Alcune citazioni dalla legge GDPR:
[...] Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. [...]
[...] Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation [...]
[...] ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; [...]
[...] When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. [...]
GDPR richiede il consenso esplicito. Se un servizio raccoglie dati personali e non gli hai dato il consenso esplicito, deve chiedere nuovamente il tuo consenso, in modo esplicito. Credo che in teoria un servizio debba anche chiedere di nuovo il consenso esplicito ogni volta che modificano la loro politica sulla privacy, anche se non riesco a trovare una dichiarazione al riguardo. Quindi, credo che il tuo esempio di "pseudo-implicita rinuncia" non sia legale in ogni caso, anche se in precedenza hai dato il consenso esplicitamente in un modo conforme a GDPR (e ne dubito), perché stanno cambiando la loro politica sulla privacy e ti chiede di accettarlo implicitamente semplicemente continuando a utilizzare il loro servizio.