Perhaps I was unclear. IMO someone picking "sure fine everyone track me" when setting up browser (DNT preference) first time should count as explicit consent for every site. And similarly choosing DNT for all should legally count as telling site not to track and not to ever prompt.
In addition to being explicit, consent must also be informed in order to be valid under the GDPR. This is not a blanket understanding of "I may be tracked on the internet." but a specific "X information may be used by Y data processors for Z purposes." If somebody is not informed of X, Y, and Z prior to giving consent, then it doesn't count. A browser-wide preference from years ago is not informed consent.
There is one and only one legal default under the GDPR: Do not track.
> There is one and only one legal default under the GDPR: Do not track.
This is immediately followed by every head of marketing (at least for US-based companies) asking "Okay, so how do we track those people?"
I'm not saying this is right. But it is reality. We normalized for two decades marketing leadership having the expectation that they can track every interaction, and prying that data away has been painful, especially for folks who really want to do the right thing but are told otherwise by their managers.
I agree, and that's why I try to avoid any prevarication on the point. Because the head of marketing will at some point ask developers to break the law. Treating privacy law as a grey area gives the marketers more room to pressure developers, and more room to throw developers under the bus afterward.
A user giving consent to <site|app...> A does not translate into consent for <site|app...>.
And yes, the default for such consent questions must be "no"