by rocci5 2940 days ago
How do you think they'll try to regulate a non-EU company?

"Hey American incorporated company, we fine you EUR 150,000"

"K"

How would it be enforced?

3 comments

It can be enforced in multiple ways. For instance, by going after the European ad business. Or, just yesterday, a ruling of the European Court of Justice was published stating that Europeans who run a "Facebook Page" take some of the responsibility: http://curia.europa.eu/juris/document/document.jsf?text=&doc... (this is not about GDPR, but older rights, but it shows how European organizations can go after US corps)

The plan is to use the big service providers à la Amazon, Google, MSFT, PayPal etc. to enforce GDPR compliance in the long run; how well it will work in the long run is another question.

That said, consent is not required under the GDPR; it’s only one of the lawful bases for collection and processing.

A business interest or a contract are also valid reasons. What they do need to provide is a policy that states what they collect, for what purpose, and what the lawful basis for it is, and that has to be done for each purpose (e.g. marketing, billing, etc.) individually.

As far as opt-out goes, opt-out only plays a role if you use consent as your lawful basis; other bases do not implicitly require opt-out. Other allowances such as stop processing and right to be forgotten still have to be available unless there is a lawful basis to override them, for example maintaining security logs or complying with local data retention laws.

You, however, need to be able to prove that you act in the best interest of the people, and that is important since it’s not necessarily in the best interests of an individual. For example, you can justify retention of user data if users would have an expectation to be able to use it to make a criminal or civil complaint, e.g. UBER, dating sites, AirBnB and the like can use the public’s safety as a reason to deny certain implicit rights like the right to be forgotten.

This, however, can be mediated through the DPAs and the court system in the EU.

Do you think it should be enforced in this case? EU citizens can purchase services from companies that are present in the EU if they want to be covered by EU laws.