1. Do we have to use consent for our product, or can we use legitimate interest as the basis for our processing?
2. If we use consent, are we allowed to deny the user the use of our service if they do not consent?
For some background, our product is an IoT device which communicates with our web servers hosted on GCP, to store user emails and device sensor data in order to send out email alerts and provide sensor data visualizations. It also allows user control over the unit.
You should use a contract as a legal basis to provide your service. The processing of data through sensors seems essential to make the device working and so it is necessary to provide the service. If you use a contract as a legal basis, and the user denies agreeing with data processing you can deny the use of service since the processing of personal data is necessary.
Here you can find more information on GDPR extraterritorial effect and on consent: