This will be forced with a challenge. With clickwrap super-generic consent being disallowed under GDPR, it's only going to take a single challenge where FB doesn't have the explicit consent for gov to start levying fines.

Anyone can pull up a piece of data to claim they have consent, you need something like a signature otherwise it is words against each other. There is no way to verify consent with some click through, anyone can click a link in someone else's name or create a record in a db that says so.

Makes sense. Think of all of the spam e-mail messages you get with tiny text at the bottom reading something like "You are receiving this e-mail because you signed up for {$web_site_you_never_heard_of_before}."