How would a company decide that something should be “legitimate interest” vs “consent”?

EDIT: Definition of “Legitimate Interest”, when hovering over the question mark.

How does legitimate interest work?

Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

  • Doxin@pawb.social
    link
    fedilink
    arrow-up
    153
    ·
    5 months ago

    Nothing. Having a toggle for “legitimate interest” is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are “legitimate interests”. Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.

    Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won’t hold up in court.

    The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your “accept” and “reject” buttons a different font size is explicitly not allowed.

    • I Cast Fist@programming.dev
      link
      fedilink
      arrow-up
      22
      ·
      5 months ago

      Does the GDPR have anything on button colors? Because what I see more often is the “accept all” button visually distinct, while the “reject” or “confirm” button being very muted, almost blending with the background

      • Doxin@pawb.social
        link
        fedilink
        arrow-up
        17
        ·
        5 months ago

        Sliiightly more debatable, but you’re not supposed to emphasize one over the other iirc. Go read the GDPR, for legalese it’s surprisingly readable.

      • Honytawk@lemmy.zip
        link
        fedilink
        arrow-up
        8
        ·
        4 months ago

        Yes

        Declining needs to be as easy as accepting. So if one button is bigger or is easier to spot (like a different colour or font) then it isn’t compliant with GDPR.

    • sznowicki@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      5 months ago

      It may not be a pure nonsense. It might be that according to GDPR the company is eligible for some data use but according to telecommunication law needs still consent to even send this data.

      Example: company X analyses their traffic on the backend by aggregating logs per user in a anonymised way because they want to know how many users in a given country uses their product Y. They can do it without any consent as the data is in their system anyway and it is a legitimate interest to know facts about their own product.

      Now they want to enrich this by tracking whether the user clicked a homepage banner or a footer link in order to open that product page. This tracking is made on the browser with javascript by sending an AJAX request with a click event. This is still valid for GDPR but not for telecom law that says (German example from TTDSG) you’re not allowed to send anything from a user device unless it’s required for service or you have consent.

      Then this kind of consent would make sense.

      In the OP example I go with bullshit though. It’s most likely pretending to be compliant while breaking the law.

  • BeatTakeshi@lemmy.world
    link
    fedilink
    arrow-up
    40
    ·
    5 months ago

    Nothing, but if you scroll at the bottom of the form, you have a link to all vendors, and under each one what they consider their legitimate interest is. At least gdpr forced them into transparency, although it is so hidden and there are so many that probably 0.0000001% of people go and check

  • r00ty@kbin.life
    link
    fedilink
    arrow-up
    39
    ·
    5 months ago

    I always read this as “legitimate for them, and not for me” and untick it.

  • DessertStorms
    link
    fedilink
    arrow-up
    22
    ·
    edit-2
    5 months ago

    The “legitimate interests” are only legitimate for their and their advertisers data collecting, not your experience (never mind privacy and security). It’s just a scummy workaround to avoid regulation.

    Even so called “necessary” cookies are often bloated with shit that isn’t really necessary (and often leave out necessary functions from where they belong and include them in a separate “functionality” category, where they can pile on extra trackers, especially social media ones).

    The worst part is, that some “decline all” don’t decline these so called legitimate trackers, so I double check to make sure they are all deselected (sometimes it’s an “object to legitimate interests” other times you have to click through to the list and deselect them manually. If it’s one of the latter and it won’t let me deselect all at once, I leave the site. There isn’t any piece of information worth unticking hundreds of boxes for). (ETA: I’ve found that one of the worst offenders of this is fandom wiki sites, which is where breezewiki comes in and saves the day! If their search function doesn’t find what you’re looking for, try looking for the fandom you’re after + breezewiki on your search engine of choice and if it exists, it will come up)

    Never trust companies to have anything but their own interests in mind.

    • governorkeagan@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      17
      ·
      5 months ago

      I hate having to manually deselect all of the cookies/consent toggles, just to get to the end and they have the “accept all” look like the “confirm choice”.

      • M0RVB@lemmy.radio
        link
        fedilink
        arrow-up
        9
        ·
        5 months ago

        These days if a site does that I go elsewhere - the trouble is, I really want to shout at them to tell them why I am going somewhere else but there is rarely a useful contact to do so.

      • CatLikeLemming
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        One thing I’ve found to be useful is just having my browser clear all cookies upon closing. It’s initially annoying while you set up all your exceptions for commonly used sites so you don’t need to log in again there every time, but afterwards you don’t need to worry too much, because once you close your browser, all the useless cookies are gone.

    • Honytawk@lemmy.zip
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      Just like adblockers, the internet has become unusable without tracker blockers like Consent-O-Matic, which automatically declines everything.

      • DessertStorms
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        I’ve heard of those, but while I can see adblock working, if me just clicking “decline all” doesn’t actually decline the so called legitimate interests, I don’t quite trust that an extension doing it will, so for now I’d rather still make the call of whether I trust a site myself…

  • morgunkorn@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    8
    ·
    5 months ago

    This is a provision of the article 6 of the GDPR, which describes very broadly that you have to justify your legitimate interest with a fair reason to process user data. It is mostly there to allow for IT security, fraud prevention, but also marketing.

    Unfortunately, the way the regulation is written is quite imprecise and subject to interpretation. You can read this page, it will give you an insight on the possible interpretations:

    https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

    My understanding is that you have the choice between the following modes :

    • Consent = you allow for personalized data collection and ads integration can make use of any tracking information saved in your browser and on the servers of the third party provides
    • Legitimate interest = you allow for data collection without personalization, but the provider might still be context aware and provide for example ads based on broad information like your country, language etc
    • Nothing = you refuse any processing and connection to a third party server
    • governorkeagan@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      5 months ago

      How does legitimate interest work?

      Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

  • Mora@pawb.social
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    5 months ago

    I wish there were more lawyers who would deal with companies that do this kind of stuff.

    • vzq
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      2 months ago

      deleted by creator