How would a company decide that something should be “legitimate interest” vs “consent”?
EDIT: Definition of “Legitimate Interest”, when hovering over the question mark.
How does legitimate interest work?
Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.
Nothing. Having a toggle for “legitimate interest” is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are “legitimate interests”. Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.
Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won’t hold up in court.
The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your “accept” and “reject” buttons a different font size is explicitly not allowed.