When the GDPR was first becoming law/being talked about a lot, I recall there being a lot of posts from people in Europe explaining to us Americans one of the major differences between the European system of regulations and ours, which I will paraphrase to the best of my understanding:

When the EU sets a maximum fine level, that's there to give their courts discretion to drop the hammer on companies that have clearly been abusive. Expected practice there is more generally to lead with something that's more of a warning. Then, if they do it again, they can escalate toward the maximum.

The 32.3 billion figure there was the maximum possible fine for the combination of Microsoft, Google, and Amazon. Personally, I'm unclear on whether anyone besides IAB is currently being fined, but in either case, the point here appears to be to send the message "what you're doing isn't OK, clean it up now" rather than "all your revenue are belong to us".

For now.

That's pretty much it. Intent matters. A lot. Unless there's evidence suggesting they deliberately broke the law, the fine is going to be rather low.

If they keep doing it, they can't say they intended to follow the law, and they'll be punished more severely.

System is very broken if they can avoid liability with this.