This is very strange. Actually, the system does make changes to the current user not yet authenticated (even when cookies are excluded in general setting). Then, if the user authenticates (login/signup) by the session timeout, the changes made meanwhile will be joined to the user db.
I would doublecheck the whole thing, putting a text element on the page displaying the value of the “current user > opt-in” field. I have just made it for test (see below screenshot): once a new user land on a page, the system is able to display its creation date, and when you make a changes to this user, the system store the change and display it to you:
Tested it in my environment, and it does not appear anymore once the condition is met.
I would say that your set up concept is correct (at least I have replicated it and it does work: so probably there is something to fix in the properties of the various elements/actions.