As far as I remember, explicit consent is required for data collection and provision of services should not be contingent on consent.
Actually, it's a little more subtle than that. As stated above, only collecting what you need was already in the old data protection act - as was quite a bit of the consent rules.
But the GDPR doesn't actually want you asking for consent for everything. Consent has to be optional - refusal isn't supposed to kill the service. So you're supposed to use the consent model to gain data to use for optional extras like marketing of the company's other services and personalisation.
Where consent breaks the product/service on offer you're not supposed to ask for it. That's supposed to be in the legitimate interests bucket - and you're supposed to just tell the customer what data you're gathering and why - with most of the details in the privacy policy. That's where the "take-it-or-leave-it" consent is supposed to come from, with consent forms for the extras only.