Comment by yoz-y

It's not any particular section, rather the tone and the breadth. One easy answer to such a letter is "please read our privacy policy and come back when you have more specific questions". Your company's privacy policy should cover almost all of the "concerns" covered in this letter. Bad faith comes from the fact that a sender of such a letter has, quite obviously, done zero due diligence. The spirit of GDPR is not to fuck with everybody around, it is to force companies to be more responsible overall.

This is why those OATH and similar dialogs are so jarring, the correct implementation should be opt out by default without being bothered every time one visits a website.