[reificator]

Yes opt in is obviously better for the end user[0], but don't let perfect be the enemy of good here. We don't have opt out yet.

[0]: Until opt in becomes mandatory for use of critical services like having a bank account or paying your power bill.

[mikekchar]

GDPR also has a concept of "objection". Even if you opt in, you can later "object" which will allow you to remove your consent. Although, in general, I really like GDPR, we've actually had a bit of a problem with this because it's quite unclear what you should do if someone opts in, then objects and then opts in again. For example, we have an opt in for us contacting the customer by email (which we do for marketing purposes). The customer can easily "object" and we'll remove them from the list. However, people frequently want to resubscribe. They thought they didn't want the marketing information and later changed their minds. It's not clear to us if it's legal for us to resubscribe them. I've actually thought that it's better for us to offer a separate service for marketing and get people to subscribe to that service under contract basis just to avoid this problem. That way they can terminate the contract and if they want to resubscribe, it's a new contract. I'm rambling here, but one of the things that really surprised me is that we have this horrible popup asking users to subscribe to our newsletter. I always opposed it because it's super annoying. However we were looking at analytics and it appears that a very large proportion of our customer base only go to the website to sign up to the newsletter (we're unusual in that most of our business comes through our call centre). So the newsletter really is a service that our customers want... It's a weird world ;-)