A big thing in GDPR is that consent must be sufficiently specific and explicit. Long and generic T&C might no longer pass. Ultimately, I imagine the regulation will make a lot of lawyers richer as this kind of stuff gets hammered out in practice.
With GDPR, blanket "opt-ins", i.e. clickwrap, won't suffice. People need to give informed consent, meaning key uses of personal data must be explained in plain language. Hopefully this will lead to a lot less abuse of I Agree to Everything and any Future Changes type of TOS.
Yes, you did. This is just another clickbait headline. GDPR - when it becomes active - will outlaw the opt-out strategy. But there is nothing legally wrong with it today.
No, the existing privacy legislation already requires opt-in for processing of biometric data; GDPR makes many things stricter, but much of it is already a legal requirement.
Apparently Facebook's well-trained legal team disagrees with your assessment of European law. Facebook isn't stupid; they wouldn't have done this if it weren't legal.