That's possible but would be completely and highly illegal, the EU regularly fines companies violating GDPR, and those fines are not trivial at all, they can be quite hefty.
I was talking about the reality of the US, but even if I was talking about Europe: how does the GDPR even enter this equation here? I was never asked for consent to have my face recorded when I get into a shop in Germany. Were you?
Its not. Especially when using US Cloud services. And people do that. Hell even government run schools us GDRP-violating software and force the students to BUY them. The law is nice, the reality is different...
Or, I should say, things are enforced after the fact, through the possibility of criminal charges or civil lawsuits. Enforcement doesn't mean that crime is made impossible, just that there is enough deterrent.
The big companies are still mining user data, they are just forced to use some extra dark patterns to trick people into compliance. Would-be criminals are not going to stop being criminals because of the threat of fines. And TLAs are not going to wait for due process to acquire access to data legally.
All that GDPR does is give the illusion that people are being protected and CYA for politicians and bureaucrats when asked "what are you doing about evil Zuckerberg?"
You're veering way off-course here. This started from "I was never asked for consent to have my face recorded when I get into a shop in Germany. Were you?", to which I replied that those recordings are radioactive and nobody's allowed to do anything with them except for intelligence agencies. We're not talking about generic web tracking and dark patterns.