Most EU data privacy provisions, which are not optional, are satisfied if:
1. You tell the right people what data you are collecting and why
2. You don't collect other data or use the data for other purposes
3. You don't share the data except for the stated purposes.
4. You give people access to data about them.
5, You do not transmit the data to anywhere without similar legislation.
Note that 5 means transmitting non-anonymous data to the US is usually illegal. There are also exceptions for outfits like the police and spies. So if commercial spyware properly registers the data in question, and does not send to places like the US, then legal problems are improbable.
The current legislation does not make it illegal to collect personal data for marketing purposes provided you register it properly.