GDPR allows processing based either on consent (which doesn't need to be "written" but does need to be explicit and informed) or legitimate interest (or some other reasons that tend to be irrelevant for this kind of thing).

Legitimate interest does NOT require consent, is murky, and thus often gets used to justify things that should not exist under GDPR, but the most likely consequence is that the company gets to do it for 3+ years before being told "no, you can't do that anymore"...