
GDPR specifies what are valid reasons for collecting data, but as far as I know it does not require opt-in.



It does require an active choice/opt-in on the part of the data subject where your legal basis is consent.

It defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.”

Pre-ticked boxes, for instance, are explicitly not allowed.


GDPR requires explicit opt-in for each type of data collection/processing which is not essential for the execution of the service: https://gdpr.eu/recital-32-conditions-for-consent/

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. [...]



