[SpicyLemonZest]

> A compliant consent form should make the "decline" option as prominent as the "accept" one - the vast majority of services currently don't comply (including big names like Google or Facebook) and entire businesses such as TrustArc have been built on providing non-compliant consent forms as a service.

Nothing in the text of the GDPR, nor of any regulatory guidance that I've seen, suggests that the "decline" option has any particular UI requirements beyond merely being present. Again, while I don't want to claim that this or any other regulatory process is perfect, I think the primary reason people in privacy circles find it so frustrating is that they keep trying to enforce things that aren't actually GDPR requirements.

[Nextgrid]

The following is from the ICO, which I don't think has any reason to interpret the guidelines any stronger than what they have to, since they aren't willing to enforce any of it anyway:

https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

> Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.

> Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

> Make it easy for people to withdraw consent and tell them how.

https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> What is an unambiguous indication (by statement or clear affirmative action)?

> It must be obvious that the individual has consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent. [emphasis mine]

At this point you could already argue that unless the decline option is as prominent (if not more) than the accept option then the user didn't actually intend to consent and just couldn't figure out how to decline.

> Consent should be given by a clear affirmative act [...] Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

> The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent. [emphasis mine]

Seems like that's cut and clear.

[SpicyLemonZest]

What I would call "cut and clear" would be a specific description of how prominent the decline button must be. "Inertia, inattention, or default bias" is a very nonspecific phrase, and even if it does include UI, it's not obvious why the implied standard would be "as prominent" rather than, say, 50% as prominent.

Don't get me wrong, I'd really like companies to design this way on principles of general user friendliness, but I don't see much evidence that anyone involved in creating the GDPR intended to require it.