this post was submitted on 18 Sep 2023
52 points (96.4% liked)

Explain Like I'm Five

14220 readers
4 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
52
ELI5: Legitimate-interest cookies (kbin.social)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
24 comments fedilink hide all child comments
 

So almost every GDPR cookie consent banner out there has a section for "legitimate interest" cookies that they can leave on by default and you will inadvertently accept even if you choose "Reject all" unless you go to the detailed settings and disabled those too.
Some of them have dozens of legitimate-interest cookies.
I read some articles about what they are and why it is allowed to keep them on by default, but they were very vague. So can someone explain it to me like I am five?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 16 points 1 year ago* (last edited 1 year ago) (2 children)

Yeah, it absolutely is vague. I had reason to read some GDPR stuff a while back - that phrasing is just lifted from there. Article 6 is about what reasons you could have to store private info. 1f is, apparently... yeah, you're just "legitimately" interested. Wonder what that means? So do I.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.)

[–] [email protected] 4 points 1 year ago (1 children)

Nice, this is also what I found. More from the GDPR website but still vague.

There are 2 more questions it sounds like OP is asking -

  • Why are Legitimate cookies allowed to be defaulted on?
  • Why are they allowed to be hidden in a different menu?

I didn't see any answers to these questions in my quick read-through. Nothing about default settings on the GDPR website and the menu thing sounds like obfuscation. Now whether it's to make the cookie menu more user friendly or gather more data for the company... or both? Don't know. The GDPR website does mention that

The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job.

So maybe the legal side for this is still in the works.

[–] [email protected] 1 points 1 year ago (1 children)

It's extra weird because by definition, whatever they thought "legitimate interest" really meant, they wouldn't need your consent for. That's a different letter or clause or whatever.

[–] [email protected] 4 points 1 year ago (1 children)

Sounds like a loophole to make unnecessary cookies bypass the opt-out choice.

[–] [email protected] 1 points 1 year ago (4 children)

OK, so all the explanations I saw were vague because the law itself was vague. That looks quite like a loophole to have passed!

[–] [email protected] 5 points 1 year ago

The rule itself is not a loophole.

To use legitimate interest as a reason to process data you need you be able to argue that you do actually have a good reason to do so and that the user would expect you to process it.

For example, I think that websites have a legitimate interest in anonymously tracking your browser behaviour to analyse performance data and errors so that they can improve their app.

The loophole is that advertisers use it to process way too much data (when they are pretty much the reason for the bloody law in the first place) and that nothing is done about it.

[–] [email protected] 3 points 1 year ago

I know right? Now, I'm not a lawyer, but it seems interesting because of what it isn't. 1a through e are consent, needed for business, legal obligation, (your) vital interests or another being, or public interest/authority.

So after all that, you have to figure... what legitimacy's left?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

GDPR is pretty airtight in general, so I'm guessing we're missing something.

Edit: Hmm, it looks like the definition is left up to the courts of individual countries. That's not great.

[–] [email protected] -1 points 1 year ago

Just a reminder that there's never such a thing as "a loophole". What there is is a carefully-worded, innocuous-sounding phrase that some corporation "helpfully" got added to a law or regulation (usually "for clarity"), and which the corporation already plans to mis-use in a given way should the appropriate circumstances arise (and in contradiction of all "we should never do that!" protestations they might make prior to the law or regulation taking effect).

Again, there is no such thing as "a loophole".