https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
Bottom line, DONT store/sell/mangle with personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News, you dont need email
- once user has selected and payed the goods, request sending address and contact (phone/email/whatever)
- ship it, print the requested / store into cold store (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from server
The described process will pass the GDPR Nightmare Letter in 10 minutes (to write a general reply) that you sent to everyone requesting.
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really dont understand all the fuss about the GDPR, if you explain (and prove) this to ICO, I would really like to see who will punish you for that.