Actually, they're supposed to be opt-in. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." [0]. I worked extensively on one of the big ad-network's GDPR compliance pub & advertiser tools and we took this seriously. If you blocked the message & you were detected to be in the EEA, that was "no consent" for data use. That said, I know many of the other players in the ecosystem actively overlooked or did not abide by this policy.
Shoot, you are correct, and I misspoke. I meant to imply that the default must be assumed to be rejecting all tracking, and that all tracking applied must be explicitly accepted.
What's a shame is that most companies hide behind the claim that if users block IP tracking, since they "can't" get geo without IP, you're opt-in by default. They don't make the best effort attempt to, using the data they have, determine opt-in/out default behavior. The regulators seem OK with that argument. So your point sort of stands (and I wish it didn't)
But is that the case in practice? It's my experience that there are countless media outlets showing me popups that have the tracking options activated by default.
Most companies hide behind the claim that if users block IP tracking, since they "can't" get geo without IP, it's opt-out. Oath in particular will use any excuse to opt-in by default, but so will most news sites. Regulators seem OK with that.
It is, and few care. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." [0] Problem is that the authorities are too underfunded and understaffed to actually handle this, and the wording in the regulation is vague enough that big company lawyers have hemmed them in. I've seen it happen.