It also requires trivial opt-out and readability of the opt-ins.
And it gives enough power to really control what companies are doing with people's data. And the fines are huge (up to 3% of the company's global gross amount) compared to what exists today.
There are some things that must have a separate opt-in from the bare minimum that's necessary to provide the service.
Typically, there are three bullets on European privacy forms: handling personal data to provide the service, handling personal data for commercial and advertising purposes, sharing personal data with third parties (usually for commercial and advertising purposes). Pre-printed forms can only have the first ticked to yes, the other two must be filled in by the customer.
Just wait to see how the lawyers game these. My bet is no major corp ever pays a penalty that high, ever. There may be some egregious offender that gets caught with this, but not one of the big boys.
If I'm in debt to somebody 10.000, he owns me. If I'm in debt 10.000.000, I own him. Huge fines for behemoths will always be negotiated.
Nevertheless, it's a strong incentive for even the biggest companies to follow the law. The EU has the capability and desire to enforce huge fines to make sure data protection laws are obeyed.
Fines in antitrust cases can already be huge so I would doubt that those fines could be gamed if regulators take it seriously. The alternative to paying a fine is being banned from the market, which for the EU is a big deal.