How would a company decide that something should be “legitimate interest” vs “consent”?

EDIT: Definition of “Legitimate Interest”, when hovering over the question mark.

How does legitimate interest work?

Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

  • Doxin@pawb.social
    link
    fedilink
    arrow-up
    3
    ·
    4 months ago

    Nothing. Having a toggle for “legitimate interest” is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are “legitimate interests”. Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.

    Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won’t hold up in court.

    The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your “accept” and “reject” buttons a different font size is explicitly not allowed.

    • I Cast Fist@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      Does the GDPR have anything on button colors? Because what I see more often is the “accept all” button visually distinct, while the “reject” or “confirm” button being very muted, almost blending with the background

      • Doxin@pawb.social
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Sliiightly more debatable, but you’re not supposed to emphasize one over the other iirc. Go read the GDPR, for legalese it’s surprisingly readable.

      • Honytawk@lemmy.zip
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Yes

        Declining needs to be as easy as accepting. So if one button is bigger or is easier to spot (like a different colour or font) then it isn’t compliant with GDPR.

    • sznowicki@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      It may not be a pure nonsense. It might be that according to GDPR the company is eligible for some data use but according to telecommunication law needs still consent to even send this data.

      Example: company X analyses their traffic on the backend by aggregating logs per user in a anonymised way because they want to know how many users in a given country uses their product Y. They can do it without any consent as the data is in their system anyway and it is a legitimate interest to know facts about their own product.

      Now they want to enrich this by tracking whether the user clicked a homepage banner or a footer link in order to open that product page. This tracking is made on the browser with javascript by sending an AJAX request with a click event. This is still valid for GDPR but not for telecom law that says (German example from TTDSG) you’re not allowed to send anything from a user device unless it’s required for service or you have consent.

      Then this kind of consent would make sense.

      In the OP example I go with bullshit though. It’s most likely pretending to be compliant while breaking the law.

      • mecfs@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        My life is so much better ever since I’ve added an extension that auto rejects cookies

  • BeatTakeshi@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    Nothing, but if you scroll at the bottom of the form, you have a link to all vendors, and under each one what they consider their legitimate interest is. At least gdpr forced them into transparency, although it is so hidden and there are so many that probably 0.0000001% of people go and check

  • hemko@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Copypasting here answer to similar question in superuser.com

    https://superuser.com/a/1624773

    Under GDPR there are 6 grounds based on which anybody can process personal data. Those are:

    • Consent

      You explicitly agreeing to it. This needs to be opt-in, informed, specific and freely given, but also gives the greatest freedom to a company.

    • Contract

      This is the basis which raj’s answer confused with legitimate interests. This is the processing that is required to fulfil a contractual obligation (note that contracts do not always need to be signed, e.g. an order from an eshop).

      need to process someone’s personal data:

      • to deliver a contractual service to them; or
      • because they have asked you to do something before entering into a contract (eg provide a quote).

      Source: ico.org.uk

    • Legal obligation

    • Vital interests

    • Public task

    • Legitimate interests

      Legitimate interests are the most flexible lawful basis for processing personal data. In the words of the UK’s ICO 1:

      It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

      Source: ico.org.uk (worth reading!!!)

      The underlying text from the GDPR itself (definitions and links added are mine)

      processing is necessary for the purposes [=a specific minimal type of processing] of the legitimate interests pursued by the controller [=the company wanting to process your data] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [=you] which require protection of personal data, in particular where the data subject is a child.

      Source: GDPR Article 6(1f)

      So basically a legitimate interest claim by a company is them saying ‘we are convinced that our interest outweigh the negligible impact on the privacy of the people whose data we process’. This doesn’t give them a free pass though, as GDPR also gives the right to object

      The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point [public interest] or [legitimate interest] of Article 6(1), including profiling based on those provisions.

      Source: GDPR Article 21(1)

      Which then require the company to either concede and stop the processing or justify their claim. Companies in practise have taken this to mean they can basically just do a bunch of processing and as long as they make the objection process (=opt-out) easy enough the theory is that they will get away with it.

    Notes:

    1 The UK left the EU, but they still have by far the best English language resource explaining GDPR and for the time being “UK GDPR” matches “EU GDPR” one on one as far as I am aware

    • governorkeagan@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Thanks for the explanation!

      Legitimate interest makes complete sense with something like an online shop, but trying to read a news article/blog post, do I really need to have 100s of vendors claiming “legitimate interest”?