If I were to summarize the GDPR, I would do it this way: If the customer explicitly consents, (almost) everything can be done. Explain properly, ask questions and wait for approval. That’s what companies have to do. The reactions from the companies who contact me as a customer or user make me partly believe that it is not only American entrepreneurs who don’t care what your customers want. The question is never asked. Neither consent, nor rejection is given.