The problem I have is that a site could tie acceptance with allowance.
e.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.
then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent.
is that still legal?
No, that's not presumed to be freely given consent.
https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if ... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
If the data is actually needed to execute the contract (i.e. a delivery address if you're mailing stuff to the user), then you don't need separate consent; but if it's not (e.g. just revenue) then any "confirmation clicks" that are tied to site access being cut off would be just that - simply clicks that don't count as freely given consent.
Also, if you consider giving a reward for acceptance of GDPR consent, then you must also consider that consent can be revoked at any time (including 5 seconds afterward) and it must be literally as easy to withdraw consent as it is to give it.
e.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.
then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent. is that still legal?