Isn't it still supposed to be opt-in? Seems strange to allow the data processor to define what is legitimate interest, and then bypass the otherwise clear requirement of opt-in and informed consent?
If you invoke Legitimate Interest, you do not need consent (assuming your Legitimate Interest is valid). There are many common misunderstandings of GDPR, and one of them is that consent is always required. It is not.
To process data under GDPR, you need a Legal Basis. Consent is one Legal Basis. Legitimate Interest is a different Legal Basis. There are four others.
Consent is opt-in. That's the defining feature of Consent as a Legal basis, since that's what "consent" means. It can also be revoked.
Legitimate Interest is opt-out, as is Public Interest.
If your Legal Basis is one of the other three, then there isn't even an opt-out requirement. Which makes sense, because those cover essential or non-optional processing: Legal requirements (e.g. retaining credit card records), processing necessary to perform a contract the Data Subject has signed, and "Vital Interests" which means "literally life-or-death situation."
Note that cookies are regulated by the ePrivacy Directive in addition to GDPR. The ePD requires consent for cookies and does not have a concept of Legitimate Interest. If a company invokes Legitimate Interests for their cookies, they are Doing It Wrong.
What you describe makes sense, but the way it's implemented everywhere seems like a complete breach of GDPR. If I understand it correctly, "legitimate interest" would be the processing of data necessary to perform the service in question, the extent of which must be properly informed?
If I can turn the "legitimate interest" options off, and the service / product remains the same, then... isn't that a clear indication that the grounds for it being "legitimate" don't hold up? For example, I'd consider a service feedback functionality to be "legitimate interest". It's obvious that for it to work, there is a legitimate interest for processing the data transmitted.
Legitimate interest is very broad and very vague. It's the "wild card" Legal Basis, basically used to cover all of the cases that the law didn't explicitly address. The legal requirements are more-or-less "the company has a good reason, and the privacy impact is minimal." The validity of the good reason or minimal privacy impact are subject to regulatory review, but companies are trusted to make this decision on their own until a regulator gets involved.
A company can also decline opt-out if they have an "Overriding Legitimate Interest." This is true regardless of whether the original legal basis was Legitimate Interest or Consent. However, the company must restrict processing only to that particular overriding interest.
"Fraud Detection" is the canonical example of an (Overriding) Legitimate Interest. To my knowledge, that's the only example that's actually given in the text of GDPR itself. Telemetry is generally believed to be another example, and in that case it's probably not Overriding.
Processing necessary to provide a service is kind of weird. If the service is part of a contract, then you use Performance of Contract as your Legal Basis. But if the use of the service doesn't actually form a contract, then you can't use that Legal Basis and have to use either Consent or Legitimate Interest. There are arguments for and against either.
Legitimate interest can be opt-out but it’s definitely a dark pattern presenting the same processing under both options. It should be either one or the other.
It's not just a dark pattern, it's straight-up non-compliant.
Article 7 "Conditions for Consent," paragraph 2:
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters[...]
Most regulators have taken this to mean that requests for consent must be distinguished even from other notices required by GDPR. I.e. it must be a separate request from the Privacy Notice itself.