What do cookie warnings mean by "Legitimate Interest"?

internet cookies

I've had to decline/accept cookies for a while now. But something I've noticed on a handful of websites are now suggesting that the cookies have 'legitimate interest'? I have a legitimate interest in IRL cookies I can eat, but I do not know what it means for a website to share that interest for internet cookies?

What's more interesting/puzzling whereas most websites have all cookies opted out (where possible), the ones that do suggest 'legitimate interest' are always switched on.

What do these settings mean for me? Can I allow them, or should I have them all switched off as I do with other non-essential cookies?


Legitimate interest is a legal term from GDPR. You should read the GDPR to get a detailed explantion what it is :), but in short it's any legal reason that justifies the need to process your personal data by the site. For example, if you order something from an Internet shop, the shop's legitimate interest to process your data is the need to complete your order.

However, the legitimate interest concept is often abused by sites and they list for example tracking users in order to "protect from fraud" as legitimate interest. If there is an option to turn this off, turn off whatever possible. If there is something that is really needed for the site to function, you won't be able to turn that off :)


Under GDPR there are 6 grounds based on which anybody can process personal data. Those are:

  • Consent

    You explicitly agreeing to it. This needs to be opt-in, informed, specific and freely given, but also gives the greatest freedom to a company.

  • Contract

    This is the basis which raj's answer confused with legitimate interests. This is the processing that is required to fulfil a contractual obligation (note that contracts do not always need to be signed, e.g. an order from an eshop).

    need to process someone’s personal data:

    • to deliver a contractual service to them; or
    • because they have asked you to do something before entering into a contract (eg provide a quote).

             Source: ico.org.uk

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

    Legitimate interests are the most flexible lawful basis for processing personal data. In the words of the UK's ICO 1:

    It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

             Source: ico.org.uk (worth reading!!!)

    The underlying text from the GDPR itself (definitions and links added are mine)

    processing is necessary for the purposes [=a specific minimal type of processing] of the legitimate interests pursued by the controller [=the company wanting to process your data] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [=you] which require protection of personal data, in particular where the data subject is a child.

             Source: GDPR Article 6(1f)

    So basically a legitimate interest claim by a company is them saying 'we are convinced that our interest outweigh the negligible impact on the privacy of the people whose data we process'. This doesn't give them a free pass though, as GDPR also gives the right to object

    The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point [public interest] or [legitimate interest] of Article 6(1), including profiling based on those provisions.

             Source: GDPR Article 21(1)

    Which then require the company to either concede and stop the processing or justify their claim. Companies in practise have taken this to mean they can basically just do a bunch of processing and as long as they make the objection process (=opt-out) easy enough the theory is that they will get away with it.

Notes:

1 The UK left the EU, but they still have by far the best English language resource explaining GDPR and for the time being "UK GDPR" matches "EU GDPR" one on one as far as I am aware.

Related

Screen recording without third-party software on Windows 7?
iTerm2 (version 3): Individual history per tab?
How do you configure a Windows machine for a Linux user? [closed]
tmux copy mode - select text block
How to install Autoconf, Automake and related tools on Mac OS X from source?
What is "Ticino" in my Windows 7 Explorer context menu?
How do I make an existing animated GIF loop repeatedly?
Can't rename a file the name of which starts with a hyphen
Why is my dual-core CPU recognized as a quad-core one?
Permanently highlight all occurrences of text in Notepad++?
How can I quickly open a mobile view of a page in a desktop browser?
Window in focus doesn't minimize when I click on its icon in the taskbar (Windows 10)