Apparently they are already GDPR compliant (FB). In their case it's actually easy to justify their legitimate interest because their entire business is the handling of private data. Ironically, even though GDPR is supposed to affect things like facebook more, it changes very little about the way they work.
Whether their business model is handling data is irrelevant; they must ask for consent to use that data for ads and such - and that's even if they already have collected the data to provide a service requested by the user.
They recently came out with a new screen asking users to consent to a bunch of things, so they weren't compliant until then, and I wouldn't bet they are now.