[donohoe]

After sitting in on more legal meetings than I care to recall, this isn't as weak as it sounds.

The big arguments you can make 'Well I need to collect lots of user data for ad targeting because it is a legitimate interest that I make money to support the costs of the site' have already been clarified (you can't without explicit consent).

The data authority in each EU country has some freedom to rule on this as necessary but they feedback from the EU is that they will err on the side of telling you to justify in string terms your need for data.

[cm2012]

The explicit consent being the pop-ups no one reads, I assume.

[matt4077]

No, actually. Even before GDPR, it was illegitimate to use a pre-checked checkbox, or any other process that required out-out from the user.

This requirement was generally respected–I actually don't remember a single instance of it not being followed by European organisations.