GDPR is currently a grey area and, until a precedent is set, the general consensus is that a pre-selected opt-in is no longer permissible.
Not having to double-enter email addresses or to validate email addresses has been pivotal for businesses and marketing in bringing down the barrier to CRM sign-up.
A key PoD, however, between now and May 2018 when the act comes into play, is that the burden of proof will shift from user to business. Thus a data audit trail will be vital and a double opt-in – email verification – will be advisable. The plus side is that it will give better data integrity.
The new GDPR also affects cookie policy and notification overlays, and users will have a ‘right to be forgotten’ whereby they can request that their data be deleted from the system.
Currently, cookie overlays, or any reference to them in the Privacy Policy, are absent. This will affect features such as geolocation and remembering 1st time vs new vs repeat visitors, which may be used for segmenting and targeting.
Careful how you go, though: even the best-laid intentions have resulted in means-tested fines. Poor Flybe.
https://www.theregister.co.uk/2017/03/28/ico_fines_flybe_honda/
https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent