It's pretty easy: The law says that you always have to set a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from banks and credit card companies, and they are all very explicit about it and it was very easy to see the choices and the effect of the law.
I guess I can't go forward without reiterating the argument, so I guess I'll stop. But, I think considering it easy is naive, considering the mountain of experience to the contrary.
At least in Italy, this has been the way it works for years. When I sign something privacy-related I get at least two boxes: one for the treatment of my information for functional purposes (that is, "we can't even take this paper back if you don't give us permission"), the other for research and marketing purposes (that is, stuff not essential to the performance of the service). It's working quite well, in my case at least.