Hardly anyone with an email address or a browser could have missed the flurry of activity in the lead-up to (and in some cases beyond) GDPR day on May 25th, 2018. Many organisations suddenly realised that their carefully collected lists of email addresses or their cookie policies might no longer be legal. The potential to be fined up to €20m or 4% of global turnover (whichever is greater) for GDPR infringements was probably a motivator, too. Some US-based websites even took the extraordinary step of completely blocking users with EU IP addresses until they worked out how they were going to handle the situation.
The GDPR issue isn't limited to newsletter lists and cookie policies, but extends to the holding of any personal information relating to EU citizens or residents. It is probably just that organisations had been a bit more slack in their privacy policies for email and cookies and rushed to shore up the situation.
User consent is just one of the lawful bases for holding personal information. The others are: Contract, Legal Obligations, Vital Interests, Public Tasks and Legitimate Interests. However, consent is probably the most common lawful basis, and the most publicly visible.
European Commission, Berlaymont building, Brussels
Even though the UK is scheduled to leave the EU on 29th March, 2019, the regulations will remain in force, as they have been adopted by the Data Protection Act 2018. In fact, GDPR implications may become even more complex, depending on the UK's negotiated settlement with the EU. Recent reports have suggested that the UK government wants a legally binding data protection agreement with the EU so that data can flow freely between the EU and UK. However, if a deal isn't agreed, the UK would be designated as a third country and would have to get an "adequacy decision" from the EU Commission on the suitability of the UK's data protection framework. That might be an additional bone of contention in an already fractious relationship.