It's not defined. It was left intentionally ambiguous in the GDPR so member states have some flexibility in definition.

I've got a call with a lawyer on Monday to clarify some bits of the GDPR. Number one Q for me is "how far can you take legitimate interests?".

Some lawyers are advising that marketing data and usage falls under legitimate interest, in a way that these higes drives for consent seem unnecessary.

If anyone else has any questions, I can ask and feedback. I'm sure I'll have those questions too.

Possibly but they are not "sensitive data" (aka "special categories of personal data"). Article 9 of the GDPR outlines what these special categories are:

"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"

It really should be defined by company size or revenue. If I my site goes viral and a small web app suddenly has 2M lines of logs, but my revenue is small/non-existent, then there's no reason to comply. If that pushes my revenue over 1M euros a year, you now get pushed into a zone where you should be compliant, and you have enough revenue to afford it as well.