
Could you elaborate on GDPR being opt-out? The main point I keep reading about seems to be unambiguous separate consent for every use you use any piece of data for. (on mobile, but I’ll come back with references if needed)


Consent is one basis for collection. “Legitimate interest” is another. You need consent when you don’t have a strong enough argument under legitimate interest or another lawful basis.

I am not a lawyer, this is not legal advice.


IANAL either, but my research confirms this also. A lot of companies up to now have used opt-out as their skewed version of consent. GDPR raises that barrier much higher; however, some of those use cases of "older style consent" may very well fall into legitimate interests or performance of a contract.

One of the main things about GDPR though is getting companies to give a monkey's about the rationale for the data collection - even if they use the legitimate interests argument, part of it is that they now have to actively prepare for that, show the legitimate interest and rationalise it to regulators.


Thank you for the keywords, that actually makes some sense.

I guess the crux of the question is in ambiguous terms like "personal freedoms", etc. that the regulation says should be weighed against "Legitimate Interest" of whoever collects data.



