Many websites have a - huge- part in their cookie wall, called ‘legitimate interest’. I never allow them and i wonder; is this just a loophole to be able to force certain cookies on us anyway?
I can’t imagine it is harmless, but i never hear anyone discussing these type of cookies.
EDIT: Everyone, thank you so much for taking the effort to answer. These replies were very helpful and often quite detailed. I’ve read them all and it certainly gives food for thought. I also read that EU page, which is indeed not really clarifying much.
I agree that we need to do as much as possible to block all these invaders of our privacy, though it is ridiculous that we have to make so much effort to protect ourselves. And i know many people around me, who just let it all happen and are sometimes not even aware of such things as trackers. And honestly, they shouldn’t have to be aware, it is infuriating that these things are either allowed, or those companies taking the - small - risk to get away with it, because most people won’t bother with law suits and what not, certainly not when so many websites have these shady practices…
Again, thank you; i’m glad i asked :-)
There is necessary data processing. This is like the server knowing your IP address. Whilst the IP is personal data, it is required for network communication to work, and the server needs to know where to send the packets. But it doesn’t necessarily need to be stored.
Legitimate interests are legit things like security and fraud.
With the IP example, this could be storing your IP address along with some server metrics for a few hours to make sure you aren’t trying to DDOS the server. This is a legitimate interest that doesn’t need consent, as it is protecting company assets.
Similar with fraud.
Legitimate interests that don’t ask for consent have to be backed up in the privacy policy. And because it’s all wishy washy wording, the privacy policy can be challenged. So it’s a barrier of entry to stop companies making everything legitimate interests.
Where it gets funky are things like targeted ads, 3rd party ad companies etc.
An ad company’s legitimate interests are at odd with the end user, indeed their whole business model is at odds with the end user.
They have similar concerns about security as above.
However, their product is delivering ads to users, proving they have been delivered, and proving that the delivered ad has influenced the users behaviour. That is their ideal business model.
So, whilst processing your IP for DDOS protection, they might also tack on some log monitoring to see if “ad on Y page made you visit Z store page”.
This is using data already collected for a legitimate interest (DDOS protection), however it is processing it to track a user… Which is also the company’s legitimate interest, however it will likely be challenged. At which point, it’s easier to have a consent option for the extra processing and save the hassle of having to legally defend the process.
Essentially, legitimate interests are processing user data.
They may be beyond the core functionality of the actual website/app (eg fraud prevention, DDOS protection), but required for the company to run the website/app. At which point they don’t need consent, as long as their privacy policy is up to scratch.
Or they could be extra functionality that isn’t actually required (like the log processing by an ad company) to serve the content, but might improve the experience (or generate the company more money)
How this all boils down in the wild is that a lot of tracking and processing still happens, consent popups have dark-pattern UIs with complex language hiding what it really means backed by a privacy policy full of legalese. A lot of these sites are probably still in breach of GDPR, but it’s hard to prove and hard to prosecute.
Most of the time, if a website makes an effort it’s enough. It’s only the big companies/processors that really need to be on the ball with it.
Good summary, only one point: it is not legal under the GDPR to use data you get from one reason (DDoS protection) for another reason (ad tracking) without also specifying that that is happening and allowing that to stop.
I don’t say that isn’t happening, but it is not legal, if it is.
Yes, thanks for clarifying.
I was trying to say that, but I think I got lost in the words
No, legitimate interest goes further than functionally required cookies. Legitimate interest can be treated to mean almost anything, because it refers to the “legitimate business interests of the data processor”. If you’re on a news website, it’s their business to show you ads and to get them to click on them. Therefore, it’s their best interests to improve the click-through rate. This can be used to justify tracking cookies as legitimate interest.
Would it survive the test of a day in court? I don’t know, maybe not, but it probably will never go that far, so it basically doesn’t matter anyways.
I was trying to say that, where an ad company’s legitimate interests are likely at odds with a user using another website.
Legitimate interests to do something sensible (like fraud/ddos protection) is easy to justify.
Legitimate interests for ad tracking is a lot harder to justify, so it’s easier and less risky to just ask for consent.
But yeh, it doesn’t really matter in the grand scheme of things. At the moment, at least.
It’s only the big prolific companies that are going to have difficulty. Or if a particularly knowledgeable person (or lawyer) has a bone to pick with a company.
What’s an illegitimate interest?
It does already come with some limitations, though they’re also a matter of interpretation. For example “legitimate interests” cannot be applied to personal data of special categories and may thus not outweigh the rights and interests of the affected persons. This generally requires an assessment to be performed to ensure that is the case.
It’s not a get out of jail free card (despite a lot of companies seemingly thinking it is).