My bank phoned me last summer. I'd authenticated with my usual two factors but a new browser fingerprint, then transferred a large sum to a new recipient. The bank blocked the transfers I did that day, then phoned me to check whether I'd been phished, suffered a keylogger attack or something.
Even if this were the case - which I don't actually believe, but… - it would be straightforward for that law to also constrain these purposes and prevent data sharing with non-worthy operations. At present it's basically a free-for-all.
That is literally what GDPR is. Somehow it got reduced to cookie banners in HN psyche, but the whole idea of GDPR is to make sure that the data can be collected and used for well defined purposes that are either necessary to provide a service (preventing CC fraud would qualify), or are explicitly consented to.