On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Anytime a user profile is edited for any reason, even just an automated removal of whitespace, is supposed to be auditable and made notifiable to the user. Anytime you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.