Many websites have a - huge- part in their cookie wall, called ‘legitimate interest’. I never allow them and i wonder; is this just a loophole to be able to force certain cookies on us anyway?
I can’t imagine it is harmless, but i never hear anyone discussing these type of cookies.
EDIT: Everyone, thank you so much for taking the effort to answer. These replies were very helpful and often quite detailed. I’ve read them all and it certainly gives food for thought. I also read that EU page, which is indeed not really clarifying much.
I agree that we need to do as much as possible to block all these invaders of our privacy, though it is ridiculous that we have to make so much effort to protect ourselves. And i know many people around me, who just let it all happen and are sometimes not even aware of such things as trackers. And honestly, they shouldn’t have to be aware, it is infuriating that these things are either allowed, or those companies taking the - small - risk to get away with it, because most people won’t bother with law suits and what not, certainly not when so many websites have these shady practices…
Again, thank you; i’m glad i asked :-)
is this just a loophole to be able to force certain cookies on us anyway?
Absolutely. The phrase itself is a weasel phrase expressing that they’re legitimately interested in giving you tons of malware to increase their profit potential but trying to trick you into thinking it means that the purposes of that malware are more legitimate than that which is easier to refuse.
Most of them won’t even give you the option to reject it like othercookies, only letting you “object” to the fact that you’re getting it whether you want to or not.
It’s infuriating and should be illegal for sure.
The legitimate interest section often has a clause like “improving user experience” and “statistical analysis”.
Those are basically tracking cookies.
And measurement cookies and ad personification cookies etc etc. They basically do everything the other cookies do, the only difference being that you (usually) can’t refuse them, only object to the fact that they’re forcing them on you 🤬
I love that it implies that they also have illegitimate interests that they’ll still try to weasel in because 🤷💩
The legal definition in the GDPR is:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The European Commission has a page expanding on it.
As you can see it’s very vague, and it will probably take several court cases to define the boundaries.
Edit: there’s currently a request to ECJ from a Dutch court to define the main boundaries (Case C-621/22) and there was already another (c13/16) setting some limits.
True but the GDPR is not the primary legislative instrument here since it deals with general rules for processing personal data. The ePrivacy directive (or PECR in UK) is more important when it comes to cookies since it deals with electronic communication.
The ePrivacy directive states that cookies and similar tracking technologies can only be dropped on a user device after obtaining consent, i.e. no other ‘GDPR’ legal bases such as legitimate interest are available. There is an exception for cookies that are essential or strictly necessary for the website to work. In such cases no consent needs to be obtained. This exception is narrowly interpreted by most EU supervisory authorities.
This may be subject to change though since the ePrivacy directive is in the process of being replaced by the ePrivacy regulation which is said to outline new rules for cookies.
The practical way this seems to be implemented is that sites report the bulk of cookies and default to off to comply with GDPR, then list a subset of cookies as legitimate interest-based and default those to on with an ambiguous “object” setting.
Guessing the idea behind it is legal advice that legitimate interest swaps from one ruleset to another, but like the previous poster said I’m not sure how well any of this is tested.
Big companies are not to be trusted. That has never changed and probably never will. So yes, this is definitely a loophole that is probably exploited a lot.
And as is so often the case - as annoying as it is - anyone with enough knowledge bypasses all this crap.
In this particular case: an add-on that automatically accepts all cookies and one that automatically deletes all cookies after closing the tab or browser, excluding a defined list of exceptions and specific rules defined therein. I don’t need to mention adblockers and DNS obfuscators; everyone with half a brain uses them anyway. The same applies to mobile browsers. Firefox is currently still one of the last remaining defenders against the Chrome epidemic (it has unfortunately lost in the iPhone world due to technical K.O. ).
Legitimate interest is the phrasing used by the legislation, which is why companies use it. The wording of the law is pretty lax so a lot of companies put whatever they want in there. I think the intent of the law is to have those cookies be the kind that the website needs to work. For example, they might use that to store which cookies you chose to enable. If you don’t want analytics cookies, the site would make a note of that in those necessary cookies.
Personally, I have my browser set up to clear cookies when I close it, and I have a few sites set up as exceptions.
So, I’ve been asking myself what “legitimate interest” is supposed to mean.
I think the intent of the law is to have those cookies be the kind that the website needs to work. For example, they might use that to store which cookies you chose to enable
Companies actually don’t need to ask you to allow cookies which are strictly needed for the site to work. They will usually still show a category “required cookies” as part of the cookie list but you generally can’t disable them.
However, the “legitimate interest” stuff is usually deselectable and paired with another regular check box for the same third party.
Could be
There is necessary data processing. This is like the server knowing your IP address. Whilst the IP is personal data, it is required for network communication to work, and the server needs to know where to send the packets. But it doesn’t necessarily need to be stored.
Legitimate interests are legit things like security and fraud.
With the IP example, this could be storing your IP address along with some server metrics for a few hours to make sure you aren’t trying to DDOS the server. This is a legitimate interest that doesn’t need consent, as it is protecting company assets.
Similar with fraud.Legitimate interests that don’t ask for consent have to be backed up in the privacy policy. And because it’s all wishy washy wording, the privacy policy can be challenged. So it’s a barrier of entry to stop companies making everything legitimate interests.
Where it gets funky are things like targeted ads, 3rd party ad companies etc.
An ad company’s legitimate interests are at odd with the end user, indeed their whole business model is at odds with the end user.
They have similar concerns about security as above.
However, their product is delivering ads to users, proving they have been delivered, and proving that the delivered ad has influenced the users behaviour. That is their ideal business model.
So, whilst processing your IP for DDOS protection, they might also tack on some log monitoring to see if “ad on Y page made you visit Z store page”.
This is using data already collected for a legitimate interest (DDOS protection), however it is processing it to track a user… Which is also the company’s legitimate interest, however it will likely be challenged. At which point, it’s easier to have a consent option for the extra processing and save the hassle of having to legally defend the process.Essentially, legitimate interests are processing user data.
They may be beyond the core functionality of the actual website/app (eg fraud prevention, DDOS protection), but required for the company to run the website/app. At which point they don’t need consent, as long as their privacy policy is up to scratch.
Or they could be extra functionality that isn’t actually required (like the log processing by an ad company) to serve the content, but might improve the experience (or generate the company more money)How this all boils down in the wild is that a lot of tracking and processing still happens, consent popups have dark-pattern UIs with complex language hiding what it really means backed by a privacy policy full of legalese. A lot of these sites are probably still in breach of GDPR, but it’s hard to prove and hard to prosecute.
Most of the time, if a website makes an effort it’s enough. It’s only the big companies/processors that really need to be on the ball with it.Good summary, only one point: it is not legal under the GDPR to use data you get from one reason (DDoS protection) for another reason (ad tracking) without also specifying that that is happening and allowing that to stop.
I don’t say that isn’t happening, but it is not legal, if it is.
Yes, thanks for clarifying.
I was trying to say that, but I think I got lost in the words
No, legitimate interest goes further than functionally required cookies. Legitimate interest can be treated to mean almost anything, because it refers to the “legitimate business interests of the data processor”. If you’re on a news website, it’s their business to show you ads and to get them to click on them. Therefore, it’s their best interests to improve the click-through rate. This can be used to justify tracking cookies as legitimate interest.
Would it survive the test of a day in court? I don’t know, maybe not, but it probably will never go that far, so it basically doesn’t matter anyways.
It does already come with some limitations, though they’re also a matter of interpretation. For example “legitimate interests” cannot be applied to personal data of special categories and may thus not outweigh the rights and interests of the affected persons. This generally requires an assessment to be performed to ensure that is the case.
It’s not a get out of jail free card (despite a lot of companies seemingly thinking it is).
I was trying to say that, where an ad company’s legitimate interests are likely at odds with a user using another website.
Legitimate interests to do something sensible (like fraud/ddos protection) is easy to justify.
Legitimate interests for ad tracking is a lot harder to justify, so it’s easier and less risky to just ask for consent.But yeh, it doesn’t really matter in the grand scheme of things. At the moment, at least.
It’s only the big prolific companies that are going to have difficulty. Or if a particularly knowledgeable person (or lawyer) has a bone to pick with a company.What’s an illegitimate interest?