I'm not sure but for a while WeChat (the app) would not let you login if you did not give it location permissions. I think they've changed that but they still unscrupulously scan your Wi-Fi networks from time to time.

I haven't yet seen a website do that, but they conceivably could.

Lots of media presences that either clearly didn't get the memo on "how to implement GDPR correctly" or who still are determined on selling out their users, for one.

Technically speaking, at least in German jurisdiction the way to completely be in compliance with GDPR is to not even load a single library or other asset from any third party servers (the point being that the third party receives the datum of the user's visit timestamp, their IP address, and the referrer) without the user's explicit consent. Anything else opens you up for issues.

I don't personally believe anyone needs to actually implement GDPR unless they have a company registered in the EU.

I do believe in privacy and the general intent of GDPR, but EU laws shouldn't take effect outside their jurisdiction any more than Iranian laws or Chinese laws.