After Cookie consents became mandatory, some websites have suddenly added “legitimate interest” to their consent boxes, which are opt-out. What does “Legitimate interest” cover, and why is this allowed?




3 Answers

Anonymous

Under GDPR (data privacy law passed by the EU that went into effect in 2018), you must have a “Legal Basis” to process personal data. If you don’t have a Legal Basis, then processing the data is unlawful. The law defines six (6) possible Legal Bases.

Most of these are pretty rigid. Like “you are legally required to process this data by another law” (“Legal Requirement”). Or “literally someone will die if you don’t” (“Vital Interest”).

Two of them are basically “wildcard” legal bases that companies can use for processing that doesn’t fit into the very specific categories specified by the law. One of those, the most well-known, is “Consent,” i.e. the processing is lawful because the person said it was OK.

“Legitimate Interest” is the second “wildcard” legal basis. It basically means “we, the company, have decided there is a good reason to process this data, and it doesn’t invade the person’s privacy too much.” This covers a lot of legitimate data processing that isn’t explicitly authorized by law: things like fraud detection, load balancing, letting you stay logged in.

It also covers a lot of bullshit, since it’s so open-ended. Things like sending all of your data to Facebook. And there’s a middle-ground where some people think it’s a problem and others don’t, e.g. anonymous website telemetry, or personalized content recommendations (that don’t involve selling you out to Google or Facebook). Processing covered by Legitimate Interest is usually required to have an opt-out.

Note that cookies in particular cannot invoke Legitimate Interest, and companies that do that are Doing It Wrong. Cookies are governed by the ePrivacy Directive (PECR in the UK), which does *not* have a concept of Legitimate Interest.
