by isthisnametaken 1914 days ago
Thing I keep seeing and don't understand is "Legitimate interest" as a separate thing to consent.

"You opted out of our cookies, but we're going to say we need them anyway, but you can still opt out of that".

It's somewhere between underhand and downright disturbing ("our interests override your lack of consent"? Eww)

5 comments

If legitimate interest is actually legitimate then there is no reason to allow an opt-out. They allow it because the truth is that it wouldn’t actually fall under legitimate interests.
According to the Finnish data protection ombudsman, the data subject has the right to object in the case of legitimate or public interest. The data subject does not have the right to object when the processing is based on a contract or legal obligations.

https://tietosuoja.fi/en/what-rights-do-data-subjects-have-i...

Objection itself may or may not stop the processing of data. Usually it should, but there are some situations where it would still be allowed (e.g. "a task in the public interest that requires scientific or historical research or the compilation of statistics")

https://tietosuoja.fi/en/controller-s-legitimate-interests

Now I don't know if there have been any decisions or not based on what kind of tracking would actually be legitimate interest (the text on the website is very ambiguous)

So if the site operator has a contract with someone to tell them all your data then you're out of luck?
It’s about time someone fined them a handsome amount for their deviousness.
Somebody told me about this the other day and it brightened my day a bit: https://www.enforcementtracker.com

Hint: columns are sortable.

This site has a 3 item slider at the very top of the page promoting recent? decisions. 2 of the 3 have the same number of lines of text. The third one has an additional line of text. Every time the 3rd one comes/goes, the entire page is shifted up/down to accommodate causing the page to have a very slow bounce. tsk tsk tsk
I am not impressed. I clicked on my country and the four most recent fines are: 600 (private indiv.), 150 (private indiv.), 100 (Bank), 0 (Post office).

I'm not opposed to GDPR. I just think it's ridiculous how they boasted about fines up to 20 million or 4% of annual worldwide revenue, and then we get an interpretation of "up to" that we otherwise only know from ISPs. I mean, a "fine" of 0 Euro, and 100 Euro for a bank? That is not how you make organisations respect user privacy.

At this rate we're going to have three different any% categories of this speedrun before we can hope for an announcement of a plan to tighten restrictions in an unspecified amount.

https://ico.org.uk/media/action-weve-taken/mpns/2618524/marr...

Here's Marriott being fined over €20m because they decided to save money by not having a secure computer system.

Sort by fine size ;-)

Just because your country doesn't take advantage of the new tool doesn't mean it isn't useful.

I disagree, every company on the top fines list has more money in proportion to the fine than the examples the parent comment gave, except maybe the bank. These fines are so tiny no one will ever care about user privacy or data security.
> If legitimate interest is actually legitimate then there is no reason to allow an opt-out.

No, that would be necessary interest; that's case (b) of the processing grounds [1] of Article 6 GDPR.

Legitimate interest is case (f). Basically, processing that is not strictly necessary, but beneficial to the processor.

[1] https://gdpr-info.eu/art-6-gdpr/

Isn't it still supposed to be opt-in? Seems strange to allow the data processor to define what is legitimate interest, and then bypass the otherwise clear requirement of opt-in and informed consent?
If you invoke Legitimate Interest, you do not need consent (assuming your Legitimate Interest is valid). There are many common misunderstandings of GDPR, and one of them is that consent is always required. It is not.

To process data under GDPR, you need a Legal Basis. Consent is one Legal Basis. Legitimate Interest is a different Legal Basis. There are four others.

Consent is opt-in. That's the defining feature of Consent as a Legal Basis, since that's what "consent" means. It can also be revoked.

Legitimate Interest is opt-out, as is Public Interest.

If your Legal Basis is one of the other three, then there isn't even an opt-out requirement. Which makes sense, because those cover essential or non-optional processing: Legal requirements (e.g. retaining credit card records), processing necessary to perform a contract the Data Subject has signed, and "Vital Interests" which means "literally life-or-death situation."

Note that cookies are regulated by the ePrivacy Directive in addition to GDPR. The ePD requires consent for cookies and does not have a concept of Legitimate Interest. If a company invokes Legitimate Interests for their cookies, they are Doing It Wrong.

I see. Thanks for the clarification.

What you describe makes sense, but the way it's implemented everywhere seems like a complete breach of GDPR. If I understand it correctly, "legitimate interest" would be the processing of data necessary to perform the service in question, and the user must be properly informed of its extent?

If I can turn the "legitimate interest" options off, and the service / product remains the same, then... isn't that a clear indication that the grounds for it being "legitimate" don't hold up? For example, I'd consider a service feedback functionality to be "legitimate interest". It's obvious that for it to work, there is a legitimate interest for processing the data transmitted.

Legitimate interest is very broad and very vague. It's the "wild card" Legal Basis, basically used to cover all of the cases that the law didn't explicitly address. The legal requirements are more-or-less "the company has a good reason, and the privacy impact is minimal." The validity of the good reason or minimal privacy impact are subject to regulatory review, but companies are trusted to make this decision on their own until a regulator gets involved.

A company can also decline opt-out if they have an "Overriding Legitimate Interest." This is true regardless of whether the original legal basis was Legitimate Interest or Consent. However the company must restrict processing only to that particular overriding interest.

"Fraud Detection" is the canonical example of an (Overriding) Legitimate Interest. To my knowledge, that's the only example that's actually given in the text of GDPR itself. Telemetry is generally believed to be another example, and in that case it's probably not Overriding.

Processing necessary to provide a service is kind of weird. If the service is part of a contract, then you use Performance of Contract as your Legal Basis. But if the use of the service doesn't actually form a contract, then you can't use that Legal Basis and have to use either Consent or Legitimate Interest. There are arguments for and against either.

Legitimate interest can be opt-out but it’s definitely a dark pattern presenting the same processing under both options. It should be either one or the other.
It's not just a dark pattern, it's straight-up non-compliant.

Article 7 "Conditions for Consent," paragraph 2:

> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters[...]

https://gdpr-info.eu/art-7-gdpr/

Most regulators have taken this to mean that requests for consent must be distinguished even from other notices required by GDPR. I.e. it must be a separate request from the Privacy Notice itself.

I have always wondered how a site is allowed to offer you an opt-in for anything that doesn't fall under legitimate interest. It would be driven by an illegitimate interest by assumption.
When using a legitimate interest (opt-out) as a legal basis, the interest must be both legitimate AND outweigh the data subject's rights and freedoms. This requires a balancing test between the various factors to be performed first.

Similarly, you can't just legitimize anything with consent (opt-in) – the consent must be valid, and of course can't override more specific laws. You can't consent to something illegal.

So no, failing to use legitimate interest doesn't mean it's illegitimate or that consent could always be used. It could also mean that the balancing test failed, or that laws prescribe a different legal basis. E.g. the “cookie law” prescribes consent for non-necessary cookies and similar technologies.

It becomes clearer if you look at it in terms of core business. So yes, they can collect X and Y because that's their core business and directly related to the product.

When it's for marketing, telemetry or similar purposes, it's tangential data, which need not be illegal or immoral to be an "illegitimate" interest. It becomes more of a dark pattern when they present a selectable option for "legitimate interests" - at best malicious compliance. They might think it's legitimate because it makes them money?

Similarly in the vein of malicious compliance is offering a cookie consent banner. As far as I know, they only need to do that if they're tracking you or storing TMI/PII. Worse is, it works, too, because now everyone is complaining about the law and not the companies engaging in these dark patterns.

A legitimate interest is a use of personal information that is needed to fulfill a service. This would be something like a session cookie for storing the contents of a shopping cart, a site's preferences, or login information. Using a cookie is the only way to provide that, and the user is basically implicitly asking for something to be stored. It would be silly to have consent checkboxes like "before you can shop with us we need your permission to register what you want to buy" or "you give us permission to share your address details with the delivery company so they can actually deliver stuff to you".
Annoyingly, legitimate interest covers more than that - it also covers opt-in-by-default to direct marketing. Yes, if a customer registers an account or makes a purchase, you can opt them in by default on the basis of "legitimate" interest[0].

[0] https://ico.org.uk/for-organisations/data-protection-advice-...

Yeah, the problem with "legitimate interests" is they're being used for "build a marketing profile of you" and "send you targeted advertisements" anyway, with the excuse that they're interested in doing that as the basis of their business.
I'm not saying I agree with it, but just for the sake of playing devil's advocate - what if the business legitimately makes its revenue by serving ad content on its site to its users?
What if a business legitimately makes its revenue by polluting the air around it?

Maybe that business should fail.

This seems like a respectable position as long as you don't ever complain about paywalls, geographical blocks, or the quality of journalism.

Seems like many commenters want the businesses to both fail and provide them with expensively produced content for free.

Journalism survived quite well before a few companies started following every one of our steps and selling dossiers around.

In fact, its quality was better, and they did live mostly on advertisement.

Then it needs a new business model.
> A legitimate interest is a use of personal information that is needed to fulfill a service.

No, it's not. If you need it to fulfill a service, then you are covered by (b) of Article 6 GDPR I cited earlier:

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Legitimate interest under (f) would be something that is not strictly needed to provide the service but (1) beneficial to the processor and (2) does not unduly negatively affect the data subject.

> Thing I keep seeing and don't understand is "Legitimate interest" as a separate thing to consent.

I think it's like this:

Legitimate interest means you've signed up to use the product. It then is assumed that you understand that by signing up/logging in/buying something that you want to be tracked and known (otherwise, how will they know you are the same person who signed up just now?).

Consent doesn't require you to sign up for anything, just click "OK".

But as a result, if you have Legitimate Interest, then companies don't need to ask your permission to track you.

I guess we should ask the EU MPs who included this loophole in the GDPR law.

„Processing shall be lawful only if and to the extent that at least one of the following:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.“

This "loophole" is necessary to allow certain use cases not to need a banner or opt-in at all. E.g. if I want to buy something online, the shop has to know my address to ship me something. It shouldn't have to ask to use it for that use case. OTOH, if it does not ship me anything and still asks me for an address, that would not be legitimate interest anymore, except it can argue for it (e.g. needs the address for the invoice).

I would argue that this loophole is for convenience and was not a hot topic anywhere. How it is used now however is a different thing.

> This "loophole" is necessary to allow certain usecases not to need a banner or opt-in at all.

This use-case was already covered by letter b) of the same Article 6.

„b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;“

The problem is that not having the legitimate interests clause in there potentially causes far more problems - suddenly the law has to enumerate what all the purposes for data processing might be, and new purposes are illegal by default. That would have produced even more HN outrage about GDPR.
That's what consent is for. GDPR allows tracking with user consent (letter a) of article 6). No need to enumerate all the purposes in the law. The problem is that the GDPR allows companies to hide tracking behind the concept of legitimate interest, and behind 1 million checkboxes that users now have to click in order to opt-out of tracking.
That's unrelated, except the fraudsters designing the cookie popups borrow the term "legitimate interest" from GDPR in order to confuse the users.
That term is already confusing and not unrelated at all. It's an actual loophole which enables those abuses.
"Legitimate interest" is a euphemism for "it makes us money".