by all and sundry:
[1] the GDPR is not data law - it's human rights law
[2] a privacy notice is not a contract with the data subject - it's a statutory unilateral and binding undertaking by the data controller to the data subject