by dogma1138 2940 days ago
The plan is to use the big service providers à la Amazon, Google, MSFT, PayPal etc. to enforce GDPR compliance in the long run; how well it will work in the long run is another question.

That said, consent is not required under the GDPR; it’s only one of the lawful bases for collection and processing.

A business interest or a contract are also valid reasons. What they do need to provide is a policy that states what they collect, for what purpose, and what the lawful basis for it is, and that has to be done for each purpose, e.g. marketing, billing etc., invisibly.

As far as opt out goes, opt out only plays a role if you use consent as your lawful basis; other bases do not implicitly require opt out. Other allowances such as stop processing and right to be forgotten still have to be available unless there is a lawful basis to override them, for example maintaining security logs or complying with local data retention laws.

You, however, need to be able to prove that you act in the best interest of the people, and that is important since it’s not necessarily in the best interests of an individual. For example, you can justify retention of user data if users would have an expectation to be able to use it to make a criminal or civil complaint, e.g. UBER, dating sites, AirBnB and the like can use the public’s safety as a reason to deny certain implicit rights like the right to be forgotten.

This however can be mediated through the DPAs and the courts system in the EU.