this post was submitted on 25 Sep 2023
75 points (98.7% liked)
Asklemmy
43856 readers
2267 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There is necessary data processing. This is like the server knowing your IP address. Whilst the IP is personal data, it is required for network communication to work, and the server needs to know where to send the packets. But it doesn't necessarily need to be stored.
Legitimate interests are legit things like security and fraud.
With the IP example, this could be storing your IP address along with some server metrics for a few hours to make sure you aren't trying to DDOS the server. This is a legitimate interest that doesn't need consent, as it is protecting company assets.
Similar with fraud.
Legitimate interests that don't ask for consent have to be backed up in the privacy policy. And because it's all wishy washy wording, the privacy policy can be challenged. So it's a barrier of entry to stop companies making everything legitimate interests.
Where it gets funky are things like targeted ads, 3rd party ad companies etc.
An ad company's legitimate interests are at odd with the end user, indeed their whole business model is at odds with the end user.
They have similar concerns about security as above.
However, their product is delivering ads to users, proving they have been delivered, and proving that the delivered ad has influenced the users behaviour. That is their ideal business model.
So, whilst processing your IP for DDOS protection, they might also tack on some log monitoring to see if "ad on Y page made you visit Z store page".
This is using data already collected for a legitimate interest (DDOS protection), however it is processing it to track a user.... Which is also the company's legitimate interest, however it will likely be challenged. At which point, it's easier to have a consent option for the extra processing and save the hassle of having to legally defend the process.
Essentially, legitimate interests are processing user data.
They may be beyond the core functionality of the actual website/app (eg fraud prevention, DDOS protection), but required for the company to run the website/app. At which point they don't need consent, as long as their privacy policy is up to scratch.
Or they could be extra functionality that isn't actually required (like the log processing by an ad company) to serve the content, but might improve the experience (or generate the company more money)
How this all boils down in the wild is that a lot of tracking and processing still happens, consent popups have dark-pattern UIs with complex language hiding what it really means backed by a privacy policy full of legalese. A lot of these sites are probably still in breach of GDPR, but it's hard to prove and hard to prosecute.
Most of the time, if a website makes an effort it's enough. It's only the big companies/processors that really need to be on the ball with it.
Good summary, only one point: it is not legal under the GDPR to use data you get from one reason (DDoS protection) for another reason (ad tracking) without also specifying that that is happening and allowing that to stop.
I don't say that isn't happening, but it is not legal, if it is.
Yes, thanks for clarifying.
I was trying to say that, but I think I got lost in the words
No, legitimate interest goes further than functionally required cookies. Legitimate interest can be treated to mean almost anything, because it refers to the “legitimate business interests of the data processor”. If you’re on a news website, it’s their business to show you ads and to get them to click on them. Therefore, it’s their best interests to improve the click-through rate. This can be used to justify tracking cookies as legitimate interest.
Would it survive the test of a day in court? I don’t know, maybe not, but it probably will never go that far, so it basically doesn’t matter anyways.
I was trying to say that, where an ad company's legitimate interests are likely at odds with a user using another website.
Legitimate interests to do something sensible (like fraud/ddos protection) is easy to justify.
Legitimate interests for ad tracking is a lot harder to justify, so it's easier and less risky to just ask for consent.
But yeh, it doesn't really matter in the grand scheme of things. At the moment, at least.
It's only the big prolific companies that are going to have difficulty. Or if a particularly knowledgeable person (or lawyer) has a bone to pick with a company.
What's an illegitimate interest?
It does already come with some limitations, though they're also a matter of interpretation. For example "legitimate interests" cannot be applied to personal data of special categories and may thus not outweigh the rights and interests of the affected persons. This generally requires an assessment to be performed to ensure that is the case.
It's not a get out of jail free card (despite a lot of companies seemingly thinking it is).