The "compliance" is quite simple. Don't do this thing. Don't collect personal information without permission. Very, very simple.
If you do collect personal data, with permission, it's only slightly more complicated. Let the individuals control their data, including deletion. Don't do anything with it without permission. Again, not hard to understand.
The "morass" is for people who are gonna try anyway. "Well, what about if we bury the permission under exhausting legalese?" No, that's unlawful. "What if we collect it but obfuscate it?" Not without permission. Etc.
So, "compliance morass" is not an argument. It's an extremely simple law.