by lmkg
1918 days ago
If you invoke Legitimate Interest, you do not need consent (assuming your Legitimate Interest is valid). There are many common misunderstandings of GDPR, and one of them is that consent is always required. It is not. To process data under GDPR, you need a Legal Basis. Consent is one Legal Basis. Legitimate Interest is a different Legal Basis. There are four others. Consent is opt-in. That's the defining feature of Consent as a Legal Basis, since that's what "consent" means. It can also be revoked. Legitimate Interest is opt-out, as is Public Interest. If your Legal Basis is one of the other three, then there isn't even an opt-out requirement. That makes sense, because those cover essential or non-optional processing: legal requirements (e.g. retaining credit card records), processing necessary to perform a contract the Data Subject has signed, and "Vital Interests", which means "literally life-or-death situation." Note that cookies are regulated by the ePrivacy Directive in addition to GDPR. The ePD requires consent for cookies and does not have a concept of Legitimate Interest. If a company invokes Legitimate Interests for their cookies, they are Doing It Wrong.
What you describe makes sense, but the way it's implemented everywhere seems like a complete breach of GDPR. If I understand it correctly, "legitimate interest" would be the processing of data necessary to perform the service in question, the extent of which must be properly disclosed?
If I can turn the "legitimate interest" options off and the service / product remains the same, then... isn't that a clear indication that the grounds for it being "legitimate" don't hold up? For example, I'd consider a service feedback functionality to be "legitimate interest". It's obvious that for it to work, there is a legitimate interest in processing the data transmitted.