I am not convinced that GDPR will ever really be enforced. Severe breaches have mostly been ignored so far and the minor dark patterns that dominate GDPR compliance popups and wrong defaults are going to be the tail end of compliance enforcement. Just like cookie laws before it GDPR will probably just make websites annoying with obnoxious implementations and remain largely unenforced until the EU does something else to try and fix this class of data problems and the cycle will continue.
One really incredibly annoying trick that I see more and more is when they pre-check only the "mandatory cookies" option, but then when you want to confirm this selection you end up allowing all tracking cookies. It's because they make the confirmation button less prominent, and something that looks more like the typical confirm button is actually "allow all cookies". I guess a lot of people just click on it automatically.
There are a lot of dark patterns. The most common stuff I am seeing (and its basically everwhere) are:
1) Accept being brightly coloured and decline as white so its less prominent.
2) Having accept all be a simple thing but decline being a more information that requires turn lots of individual things off.
3) Requiring the decline to be individual across hundreds of individual cookies.
4) Clicking accept all is stored and used forever but decline is asked everytime you come back to the website.
5) Having the decline process take minutes to complete as if significant processing is required.
6) Having the default be acceptance.
I think breaches of GDPR are the normal, 95% of the websites I see these popups on is breaking the law in some way or another and at this point have been doing so for years.
