To add to that, we have the effect that some large $megacorps used these dark patterns in the beginning to see if they can get away with it and others unknowingly just copy it. I work as a webdev contractor and very often get requests by customers to implement the same (illegal) tracking popup, thinking they would be lawful as it is identical to what $megacorp uses.

> - that denying is easier than accept

> - that there has to be a single "no" button, but individual "yes" buttons for every single choice

GDPR requires neither of those explicitly, this is just the interpretation by most regional Data Protection Commissioners.

> but individual "yes" buttons for every single choice

This is misleading at best - there can be an "Accept All" Button.

You wrote:

> GDPR requires neither of those explicitly, this is just the interpretation by most regional Data Protection Commissioners.

No. https://gdpr-info.eu/recitals/no-32/ says:

> When the processing has multiple purposes, consent should be given for all of them

You wrote:

> This is misleading at best - there can be an "Accept All" Button.

No. https://gdpr-info.eu/recitals/no-32/ says:

> Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

The legal text of the GDPR explicitly bans pre-ticked boxes for types of consent. You have to manually tick each box individually.