[mananaysiempre]

Not a lawyer. My impression is that you’re in any case allowed to record things in order to fulfil explicit requests (preferences, ongoing orders—like in your example), legal requirements (limited-time order history—ugh), or functional necessities (free trial used up), no explicit consent needed. Notably the bar is “required to work at all”, not “required to be profitable” or “required to use common out-of-the-box solutions”. Cloudflare or reCAPTCHA 3 would probably make interesting test cases here (my burning hate for them from the several years I needed to use a self-hosted always-on VPN aside).

The way to do this (both in ePrivacy and in GDPR, despite the different legal mechanisms they use) looks to be to write a phrase like “legitimate interest” into the main text, give illustrative examples of what that’s supposed to mean in the recitals before that, and let the courts figure out the details.