The website accept button is not in the GDPR. [EDIT: it's a different law]
GDPR covers way more requirements regarding data management. You need complete control over the lifecycle of sensitive data, exhaustive documentation of data transformations, you have concrete obligations regarding disclosure of incidents, data removal, limitations of for what data is used, user consent management, and the obligation to have people personally liable (which is big, just look at AML regulations to see the effect when not only the fuzzy concept of "the company" is liable).
Yeah, that's what I was thinking - people are mixing up GDPR with the "cookies law" that mandated the [Accept All]/[Maze of Settings] choice on all websites that want to use cookies. The cookies mess was pre-GDPR.
It does not matter since it is a consequence of the GDPR anyway. Regulators can't just push aside negative consequences of their regulations by simply saying "that's not what we meant nor the outcome we wanted". This is why regulations fail. Regulators think they are providing incentives for good things and disincentives for bad things. In reality, they are just perverting incentives. To fix those problems more rules are added, and the cycle goes on. Pretty soon you have a foot high stack of regulations that small business owners can't afford to consider or follow so they just don't exist at some point.
Sorry for not being clear: my point was not "the law does not explicitly ask for the button, that's just a misapplication" but more something like "the button thing is another completely different law, GDPR has way more topics and thus when you say 'I love the ignorance of people over here thinking that GDPR is nothing more than just that accept button' I disagree wholeheartedly".
GDPR covers way more requirements regarding data management. You need complete control over the lifecycle of sensitive data, exhaustive documentation of data transformations, you have concrete obligations regarding disclosure of incidents, data removal, limitations of for what data is used, user consent management, and the obligation to have people personally liable (which is big, just look at AML regulations to see the effect when not only the fuzzy concept of "the company" is liable).