Marcin, I’m very familiar with the Article 29 WP opinion on legitimate interests. Certainly, to determine that the balance of interests justifies personal data processing, companies who do it properly will need to take care. However, I think that most companies will follow this path unless they are faced with categoric requirements for consent.
The interplay of the ePrivacy requirements for consent (if they stay the same as in the proposed regulation) and the GDPR are interesting. Also, once a business has implemented portability for some of its activities and customers, they’ll probably find it makes sense for all cases.