How would a company decide that something should be “legitimate interest” vs “consent”?
EDIT: Definition of “Legitimate Interest”, when hovering over the question mark.
How does legitimate interest work?
Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.
Nothing. Having a toggle for “legitimate interest” is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are “legitimate interests”. Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.
Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won’t hold up in court.
The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your “accept” and “reject” buttons a different font size is explicitly not allowed.
Does the GDPR have anything on button colors? Because what I see more often is the “accept all” button visually distinct, while the “reject” or “confirm” button being very muted, almost blending with the background
Sliiightly more debatable, but you’re not supposed to emphasize one over the other iirc. Go read the GDPR, for legalese it’s surprisingly readable.
Yes
Declining needs to be as easy as accepting. So if one button is bigger or is easier to spot (like a different colour or font) then it isn’t compliant with GDPR.
It may not be a pure nonsense. It might be that according to GDPR the company is eligible for some data use but according to telecommunication law needs still consent to even send this data.
Example: company X analyses their traffic on the backend by aggregating logs per user in a anonymised way because they want to know how many users in a given country uses their product Y. They can do it without any consent as the data is in their system anyway and it is a legitimate interest to know facts about their own product.
Now they want to enrich this by tracking whether the user clicked a homepage banner or a footer link in order to open that product page. This tracking is made on the browser with javascript by sending an AJAX request with a click event. This is still valid for GDPR but not for telecom law that says (German example from TTDSG) you’re not allowed to send anything from a user device unless it’s required for service or you have consent.
Then this kind of consent would make sense.
In the OP example I go with bullshit though. It’s most likely pretending to be compliant while breaking the law.
My life is so much better ever since I’ve added an extension that auto rejects cookies
I use Consent-o-matic.