Very simplified, you can not use or give personal data to someone else without optin given consent (where you must state in non legal, non tech speech for what they will be used) and same goes for enabling others (ad networks, google,..) to get those data. Or you are breaking the law. Further, user must be allowed to view, change or delete those data and remove consent to use them in whole chain (your site, ad network used on your site,...) Furthermore the consent must be freely given (forget trackwalls).
And also, there's also the slightly grey-area requirement that (if you're using it as your legal basis) consent should not be required in order to utilise your product, merely to utilise the feature set that requires the data.
If you need everything, then you'll need to use "fulfilment of a contract" as the basis, and in that case, you probably need to make your ToS pretty tight too.
Question about the freely given consent -
Say I'm a car company like Tesla and I collect telemetry from the car to train a self-driving car model. I ask the user for consent to collect this data to train the self-driving model.
For the users that refuse this consent, can I prevent them from accessing the self-driving feature of the car? If not, how would the company deal with the free-rider problem - nobody opts in because they want their privacy but they also want the feature?
In that instance, I (personally, IANAL) wouldn't use consent as the legal basis. You could (esp with a legal team like Tesla could afford) pretty easily work that into either fulfilment of a contract, or legitimate interests.
AI and ML have to be careful [0], as you need to be explicit about the data's use and impact on the end-user. The most given example for this is ML algos that determine eligibility for financial products, but we could probably twist that Tesla example to fit a similar to be "my data is used to inform an algo that determines what the car does in a dangerous situation", so you might have to abide by rights to explanation and data editing.
The number of potential free-riders is tiny, so there's no reason to retaliate against them. The same problem exists in Internet services. If blekko (a startup search engine) saw a DNT do not track header from a user, we wouldn't even include their queries in our anonymized dataset. That slowed our learning-to-rank process, but only by a little.
