Comment by AnthonyMouse

2 days ago

Malicious compliance is a result of incompetent drafting. It's common because incompetent drafting is common; case in point: GDPR. It's definitely possible to screw it up less than that -- there are many laws that nobody complains about.

You pass a law prohibiting any entity from conditioning the use of their service on the user providing them with a phone number. Even services that actually use SMS or voice calls are required to provide an alternative like email or the web with no reduction in functionality and for no additional cost.

You pass a law stating that any device which is sold or leased to anyone who takes physical possession of it cannot contain a private key the customer is unable to both read and extricate at no cost.

What does malicious compliance look like there? Anyone can give them an email instead of a phone number and if that doesn't work they're in violation. Remote attestation is the only reason for devices to come from the factory containing an inaccessible private key, which is thereby prohibited and unable to be used as a tracking ID.