by hnbad 1566 days ago
GDPR did mandate defaulting all of those toggles to "decline" though, even though some are trying to get clever and add additional toggles for "legitimate interest" (which isn't how that works legally but AFAIK nobody has been sued over that yet).

The follow-up privacy legislation also bans the current dark pattern of making the "accept all" button more prominent and obvious than "decline all", at least requiring both to be equally prominent. The flow of having to go through "manage" or "see options" or other shenanigans as links in order to decline all has always been in violation of the GDPR and could theoretically open you up to the fines as it demonstrates intent.


Legitimate Interest is a separate Legal Basis.
Yeah but providing an opt-out toggle for "legitimate interest" is a good indicator that the interest is actually not legitimate enough to require manual opt-out. And in practice I've seen it mostly used as a gotcha to make it harder to opt out of every single advertising partner individually.

"But we want to show you ads to finance our website and our advertising partners want to abuse your privacy" is not a legitimate interest.

This gets back to GP's point about GDPR vs ePrivacy Directive. Legitimate Interest is a separate Legal Basis under GDPR (and does in fact allow opt-out). But the ePrivacy Directive does not recognize Legitimate Interest. You cannot use Legitimate Interest as a basis for making a cookie opt-out.