Reject cannot be collected: How sites track you even after you refuse cookies

Tomcat

"Legitimate interest" is a loophole for collecting your data without consent.

Many Internet users face intrusive banners about their consent to the use of cookies. It would seem that by clicking the opt-out button, you are protecting your privacy. However, the reality is much more complicated: even after a refusal, sites continue to track your data, justifying this with "legitimate interests".

Following the entry into force of privacy laws, websites began actively requesting consent to the use of cookies for tracking and storing user data. But do we really have a choice?

An experiment was conducted: several dozen random sites were opened in a fresh browser. Despite repeated refusals and settings changes, each site saved dozens of cookies. This is especially noticeable on American websites, where there is often no choice but to agree.


Many websites claim to have "legitimate interests" that allow them to track data such as IP addresses, device characteristics, device IDs, browsing and interaction data, location, and user profiles. These "legitimate interests" are used for various purposes: personalized advertising, measuring the effectiveness of advertising or content, understanding the audience, and improving services.

Experts interviewed by Cybernews claim that the sites are abusing "legitimate interests" for extensive tracking, despite user opt-outs. Not all sites allow you to challenge "legitimate interests" in the settings – some require you to accept some or all of the trackers from dozens of vendors. The justifications range from ensuring security to preventing fraud.


Some sites complicate the opt-out process by hiding options deep in the settings and requiring you to manually disable trackers for each provider.


Legitimate interests are often interpreted too broadly. Industry experts point out that "legitimate interests" derive from the GDPR and relate to cases where a user may expect their data to be processed for specific purposes, such as fraud prevention or cybersecurity.

Marketing can also be a legitimate interest if the use of data is not surprising to people. Companies tend to collect as much data as possible, because it can be sold.

When it comes to cookies, the legal framework allows companies to collect and process user data without explicit consent. The company believes that it has a good reason for using your data, such as to improve services, marketing, or security, which outweighs the potential impact on your privacy. However, organizations must balance their interests with your rights and provide clear information about how the collected data is used.

Many companies use this as a loophole for data collection, violating the basic principle of the GDPR, which requires obtaining the user's consent to data processing. Some sites openly state that data collection is necessary to avoid requesting user consent. This action creates a gray area. However, it is almost impossible to prove what is necessary and what is not, even in court.

Users should be careful, as extensive data collection can lead to the identification of people and the global dissemination of information that they would prefer to keep secret. The European Data Protection Council is calling for improvements to "deceptive cookie banners" so that users have a real choice.

In Germany, courts are tightening the requirements for such banners based on the concept of "genuine choice". The Cologne Higher Regional Court clarified that users should be given a real choice – whether to accept the processing of cookies or not.

The collected data can be used to create detailed user profiles, which violates their privacy and creates security risks. In addition, the collected data is often shared with third parties, which increases the likelihood of unauthorized access or data leaks.

Experts note that it is easy for site owners to get confused by complex rules, and many may not know when to rely on legitimate interests. The Cookie Law requires consent not only for the use of cookies, but also for similar technologies, such as pixels embedded in emails. The basic rule is that if cookies are not necessary, then consent is required.

The GDPR adds additional requirements, which further confuses users. As a result, if a site uses cookies to track users, it can theoretically rely on legitimate interests, but at the same time it must obtain consent for the installation of cookies itself.

Experts recommend:
  • use browser extensions that block trackers;
  • use a VPN to hide your real IP address and location;
  • when installing a new app, always grant the minimum necessary permissions for it to work;
  • use DNS filtering tools to prevent trackers from loading.

Remember that the best way to protect yourself is to assume that your data will inevitably be disclosed, and provide the minimum necessary personal information.

Therefore, it is important that regulators continue to work to improve the situation with cookie consent in order to protect users' rights and ensure transparency in data use.
 