[TheCoelacanth]

It is well established that checking the box by default results in much, much higher conversion rates than leaving it unchecked. That clearly indicates that people are not really making a decision to consent when they leave it checked. That is exactly why the practice was disallowed by GDPR.

[Silhouette]

Maybe so, but that was still standard practice. If there was nothing deceptive or misleading about how the choice was presented, and if it genuinely was a choice that someone could easily turn off if that was their preference, I think it's quite a stretch to attach labels like "dark pattern" or claim that organisations weren't "following the spirit of the law".

There are going to be organisations wasting time and money on reconfirmation exercises for mailing lists they've been building up for a long time because despite using double opt-ins, only sending relevant messages to people who genuinely want to receive them, and providing readily accessible options to opt out again, they didn't record exactly what the wording said on their web site on 13 April 2008 when someone signed up to that list.

Clearly the GDPR sets out different requirements now, but my original comment stands: things are changing, and this is going to introduce significant burdens even on a lot of organisations that were following reasonable and honest practices when they collected personal data before.