– After Cookie consents became mandatory, some websites have suddenly added “legitimate interest” to their consent boxes, which are opt-out. What does “Legitimate interest” cover, and why is this allowed?


“Legitimate interest” is literally what is written in the actual law, so it’s hard to know what counts as legitimate and what not at this point in time. There will be lawsuits and court rulings that will make it clearer in the future, but for now, no one can say for sure.

There are cookies that are clearly needed for the page to work, like if you log in you need some kind of identification cookie.

Legitimate interest is one of the legal grounds for collecting and using personally identifiable information.

It’s also the least clearly defined. Here’s an explanation from the UK’s ICO:

* the processing is not required by law but is of a clear benefit to you or others;
* there’s a limited privacy impact on the individual;
* the individual should reasonably expect you to use their data in that way; and
* you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

Number 1 is pretty easy. #2 is not too hard. 3 and 4 are where it gets a bit slippery. So for example, in the Guardian website’s section on legitimate interest it says:

>We have a need to use your data for this processing purpose that is required for us to deliver services to you.

>* Personalised ads and content, ad and content measurement, audience insights and product development

with the option to opt out of this.

Now some questions: do most people reasonably expect their personal data to be used to provide personalised ads? This is particularly true if that data is being passed on to third parties, which is allowed by legitimate interest.

Are people unlikely to object to this processing? Given that this information and opt-out is in the same form as all their other cookie consents, is putting it on its own tab less “disruptive”? Is it not arguably more disruptive, making customers look at a second tab, rather than putting all the information in one place?

So yeah, things are open to debate, and the details of law and good practice on this will only be developed over time.

Under GDPR (data privacy law passed by the EU that went into effect in 2018), you must have a “Legal Basis” to process personal data. If you don’t have a Legal Basis, then processing the data is unlawful. The law defines six (6) possible Legal Bases.

Most of these are pretty rigid. Like “you are legally required to process this data by another law” (“Legal Requirement”). Or “literally someone will die if you don’t” (Vital Interest).

Two of them are basically “wildcard” legal bases that companies can use for processing that doesn’t fit into the very specific categories specified by the law. One of those, the most well-known, is “Consent,” i.e. the processing is lawful because the person said it was OK.

“Legitimate Interest” is the second “wildcard” legal basis. It basically means “we, the company, have decided there is a good reason to process this data, and it doesn’t invade the person’s privacy too much.” This covers a lot of legitimate data processing that isn’t explicitly authorized by law: things like fraud detection, load balancing, letting you stay logged in.

It also covers a lot of bullshit, since it’s so open-ended. Things like sending all of your data to Facebook. And there’s a middle-ground where some people think it’s a problem and others don’t, e.g. anonymous website telemetry, or personalized content recommendations (that doesn’t involve selling you out to Google or Facebook). Processing covered by Legitimate Interest is usually required to have an opt-out.

Note that cookies in particular cannot invoke Legitimate Interest, and companies that do that are Doing It Wrong. Cookies are governed by the ePrivacy Directive (PECR in the UK), which does *not* have a concept of Legitimate Interest.