That's a false dichotomy - clearly there's more options than these two. There's definitely a better way to address this issue.
On the other hand, between those two, it arguably is worse, because we now live in worst of both worlds - we still get a ton of stalking but we now have those cookie banners on top of that.
I can block coockies using simple addons, which is WAY lower effort than clicking through a deliberate dark-pattern that is different on EVERY website (or using complex addons with lookup tables for every website).
It's not about cookies specifically, they're just one of the many ways you can be tracked.
You can't realistically block fingerprinting without serious effort, and you can't block your IP without using a VPN (which causes a bunch of other problems with sites not serving you).
the behaviour was already bad (sharing your personal information with 1000s of “trusted partners”), companies just want to keep doing it even if it inconveniences their users.
The correct analogy would be California’s toxic substance regulations.
They’re vaguely worded and enforcement is applied randomly based on whatever company is getting bad press at the time. So virtually everything sold in California carries a sticker saying essentially that “this product may cause birth defects.”
Even companies selling products that don’t contain any of these chemicals do so, out of fear of the asymmetric power wielded by the state.
Do a majority of train passengers jump the ticket barriers because they are afraid they might get fined billions of euros if they don’t?
The laws necessitating cookie banners came into effect long before GDPR. That would be the 2002 EU ePrivacy Directive. The GDPR (2018) concerns the handling and storing of personal information, the mandatory disclosure of how this is done, and the mandatory right users to ask what data is being stored and deleting that data. There aren't any cookie banners in native apps. But they still need to comply with GDPR. And you can get into trouble for mishandling privacy sensitive information.
That law has been pretty successful to the point where there have been debates in the US about adopting similar laws.
The common US media company interpretation to declare their websites an abusive UX disaster zone and put their contempt and complete disregard for their main product (users) on full display is entirely on them and their sleazy lawyers trying to find ways where they can still do their sleazy business. This is made worse by incompetent web designers deciding that this is apparently "the way things should be done" without questioning that. Most cookie banners are just the result of their (mis)interpretation of the law, lazy copying of some shitty website they once saw, and the perceived need to provide lots of legal ass coverage for what under GDPR is flat out just not allowed at all.
Worse, the jury is actually still out on whether the highly misleading language, dark patterns, etc. are actually not illegal in themselves. They might very well be. Lots of companies got some really bad advice regarding GDPR. And some EU companies have actually been fined for doing it wrong.
