I think you'll find legislators are less worried about something being "mathematically proven to protect privacy robustly", and more worried about just collecting money from someone publicly perceived as evil.
If they cared about actual privacy, they would go after no-name ad networks and data mining companies.
Do you have information showing that the FTC's ruling was unjust?
As far as the companies they go after, I think going after large brand-name ad networks and data mining companies like Google is at least as important as going after the no-name ones.
And why not start with the source? Google and Facebook sell your data to the ad networks, maybe Google and Facebook receive more complaints against them than some unknown ad networks that we did not know even existed before GDPR forced the sites to disclose them.
Could you provide some source about Google selling your data to ad networks? Because Google explicitly says that they don’t do that and none of the fines received by Google is for selling your data. I’m curious to read about this.
Personally, whether or not Google actually sells raw data isn't that important to me. My objection is that they (and all other companies that do this) collect the data in the first place.