But that is exactly the bullshit that I was referring to! No, if you haven't mistreated your customers before, there is no need to change anything, and there are plenty of businesses that haven't. There was never any necessity to spy on your customers, and thus there obviously is also no necessity to get consent for the spying that you are not doing in the first place.
Consider a site that sells digital goods for download. They need to store information that provides evidence of your physical location, such as IP address [1], in order to satisfy tax authorities that they collected the right jurisdiction's VAT or sales tax.
I doubt that you are going to explicitly ask sites to store your IP address, so how do you think that should be handled?
[1] IP address alone doesn't prove location, but it is evidence. The EU, for example, for requires for internet sales that you justify your choice of whose VAT to collect by providing two non-contradictory pieces of evidence for the location you chose. IP address can be one of those pieces. Billing address of the card used for the purchase can be another, and for most people that and IP address is enough.
That is an entirely different matter than what this decision is about? I would think this probably doesn't even need explicit consent, as it is stored in order to fulfill a legal obligation that results from the sales contract.
Now, maybe it would be preferable to ask for permission in those cases as well (just put a checkbox in the order form?), but my point (though maybe not stated clearly enough) was not that I expect only data to be stored when I explicitly ask for it for be stored, but that it is only stored when I explicitly ask for something that necessarily requires the data to be stored. So, if I order some digital goods, it might be required that the shop stores my IP address, so that's probably OK. But my point is that that does not include the permission to use it for anything other than fulfilling the legal obligation, and most certainly not to also store my navigation behavior on their website, or to keep it once they don't need it for tax purposes anymore.
This sounds like a "legitimate interest"[1] and/or "legal obligation"[2], which is a lawful basis for processing personal data under the GDPR, even without explicit consent. Explicit consent only enters into the picture when no other lawful basis for processing personal data exists. You can find a full list of lawful bases at [3].
I did not mean businesses would become unviable, just that everyone needs to change the way they present GDPR relevant information.