The IAB consent dialog is the worst, as it makes you consent to the entire advertising industry.
Those legitimate interests, however, are bullshit. Just because they claim it, doesn't mean it's true.
For instance, a DPA just claimed that Facebook can't claim a legitimate interest for behavioral advertising, so they'll have to ask for consent. Which will be interesting, because they won't be able to refuse service to those that decline.
The "legitimate interest" part of GDPR is just horrifically abused by so many companies, who act like it's a magic two words which allow them to collect personal information without consent because they said "ooooh we really do have a legitimate reason for this data" which is against both the spirit and the wording of the GDPR.
I really hope to see a few big cases where the EU fines companies for that, so that everyone else gets the picture and stops hiding behind legitimate fucking interest. But I don't know why that hasn't happened yet, hopefully it's just slow moving rather than a case of the laws implementing GDPR being fuzzy enough that countries are worried they wouldn't win the case in courts. (But if that were the case, hurry up and update the law!)
/side note: apologies on behalf of my profession, since it's largely marketing people who've led to these shitty practises. We're not all assholes, some of us do respect people's data, rights, and (lack of-)consent.
Meta also broke the record for the biggest fine this year (1.2 billion). The fines are coming, and if they go after the biggest players first (e.g., Meta, Google), it will send shockwaves through the entire industry.
When GDPR came into effect, being close to the advertising business then, I know some companies that closed shop in EU. But enforcement has been very moderate, at least in the beginning. There's also the issue that some DPAs are more active than others. On the other hand, it doesn't take a lot to set precedents, and EU countries may find that these fines are a nice way to add to the public budget.
Those legitimate interests, however, are bullshit. Just because they claim it, doesn't mean it's true.
For instance, a DPA just claimed that Facebook can't claim a legitimate interest for behavioral advertising, so they'll have to ask for consent. Which will be interesting, because they won't be able to refuse service to those that decline.