The GDPR doesn’t allow default-checked opt-in checkboxes. They aren’t “clear affirmative actions”.
Article 4.11: ”'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
So now we have to go back to every site/service/app including unchecked but mandatory tick boxes about agreeing to their terms and privacy policy in the checkout process, thus both annoying just about everyone and potentially reducing conversion rates while making no practical difference to anything whatsoever? I guess we can file that with the "cookie" law and the consumer protection rules that say if you want to download any digital content you just bought immediately instead of waiting 14 days first then <insert scary legalese about losing a right to cancel under some law you never heard of here>. I think they're under "well intentioned but utterly lacking in practical understanding".
Those tick boxes can only be mandatory if the data is actually needed to provide the service - the user can't be forced to allow his data to be used for marketing purposes, for example. Also, if it's obvious for what purpose the data will be used (e.g. filling in your address for delivering a package), you don't need a tick box.
So there should be little need for mandatory boxes.
As ever with the GDPR, things are going to get subjective and you take your chances until the picture is clearer. A strict interpretation appears to be that, for example, a business that uses a customer's email address as an account ID on its web site and sends only essential messages to that email address doesn't need consent, because the legal basis for the processing is performance of a contract, but if the email address is also used for other form of communication (even if the message is genuinely relevant and something the customer would almost certainly want to receive) then that may require active consent. That could lead to a lot of places adding those checkboxes back in just to make sure they're covered, even if they aren't strictly necessary.
Actually, they can't add those checkmarks, because consent must be specific (use this data for this purpose), so a generic tick box about agreeing to their terms and privacy policy won't fly.
Well, at that point, all semblance of reality would have been lost anyway. It seems highly unlikely that any businesses, even huge ones that have data-hoarding business models, are going to start itemising opt-in consents in their sign-up process rather than just having a compliant privacy policy and a single active consent to processing under it.
Unless they really want to play chicken over something that is clearly an unreasonable interpretation of the rules, I doubt it.
Using the GDPR to go after one big player that seriously screwed up is one thing. I certainly wouldn't be comfortable if I held Facebook stock right now.
But going after all the big players, just for not complying with something that is probably impractical for any of them to comply with, is something else entirely. How long do you think public sentiment is going to support government regulators and the GDPR if the likes of Facebook, Google Mail, WhatsApp, Instagram and SnapChat all go dark across the EU for an hour, or a day, or a week?
There's nothing unreasonable about it, it's the plain reading of Article 7 (2).
Regarding the big sites, I don't see how is that relevant to your initial point about whether "every site" will have mandatory checkboxes, and so I'll let someone else read the magic 8 ball.
Article 4.11: ”'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”