Many websites have a - huge- part in their cookie wall, called ‘legitimate interest’. I never allow them and i wonder; is this just a loophole to be able to force certain cookies on us anyway?
I can’t imagine it is harmless, but i never hear anyone discussing these type of cookies.
EDIT: Everyone, thank you so much for taking the effort to answer. These replies were very helpful and often quite detailed. I’ve read them all and it certainly gives food for thought. I also read that EU page, which is indeed not really clarifying much.
I agree that we need to do as much as possible to block all these invaders of our privacy, though it is ridiculous that we have to make so much effort to protect ourselves. And i know many people around me, who just let it all happen and are sometimes not even aware of such things as trackers. And honestly, they shouldn’t have to be aware, it is infuriating that these things are either allowed, or those companies taking the - small - risk to get away with it, because most people won’t bother with law suits and what not, certainly not when so many websites have these shady practices…
Again, thank you; i’m glad i asked :-)
No, legitimate interest goes further than functionally required cookies. Legitimate interest can be treated to mean almost anything, because it refers to the “legitimate business interests of the data processor”. If you’re on a news website, it’s their business to show you ads and to get them to click on them. Therefore, it’s their best interests to improve the click-through rate. This can be used to justify tracking cookies as legitimate interest.
Would it survive the test of a day in court? I don’t know, maybe not, but it probably will never go that far, so it basically doesn’t matter anyways.
What’s an illegitimate interest?
It does already come with some limitations, though they’re also a matter of interpretation. For example “legitimate interests” cannot be applied to personal data of special categories and may thus not outweigh the rights and interests of the affected persons. This generally requires an assessment to be performed to ensure that is the case.
It’s not a get out of jail free card (despite a lot of companies seemingly thinking it is).
I was trying to say that, where an ad company’s legitimate interests are likely at odds with a user using another website.
Legitimate interests to do something sensible (like fraud/ddos protection) is easy to justify.
Legitimate interests for ad tracking is a lot harder to justify, so it’s easier and less risky to just ask for consent.
But yeh, it doesn’t really matter in the grand scheme of things. At the moment, at least.
It’s only the big prolific companies that are going to have difficulty. Or if a particularly knowledgeable person (or lawyer) has a bone to pick with a company.