[zucan]

I can't find a section of GDPR requiring these individual toggles for each "partner". From my understanding a website owner could just as well list all partners and give the user the option to consent to processing by all partners (or none) - the agreement is between the website user and the website owner ("controller"), the controller and their partners have a completely separate agreement.

As far as pre-ticked boxes are concerned, they do not signify consent [0], effectively taking the legal base [1] for processing PII in many cases. It's a bit more ambiguous in the actual law: "It shall be as easy to withdraw as to give consent." [2] If consenting can be as easy as clicking the "I agree, have my soul" button, withdrawing consent must not require clicking through dozens of checkboxes and should be just as easy.

[0] Recital 31, Sentence 3: "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." https://gdpr-info.eu/recitals/no-32/

[1] Article 6 (1) "Processing shall be lawful only if [...]" https://gdpr-info.eu/art-6-gdpr/

[2] Article 7 (3) Sentence 4 https://gdpr-info.eu/art-7-gdpr/

[vorpalhex]

> I can't find a section of GDPR requiring these individual toggles for each "partner"

This isn't happening because websites are falling over themselves to comply with GDPR. This is the case because websites explicitly want to make opting out as difficult as possible. Somehow a large portion of web content creators have gone astray and confused locking users in a metaphorical room against their will with "consent".