For the marketing itself consent isn't needed, but for collecting/processing personal data for marketing I'm pretty confident it is. Why wouldn't that fall under GDPR?
Perhaps they are not storing the personally identifiable data (unclear whether the MAC addresses are logged on-site), but are merely passing it on to advertisers for their own use. Neat loophole if that is the case.
Not a loophole, clearly in violation. The collection itself is already problematic, passing it on makes it a lot worse. They will have to paint this as an oversight and fix it pdq or they might get themselves in real trouble.
