How would a company decide that something should be “legitimate interest” vs “consent”?

EDIT: Definition of “Legitimate Interest”, when hovering over the question mark.

How does legitimate interest work?

Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

  • Doxin@pawb.social
    link
    fedilink
    arrow-up
    156
    arrow-down
    4
    ·
    5 months ago

    Nothing. Having a toggle for “legitimate interest” is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are “legitimate interests”. Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.

    Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won’t hold up in court.

    The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your “accept” and “reject” buttons a different font size is explicitly not allowed.

    • I Cast Fist@programming.dev
      link
      fedilink
      arrow-up
      24
      ·
      5 months ago

      Does the GDPR have anything on button colors? Because what I see more often is the “accept all” button visually distinct, while the “reject” or “confirm” button being very muted, almost blending with the background

      • Doxin@pawb.social
        link
        fedilink
        arrow-up
        18
        ·
        5 months ago

        Sliiightly more debatable, but you’re not supposed to emphasize one over the other iirc. Go read the GDPR, for legalese it’s surprisingly readable.

      • Honytawk@lemmy.zip
        link
        fedilink
        arrow-up
        8
        ·
        5 months ago

        Yes

        Declining needs to be as easy as accepting. So if one button is bigger or is easier to spot (like a different colour or font) then it isn’t compliant with GDPR.

    • sznowicki@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      5 months ago

      It may not be a pure nonsense. It might be that according to GDPR the company is eligible for some data use but according to telecommunication law needs still consent to even send this data.

      Example: company X analyses their traffic on the backend by aggregating logs per user in a anonymised way because they want to know how many users in a given country uses their product Y. They can do it without any consent as the data is in their system anyway and it is a legitimate interest to know facts about their own product.

      Now they want to enrich this by tracking whether the user clicked a homepage banner or a footer link in order to open that product page. This tracking is made on the browser with javascript by sending an AJAX request with a click event. This is still valid for GDPR but not for telecom law that says (German example from TTDSG) you’re not allowed to send anything from a user device unless it’s required for service or you have consent.

      Then this kind of consent would make sense.

      In the OP example I go with bullshit though. It’s most likely pretending to be compliant while breaking the law.