I think this interpretation of the EU directive is getting a little “over the top”. The directive, which is not a binding legislative act, is designed to protect the interests of people who may provide information to websites which could personally identify the individual. Furthermore, it only applies to websites that SYSTEMATICALLY intend to process or monitor that data on a large scale. For most website owners, this is not the case. For website owners who have the INTENT of gathering and processing such information on a large scale, it is for THEM to seek proper legal advice on how to deal with the issue. This will involve them in disclosing to legal counsel the type and scale of information they intend to collect, and how that information may be processed, stored or made available to third parties. It is not the responsibility of a contracted website developer/designer to ensure compliance with any applicable regulations, in much the same way as it isn’t the responsibility of a Graphic Designer to ensure that their client's printed material meets the requirements of advertising standards regulations.
The directive as it stands only requires a user to provide “explicit” consent if the data collected is sensitive, personal data. Explicit consent is given by a specific “opt-in” declaration on your forms. For non-sensitive information which is not intended for processing or distribution to others, a simple “unambiguous” consent is all that is required. This can be in the form of simply submitting a form to the website owner with the intention of getting a response of some sort or another. Ultimately, it’s all down to what your form is being submitted for, and what you intend to do with the submitted data once you receive it.
You should also be aware that simple checkboxes alone will not suffice where you need explicit consent. They must be accompanied by a statement on the form of what exactly people are consenting to. As such, a pre-checked tick box may put you in breach of the regulations.
If the intent of the website owner is to collect, process and possibly utilise information submitted for reasons other than responding to a product or service enquiry, then they must state clearly and in unambiguous terms what the intent is. By doing this, site visitors can choose to submit the form, or not. Where specific intent is important, it may even be better to have two submit buttons: one which gives explicit consent to use the data submitted, and one where consent for anything other than a response is denied. In either case, the response to the enquirer should reiterate what the visitor has consented to and give them the option of having their data, including their email address, removed from the website contact database.
As for Portugal, they have not yet implemented any specific national regulations regarding the GDPR adjustment laws. In fact, the only country to implement specific national law is Germany. Most other EU member states are still at the draft bill stage.