by ChrisSD 2426 days ago
Even with tracking you merely need a privacy policy in a place users can find. It's considered implied consent to continue using a site if the site makes a reasonable effort to make you aware that such a policy exists.

However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after a while (i.e. no need to click "ok"). But other governments may view it differently so I can understand some large organisations being cautious.

1 comments

No such thing as implied consent in GDPR.

Here are the conditions for consent: https://gdpr-info.eu/art-7-gdpr/

Most sites don't adhere to that at all as there's pretty much no way to "not agree", which means they cannot rely on consent as a legal basis for processing PII.

I feel it's important to note that, although implied consent doesn't mean anything in a GDPR context, consent isn't necessarily required at all. It's only one of 6 different justifications a business can use to show their activities are legitimate: https://gdpr-info.eu/art-6-gdpr/
And they all have their own stipulations. Contract requires that the data is needed to perform your part of the contract; legitimate interests requires documentation proving you do need the data and weighed the risks to users.