[U1F984]

Yeah, it's a requirement by law, tracking must be disabled unless explicitly allowed. Accepting all must be as easy as denying. However a lot of sites offer an easy one-click accept all and the deny all is behind a two step "configure" + "confirm selection", sometimes even with a fake save timer.

[NelsonMinar]

Thanks! I looked for info on this and failed; is there some reference I can share with people about how this part of the law works? Maybe it's not completely obvious, apparently Google had failed to comply with it.

[matsemann]

Gdpr article 7 says it should be as easy to withdraw consent as to give it.

The rules are pretty straightforward, really, it's just Google banking on the fines for not doing it correctly would be less than the profit made.

[NelsonMinar]

Article 7 is pretty non-specific and does not discuss defaults. Recital 32, however, is quite specific and gives me the answer I was looking for https://gdpr.eu/recital-32-conditions-for-consent/

"Consent should be given by a clear affirmative act ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."