
Those are technically in violation of the GDPR since the opt out is required to be just as easy as the opt in.




No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".

How is ease of opt out versus opt in objectively measured?

Most of the time both options are presented clearly and within a few pixels from each other, but opt-in is usually slightly more eye catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that’s a design trick that will improve % of opt-in, how can it be argued that the opt-out was not as “easy”?


It is very common for there to be "accept all" and "more options" buttons where rejecting all requires multiple clicks via the latter. The sites which have a "Reject all" button right next to the "Accept all" one that's the same size and such aren't flagrantly violating the law.

The wording is such [0]:

> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

> ... It shall be as easy to withdraw as to give consent.

Your example does appear muddy, but I also doubt any enforcement targeting such sites.

What however is extremely common is an "Accept all" vs "Manage settings" which opens up another panel, where there is still no "Reject all" option, and only various settings where you can "Save choices" which might or might not default to what you want. Such cases are obviously blatant rule violations, both in amount of clicks and obfuscation of consent.

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...


In recent pop-ups, you are technically opted out by default (or at least that is how it is presented, I have not actually checked their cookie activity).

It is two clicks to confirm that choice and dismiss the pop-up versus one to accept all cookies but if you choose to interact with the site and ignore the pop-up instead, you are supposedly non-essential cookie free by default.


Then how is it some websites (I think the one I'm thinking of is The Sun or The Mirror) paywall the decline option? Presumably this is just illegal?

Except there are plenty of websites that are: accept cookies (yes) (no - you must pay), which is an extreme breach of GDPR.

But GDPR is toothless and ill thought out.


The effectiveness will vary with how well it will enforce, which is up to EU states to decide at the national level.


