[etripe]

It becomes clearer if you look at it in terms of core business. So yes, they can collect X and Y because that's their core business and directly related to the product.

When it's for marketing, telemetry or similar purposes, it's tangential data, which need not be illegal or immoral to be an "illegitimate" interest. It becomes more of a dark pattern when they present a selectable option for "legitimate interests" - at best malicious compliance. They might think it's legitimate because it makes them money?

Similarly in the vein of malicious compliance is offering a cookie consent banner. As far as I know, they only need to do that if they're tracking you or storing TMI/PII. Worse is, it works, too, because now everyone is complaining about the law and not the companies engaging in these dark patterns.