
The only thing that a banner "by scrolling down you opt in to something" means according to GDPR is that the people who wrote that banner are liars.

Quoting GDPR definitions (Art 4.12), '‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes [..]'.

If the site owner wants to assert that the user provided consent, it's up to them to demonstrate that they fulfilled all these criteria. If they assert that a particular action (e.g. scrolling in this case) indicates consent, then they have the burden of proof to convince the regulator or the court that the action was unambiguous, that it's clear that reasonable people would only take that action with the intent to opt-in, and not because of some unrelated reason such as wanting to read the content below. The legality of various opt-in 'dark patterns' has been tested in EU courts already before GDPR, and it's not considered legally valid if it systematically misrepresents the actual user intent and wishes.

The appropriateness of any technical measure can be trivially tested with a user survey - get 100 random people to use the site for 5 minutes, and after the "opt in" action is completed, ask them whether they know that they "opted in", whether they know to what they opted in, and whether they really intended to opt in or not - and if not, then your method for "collecting consent" does not work and the things you recorded - actions, clicks, even physical signatures in a 'meatspace' setting - do not give you any legal permission whatsoever, they're meaningless.

The one thing they can do with that banner and scrolling is to cover their information requirements, where they have the right to do something even if the user disagrees (much less opts in), but they are required to notify the users that they are doing that thing. But there it makes perfect sense that the user can choose to delete that banner if they want to, it's like the notifications in supermarkets that they have cameras - they're required to display them, but the users don't need to read them if they don't care.



I really hope that courts start striking down the various non-compliant banners and DPAs are secretly making a list and will start fining the shit out of them.

The law is pretty clear, nobody should be surprised that their banners are non-compliant.


I'm not saying it's a good way to do this. But they clearly state so: 'By scrolling, you are agreeing to use of cookies for marketing'.

They give you a good, easy way to opt out too.


A good way to do what? Clearly stating something does not make it true, because, to make it really clear, by reading this you definitely agree that you owe me $100.

The GDPR approach is that processing personal data by companies is prohibited by default, unless they can point out one of the specific GDPR subsections that permits that particular purpose of processing. They are not allowed to use my personal data for marketing unless specific conditions are met. Scrolling past a statement 'By scrolling, you are agreeing to use of cookies for marketing' does not meet these specific conditions, no matter how clearly it's said, so the banner legally makes no difference whatsoever, it does not mean that I'm agreeing to anything, it's exactly as if it wasn't there, and that clear statement is simply a lie.

And the "good, easy way to opt out" does not matter, after the opt-out it's just as illegal for them to use data as before the opt-out, since I did not opt-in. If they're using my data without an intentional opt-in, then they're untrustworthy cheaters anyway, there's no reason to try to opt-out of something that I didn't opt-in to, this should be handled by the regulator who will be able to audit them to verify if they have actually stopped using the data.

Furthermore, if I had opted in, the legal requirement (Article 7.3) is "It shall be as easy to withdraw as to give consent." So if opting in happens on the main page by scrolling but opting out happens in a settings menu requiring two clicks, then that may be good but it's not good enough, because it's not as easy as it was to opt in.


https://ico.org.uk/for-organisations/guide-to-data-protectio...

> You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent



