It’s one of the conditions in the GDPR which *does* allow a company to store personal information on their users.
You’re allowed to do so if you have a “legitimate interest” in doing so. That is, if you couldn’t provide the service you’re providing otherwise.
For example, a website might use a cookie to track when you’re logged in. If they couldn’t do that the website wouldn’t work. So they have a legitimate interest in storing *that* cookie on your computer, and are therefore allowed to do so without asking for your consent.
Rewriting a previous answer of mine on this question a bit.
“Legitimate interest” is one of the justifications for holding and using data under the General Data Protection Regulations. It’s probably the most vaguely defined.
I’d describe it as things that are reasonable for an organisation to do in connection with whatever they’re doing for the data subject. These should be things that people would generally expect, and that have limited impact on them.
For example, my company runs customer satisfaction surveys using legitimate interest as a basis. They have a reasonable purpose – improving product and service – they don’t have any significant impact on customers, and they’re the sort of thing people would expect a company to do.
To pick an internet example, here’s a bit from Tumblr’s privacy & cookies options. Note that they have a tickbox for consent (one ground for data processing) and another for legitimate interest (another ground for data processing):
>Select basic ads (on/off)
>A profile can be built about you and your interests to show you personalised ads that are relevant to you.
>Learn More (link)
>Some of your personal data may still be processed, even if you deselect this purpose, if we or our partners believe we have a legitimate interest in doing so. You can object to this legitimate interest processing using the corresponding toggle.
>Legitimate Interest: (on/off)
So Tumblr would presumably say that creating a profile to show personalised ads is fundamental to their business model, it’s something that most people expect of websites, and it has little impact on people. Which might well be true.
*That said*, the trend for websites to give you options for “consent” and “legitimate interest” is absolute bullshit, and solely there to make it harder to opt out. Because why would anyone ever say “I don’t give you permission to do this based on consent, but you can still do it based on legitimate interest”? There’s an extra layer of bullshit in the above example because they say “you can opt out, but we might still do it unless you double opt-out, however we’re not going to tell you what the difference is.”
I’d go so far as to say it’s probably against the law; at the very least it’s against the spirit of the law.