"GDPR has done bugger all to end spying..."
No law works unless it is complied with. Although it's arguably not perfect, the GDPR per se is not the problem. The problem is non-compliance. The Regulation is not policed, so most organisations effectively ignore it after making some token gestures such as publishing an incomprehensible "privacy policy", and the regulators are only interested in "big cases" and data breaches, so the groundswell of abuse across the entire web (and in the offline sphere) goes unchallenged. It thus becomes habitually accepted as a norm, making it even harder to challenge.