Re: Much a do
Nope those are not the rules. The rules simply say you have to have specific permission up front
It's a tad more sophisticated than that, but unfortunately vague enough to leave some margin for "errors" in interpretation.
You will always have to seek explicit permission (i.e. not buried in associated terms), but you may pre-tick the box if what you are gathering is not deemed "sensitive" such as contact details, i.e. a default opt-in posture is allowed.
However, when you go into details classed as "sensitive" such as health, you are no longer allowed to default to opt-in, the opt-in must be explicit too. The vagueness lies in "sensitive" because that depends on who you are, and your definition of where the "sensitive" boundary lies is likely to differ from any "gimme all your data so I can lose it" commercial recipient..