To come back on your post as promised in DM:
Yes opt in is required under the GDPR. An opt-out option like common in the USA does not comply with the GDPR. Also, pre-ticked boxes are not allowed as this classifies as opt-ing out not in (How opt-in consent really works) GDPR requires what is called informed consent. (What are the GDPR consent requirements? - GDPR.eu)
In fact Google received one of the first fines under GDPR because they did not ask consent correctly: GDPR violations: What you can learn from the first 50 million € fine issued to Google - Blogpost
The ICO (UK’ DPA) who has pretty much the same regulation outlined the guidelines for compliance in nglish here: How do we comply with the cookie rules? | ICO
So in conclusion when websites place trackers without having received informed consent aka opt-in. They are in violation of GDPR as they cannot have received such informed consent. Now this doesn’t mean that this never happens. In fact, we all know that many companies still do not comply with the regulation. That’s why features like forgetful browsing are a good layer of defence.
Also, I like to add that even if you opt out of cookies commonly websites will just place them regardlessly. Often the cookie banners are not correctly configured. This is something I frequently see, and based on that I dare to say you cannot and should not rely on opting out.
GDPR will help Europeans to enforce their rights to companies that neglect human rights, but it does unfortunately not mean that opting out is giving you what you expect.
Why is it better to just block the banners:
Well simply typically the consent platforms besides being full of (illegal) dark patterns (https://archive.is/gjTuZ) are the services that actually load the third parties. F.x. Onetrust (https://my.onetrust.com/articles/en_US/Knowledge/UUID-301b21c8-a73a-05e8-175a-36c9036728dc) or Google Consent Manager (https://www.youtube.com/watch?v=MqAEbshMv84) gets consent. Google Tag Manager then loads in third party scripts (How to Install Meta Pixel with Google Tag Manager (Facebook Pixel) (2024)), and it can even proxy them (프록시 서버 라우팅 설정 | Google Tag Manager - Server-side | Google for Developers) so that you cannot block them. This is why you should block the entire Google Tag Manager.
It’s always good to keep track of the other side of things. It’s good to monitor how marketing works and familiarize with their techniques to improve your defenses.