The key part is that it's defined based on the intent and outcome. The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice - that they knew what they agreed to and wanted to agree. If users did not intentionally want to opt in to you doing X with their data, then you don't have a valid legal basis for processing no matter what they clicked, since whatever system you built apparently did not truly capture what the user wanted.
If a site wants to use data in ways that need consent (by the way, most reasonable uses don't need consent because 'legitimate need' applies - it's pretty much only things like "use all your private data for targeted advertising" and "share your private data with these 1000 trusted partners" that need consent) then it's the burden of the site to ensure that the options are presented in a clear, non-confusing way, that users get fully informed, etc., and to demonstrate to the data protection agency that whatever they implemented achieves these goals.
"Just highlighting the 'no consent button' after a massive set of options" most likely is not effective to that goal, and a data protection agency can easily verify that (run a study with 10 new users signing up for the site and fill out a questionnaire of what they wanted to consent to), so it should invite administrative action from the DPAs, with mandates to change the system and/or fines depending on the circumstances. It's just that they're not really bothering with random websites (yet?) since the majority of their work is on how all the EU non-web businesses (e.g. retailer loyalty programs, phone providers, banks, etc.) handle private data.
> The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice
How is this even possible without setting up a video meeting where a consent officer interviews you and quizzes you to make sure you understood your rights and what you were consenting to?
This seems like an exceedingly onerous thing to demonstrate.
By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website. What you should do to comply is literally in the guidance; both the old guidance and the newly published guidance.
The EU does not act like the US - if there's a piece of law, there is guidance on how to comply with that law. You follow it and you're safe, until someone publishes updated guidance.
A number of companies are betting that doing something short of what the guidance recommends will still result in a compliant website. They are in a situation where, if they attract the attention of a regulating body, they may be fined.
> By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website.
And what if your cat walks across the keyboard and accidentally consents, but you never even realized it? Should there be a consent banner across the top at all times? Or what if you are drunk when you are surfing the web and didn't understand your rights when you accidentally consented (drunk people can't consent - the website raped your privacy)?
Then, assuming that you can evidence that you followed the guidance, and you implement the rest of the GDPR, which gives the person in question a mechanism to revoke their consent, you're pretty much definitely fine. You realise that we're not out on a witch hunt here, right?
If a user complains, the data protection agency will evaluate your process and evidence. As you say in another comment, "Here are the logs, here is the dialogue they were shown." - that's it, if you're compliant, that's all you need to do. But you need to be able to make a convincing case that the dialogue is reasonable, fits the criteria ("the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language") and the choices a reasonable person would make on that dialogue would reflect their intent.
But this discussion is full of examples of "consent" dialogues that clearly are made to trick users into making a different choice than what they want. In such cases showing the logs and dialogues would demonstrate that a valid consent was not obtained.
It's not a novel thing - for example, I recall that many years ago website opt-in patterns were being reviewed in the Ryanair case, where the consumer rights agencies analyzed their website order process in which a bunch of 'dark patterns' were used so that people accidentally "opted in" to things they did not want. There's an administrative process that determines whether your process is honest or tries to cheat users into "agreeing" to things they don't intend to agree to. In the latter case, you'll be forced to change how your stuff works.
If there's a process, why are dark patterns so prevalent? I might have seen a clear and straightforward choice once or twice; usually, it is hard to find the reject flow and hard to understand whether I am correctly triggering it.
I am sure there are many databases out there in which I am marked as having consented to it, although I did no such thing. The standard is to make it hard to express your desire to opt out, despite the rules requiring entirely the opposite.
Mostly because enforcement has not gotten to them yet - lots of the really bad examples are from non-EU companies, and the priority of the enforcement has been mostly with local businesses, and most of that for all kinds of privacy issues with more real world impact.
E.g. at the launch of GDPR a local major supermarket chain tried to use a bunch of dark patterns for their loyalty card program (mostly offline) process so as to continue their tracking; they were forced to change last year. It's clear that issues like that have a much larger impact on the privacy of people than some foreign news website, and that's prioritized accordingly.
For the major multinational social networks, the delays are (intentionally?) caused by the lack of capacity in the Ireland data protection agency, as many of these multinationals have their EU HQ in Ireland because of tax purposes, so all their cases are being handled there and that means that enforcement for them is going to take a long time. But if I look at random local websites today and compare it to what was happening a year ago, the dark patterns are not prevalent anymore. They appear occasionally, but they're really rare now locally.
You make it obvious and unambiguous so that if you argue your case in front of a judge they will agree with you. Same way as you demonstrate a paper consent form is valid.
If it was accidental (as in the form was clear, but my cat pressed the wrong button), then the user just needs to ask the company to remove the consent.
If the company refuses, or if the user claims he was tricked into agreeing, then there is cause for further investigation.
And it's not going to be a judge from the start, but whatever organism is charged with compliance.
Then, if they have a case, a judge gets involved.
I was on a mainstream site yesterday (can't recall now which); it had a cookie dialog with no options checked, and an "accept and go to site" button, so I assumed it meant "accept the above settings". Nope, it fills in all the unchecked options, then "accepts" those settings and goes to the site. It was so incredibly devious I was almost impressed as I immediately closed the tab.
It will likely be up to the courts to interpret around the edges, such as "can the modal have everything turned on by default?" That said, at a baseline it means that if you didn't click a "consent" button or some equivalent action, they can't assume they have your consent.
There's a lot of detail, but the most important part is this: "...inactivity should not therefore constitute consent."
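As an added illustration (not code from anyone in this thread), the snippet below models the two behaviours described above: the "accept and go to site" button that silently turns every unchecked option on, versus a dialog whose recorded consent is exactly what the user ticked, with closing the dialog or inactivity yielding no consent, and a record kept as the "here are the logs, here is the dialogue they were shown" evidence. The purpose names and the record fields are assumptions for illustration.

```javascript
// Added example, not from the thread. Purpose names and record shape are
// assumptions; the point is that stored consent equals the user's explicit choice.
const PURPOSES = ["analytics", "targeted_ads", "partner_sharing"];

// The dark pattern from the thread: whatever was checked, "accept" records
// consent for everything. Shown only so an audit can contrast it.
function darkPatternConsent(checked) {
  return Object.fromEntries(PURPOSES.map((p) => [p, true]));
}

// Compliant handling: every purpose defaults to off; only an explicit
// "accept" click records the boxes actually ticked; "reject", closing the
// dialog or doing nothing ("timeout") records no consent at all.
function recordConsent({ action, checked = [], dialogVersion, now = Date.now() }) {
  const granted = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  if (action === "accept") {
    for (const p of checked) {
      if (p in granted) granted[p] = true;
    }
  }
  // Evidence for a DPA enquiry: which dialog was shown, what was clicked, when.
  return {
    dialogVersion,
    action,            // "accept" | "reject" | "dismiss" | "timeout"
    checked: [...checked],
    granted,
    recordedAt: new Date(now).toISOString(),
    withdrawable: true, // withdrawal must be as easy as giving consent
  };
}

// Withdrawal: a recorded consent (e.g. the cat's) can be undone later.
function withdrawConsent(record, now = Date.now()) {
  return {
    ...record,
    granted: Object.fromEntries(PURPOSES.map((p) => [p, false])),
    withdrawnAt: new Date(now).toISOString(),
  };
}

// Audit check: does the stored record reflect exactly what the user chose?
function consentMatchesChoice(record, checked) {
  return PURPOSES.every((p) => record.granted[p] === checked.includes(p));
}
```

Running `consentMatchesChoice` over stored records against the choices users actually made is the kind of check a regulator's "show me the logs" request would exercise.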
While I'm not sure there's an EU-wide ruling, the Greek DPA has specifically called out the "Consent" option being more visually prominent than the "Not Consent" option. They also mention the anti-pattern of bugging for consent daily but not bugging for un-consent afterwards, but that probably runs more afoul of "consent must be as easy to withdraw as to give" rather than "freely given."