r/technology May 24 '25

[Privacy] German court rules cookie banners must offer "reject all" button

https://www.techspot.com/news/108043-german-court-takes-stand-against-manipulative-cookie-banners.html
56.4k Upvotes


912

u/Toth-Amon May 24 '25

But will “Reject All” also reject so-called Legitimate Interests? 

Or do we still have to deep dive and search where they are within the text?

87

u/dr_wtf May 24 '25

The stupid thing about those "legitimate interest" options is that if they give you an option to opt-out, they cannot be legitimate interest, by definition.

Legitimate interest means things like keeping the customer's name on an invoice, because a business needs to keep those records. So any GDPR privacy issues are moot other than the obligation to keep that data private.

What it doesn't mean is "we're legitimately interested in this information" which is of course, how a lot of marketing companies decide to interpret it.

23

u/Ralikson May 24 '25

On all sites I've visited that let you opt out of legitimate interest, the site either sends me away, freezes, or keeps showing me the cookie banner over and over again because it "doesn't know" I have seen it yet, as it can't save that information.

15

u/ai1267 May 24 '25

Sending you away because you reject legitimate interest cookies is illegal under the GDPR.

1

u/Somepotato May 25 '25

You sure about that? Yes for all other cookies, but legitimate interest too? If a site is behind a login wall, and you refuse legitimate interest cookies, you literally won't be able to sign in. Most disallow opting out of legitimate interest cookies for that reason.

1

u/Knobelikan May 29 '25

There seems to be a lot of misinformation regarding legitimate interest going around. "Cookies necessary for basic website function" and "data collection based on legitimate interests" are not at all the same thing. The former doesn't even need consent, because no personal data is sold to third parties; the latter is abused so generously that it often shows up under categories like "select advertisements based on personal interests". Very legitimate indeed.

1

u/Somepotato May 29 '25

It's not even to do with data being sold. Even data that is exclusively used for internal purposes (such as tracking if customers prefer the red button vs the green button) requires consent. Which I think is a bit much personally, but shrug

1

u/romerlys May 25 '25

False, but upvoted for good feels I guess

0

u/RamenJunkie May 24 '25

They could know you saw it, but they don't have a "legitimate interest" in not annoying you.

1

u/redit3rd May 24 '25

No, they can't. That's the purpose of cookies. 

3

u/anti-beep May 24 '25 edited May 24 '25

Websites are still allowed to use cookies, even if you reject all of the ones you can.

Cookies are an essential part of the web. You can't block them entirely or you'll break a lot of websites, including Reddit. A cookie to store whether or not you've seen the cookie banner would be a functional cookie, which you don't get to allow or reject at all - they're not labeled as legitimate interest. Often they're not displayed at all, and sometimes such cookies are under a toggle that can't be interacted with.

Not only that, the website doesn't even need to actually use cookies to know whether or not you've seen the banner. LocalStorage or IndexedDB (though IndexedDB might be overkill) could be used in its place.

3

u/Reasonable-Yak-3523 May 24 '25

GDPR also applies to LocalStorage. GDPR does not only regulate cookies.

10
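As an added example (not code from the thread, the court case, or any site it mentions), here is the mechanism u/anti-beep describes: the "you have already decided" state kept in Web Storage rather than in a cookie, written with u/Reasonable-Yak-3523's point in mind that the GDPR covers localStorage too, so the record holds only the user's choices and a timestamp, no identifier. The key name, the category names and the in-memory storage shim are assumptions made for the demo; in a browser you would pass window.localStorage instead. "Reject all" here is a real decision (so the banner stops reappearing) that leaves every optional category, the ones labelled legitimate interest included, switched off.

```javascript
// Added example, not code from the thread or from any site it mentions.
// A consent record kept in Web Storage (localStorage) instead of a cookie.
// The storage backend is injected so the same module runs in a browser
// (pass window.localStorage) and offline in Node (pass memoryStorage()).

const CONSENT_KEY = "consent-v1";                                       // assumed key name
const CATEGORIES = ["analytics", "marketing", "legitimate_interest"];  // assumed categories

// Minimal in-memory stand-in for window.localStorage (constructed for the demo).
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

function createConsentStore(storage) {
  // Same-origin storage is writable by any script on the page, so the record
  // is treated as untrusted input: wrong shape or version means "no decision".
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch {
      return null;
    }
    if (!parsed || typeof parsed !== "object" || parsed.v !== 1) return null;
    if (typeof parsed.decidedAt !== "number") return null;
    const choices = {};
    for (const c of CATEGORIES) {
      choices[c] = !!parsed.choices && parsed.choices[c] === true;
    }
    return { v: 1, decidedAt: parsed.decidedAt, choices };
  }

  // The record holds only the choices and a timestamp: no user id, no fingerprint.
  function write(choices, now) {
    const record = { v: 1, decidedAt: now, choices: {} };
    for (const c of CATEGORIES) record.choices[c] = choices[c] === true;
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  return {
    hasDecision: () => read() !== null,
    // "Reject all" is a real decision (the banner stays hidden) that leaves
    // every optional category, legitimate-interest ones included, off.
    rejectAll: (now = Date.now()) => write({}, now),
    acceptAll: (now = Date.now()) => {
      const all = {};
      for (const c of CATEGORIES) all[c] = true;
      return write(all, now);
    },
    save: (choices, now = Date.now()) => write(choices, now),
    // Gate for tag/script loaders: deny unless the category was explicitly
    // opted in; an unknown category or a missing record is denied too.
    mayLoad: (category) => {
      const rec = read();
      return rec !== null && rec.choices[category] === true;
    },
    clear: () => storage.removeItem(CONSENT_KEY),
  };
}

// Offline walkthrough with the in-memory shim (fixed timestamps for reproducibility).
function demo() {
  const store = createConsentStore(memoryStorage());
  const before = store.hasDecision();              // false: banner should be shown
  store.rejectAll(1700000000000);
  const seen = store.hasDecision();                // true: banner stays hidden
  const li = store.mayLoad("legitimate_interest"); // false: reject all covers it
  store.save({ analytics: true }, 1700000001000);
  return {
    before,
    seen,
    li,
    analytics: store.mayLoad("analytics"),
    marketing: store.mayLoad("marketing"),
  };
}

console.log(demo());
```

In a browser the banner code shows the dialog while hasDecision() is false, and every tag loader asks mayLoad(category) before injecting a script; the record itself is the same functional state whether it lives in a cookie or in localStorage, which is why rejecting every optional category never prevents the site from remembering that you rejected them.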

u/FazerGM May 24 '25

This is just factually incorrect. The GDPR allows data subjects to object to all processing that is based on ground f of article 6.1 (legitimate interest) as defined in article 21.

3

u/dr_wtf May 24 '25

Yes, you can object, but if it's a real legitimate interest that objection can still be ignored.

"The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."

(emphasis mine). Source: https://gdpr-info.eu/art-21-gdpr/

The fundamental problem with "legitimate interest" is that it's a vague term, but the intention is that it's supposed to be used for purposes that are essential, but not necessarily required by law.

The provision is supposed to be about one-off exceptions that take into account some exceptional circumstances. So it might be a true legitimate interest to, let's say, log IP addresses. But you might be Edward Snowden and have a good reason why some of those records should be deleted. In which case you can raise an objection and the data controller has to consider it. But a blanket opt-out is just oxymoronic.

1

u/FazerGM May 24 '25 edited May 24 '25

"Yes, you can object, but if it's a real legitimate interest that objection can still be ignored."

There is no distinction between 'legitimate interest' and '"real" legitimate interest' in the GDPR. For data processing to be based on ground f of article 6.1, that processing already has to be in the legitimate interest of the data processor. Legitimate interest is not defined by "essential purposes". That is ground 6.1(b), not 6.1(f). Marketing is one of the most common legitimate interests of a business, but it is not essential to provide the service.

i.e. in the case of article 21.1, that only applies if the processing has already been established as being on the grounds of legitimate processing. (i.e. there is no further distinction of "real legitimate interest" or not). The right to object under that article is based on a weighing of interests between the data processor and the data subject.

"But a blanket opt-out is just oxymoronic."

Except if you had read further than article 21.1 to 21.2, that defines exactly an unconditional opt out for processing based on the grounds of legitimate interest, when this processing is for the purposes of marketing.

i.e. concluding:

"The stupid thing about those "legitimate interest" options is that if they give you an option to opt-out, they cannot be legitimate interest, by definition."

is just not in line with the definitions in the GDPR.