this post was submitted on 10 Jul 2024
245 points (98.4% liked)

No Stupid Questions

35719 readers
1399 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

How would a company decide that something should be “legitimate interest” vs “consent”?

EDIT: Definition of "Legitimate Interest", when hovering over the question mark.

How does legitimate interest work?

Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

top 37 comments
sorted by: hot top controversial new old
[–] [email protected] 152 points 4 months ago (2 children)

Nothing. Having a toggle for "legitimate interest" is nonsense. The GDPR lists some exceptions to when you need to ask for permission, these are "legitimate interests". Things like remembering someones IP to keep track of bans is allowable without needing to ask for permission.

Of course advertising agencies promptly went to work trying to bend the language of GDPR so they can claim they are a legitimate interest and therefore exempt. It won't hold up in court.

The GDPR is surprisingly strict, and a LOT of the cookie popups you see in the wild are not at all compliant. To give an example: having your "accept" and "reject" buttons a different font size is explicitly not allowed.

[–] [email protected] 24 points 4 months ago (2 children)

Does the GDPR have anything on button colors? Because what I see more often is the "accept all" button visually distinct, while the "reject" or "confirm" button being very muted, almost blending with the background

[–] [email protected] 18 points 4 months ago

Sliiightly more debatable, but you're not supposed to emphasize one over the other iirc. Go read the GDPR, for legalese it's surprisingly readable.

[–] [email protected] 8 points 4 months ago

Yes

Declining needs to be as easy as accepting. So if one button is bigger or is easier to spot (like a different colour or font) then it isn't compliant with GDPR.

[–] [email protected] 2 points 4 months ago (1 children)

It may not be a pure nonsense. It might be that according to GDPR the company is eligible for some data use but according to telecommunication law needs still consent to even send this data.

Example: company X analyses their traffic on the backend by aggregating logs per user in a anonymised way because they want to know how many users in a given country uses their product Y. They can do it without any consent as the data is in their system anyway and it is a legitimate interest to know facts about their own product.

Now they want to enrich this by tracking whether the user clicked a homepage banner or a footer link in order to open that product page. This tracking is made on the browser with javascript by sending an AJAX request with a click event. This is still valid for GDPR but not for telecom law that says (German example from TTDSG) you're not allowed to send anything from a user device unless it's required for service or you have consent.

Then this kind of consent would make sense.

In the OP example I go with bullshit though. It's most likely pretending to be compliant while breaking the law.

[–] [email protected] 10 points 4 months ago (2 children)

My life is so much better ever since I’ve added an extension that auto rejects cookies

[–] [email protected] 4 points 4 months ago

I use Consent-o-matic.

[–] [email protected] 3 points 4 months ago (1 children)

What extension is that? Sounds like something I'd want.

[–] [email protected] 4 points 4 months ago

Look up for your specific device(s) but for safari on ios it is hush.

[–] [email protected] 66 points 4 months ago* (last edited 4 months ago) (1 children)

Copypasting here answer to similar question in superuser.com

https://superuser.com/a/1624773

Under GDPR there are 6 grounds based on which anybody can process personal data. Those are:

  • Consent

    You explicitly agreeing to it. This needs to be opt-in, informed, specific and freely given, but also gives the greatest freedom to a company.

  • Contract

    This is the basis which raj's answer confused with legitimate interests. This is the processing that is required to fulfil a contractual obligation (note that contracts do not always need to be signed, e.g. an order from an eshop).

    need to process someone’s personal data:

    • to deliver a contractual service to them; or
    • because they have asked you to do something before entering into a contract (eg provide a quote).

             Source: ico.org.uk

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

    Legitimate interests are the most flexible lawful basis for processing personal data. In the words of the UK's ICO 1:

    It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

             Source: ico.org.uk (worth reading!!!)

    The underlying text from the GDPR itself (definitions and links added are mine)

    processing is necessary for the purposes [=a specific minimal type of processing] of the legitimate interests pursued by the controller [=the company wanting to process your data] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [=you] which require protection of personal data, in particular where the data subject is a child.

             Source: GDPR Article 6(1f)

    So basically a legitimate interest claim by a company is them saying 'we are convinced that our interest outweigh the negligible impact on the privacy of the people whose data we process'. This doesn't give them a free pass though, as GDPR also gives the right to object

    The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point [public interest] or [legitimate interest] of Article 6(1), including profiling based on those provisions.

             Source: GDPR Article 21(1)

    Which then require the company to either concede and stop the processing or justify their claim. Companies in practise have taken this to mean they can basically just do a bunch of processing and as long as they make the objection process (=opt-out) easy enough the theory is that they will get away with it.

Notes:

1 The UK left the EU, but they still have by far the best English language resource explaining GDPR and for the time being "UK GDPR" matches "EU GDPR" one on one as far as I am aware

[–] [email protected] 28 points 4 months ago (2 children)

Thanks for the explanation!

Legitimate interest makes complete sense with something like an online shop, but trying to read a news article/blog post, do I really need to have 100s of vendors claiming "legitimate interest"?

[–] [email protected] 20 points 4 months ago

Yeah "legitimate interest" seem to be abused a lot

[–] [email protected] 5 points 4 months ago (1 children)

Advertisers believe they are doing you a favour by using personal information to serve "better" ads that would be more "interesting" to you.

[–] [email protected] 3 points 4 months ago

I'll "legitimately" decline then.

[–] [email protected] 39 points 4 months ago

Nothing, but if you scroll at the bottom of the form, you have a link to all vendors, and under each one what they consider their legitimate interest is. At least gdpr forced them into transparency, although it is so hidden and there are so many that probably 0.0000001% of people go and check

[–] [email protected] 38 points 4 months ago (1 children)

I always read this as "legitimate for them, and not for me" and untick it.

[–] [email protected] 9 points 4 months ago (1 children)

The trick is, sometimes you can't untick it. Because legitimate interest.

[–] [email protected] 1 points 4 months ago

I've not seen that. I have seen all the boxes except legit interest unticked. So I untick all and "save" preferences (I mean, technically how can they save my preferences if I reject all cookies?) and they're all back next time, but just the legit interest ones.

Sometimes there's a lot of them.

[–] [email protected] 38 points 4 months ago

It isn't.

Block all tracking.

[–] [email protected] 31 points 4 months ago

You can say it's legitimate interest, doesn't make it true.

[–] [email protected] 22 points 4 months ago* (last edited 4 months ago) (2 children)

The "legitimate interests" are only legitimate for their and their advertisers data collecting, not your experience (never mind privacy and security). It's just a scummy workaround to avoid regulation.

Even so called "necessary" cookies are often bloated with shit that isn't really necessary (and often leave out necessary functions from where they belong and include them in a separate "functionality" category, where they can pile on extra trackers, especially social media ones).

The worst part is, that some "decline all" don't decline these so called legitimate trackers, so I double check to make sure they are all deselected (sometimes it's an "object to legitimate interests" other times you have to click through to the list and deselect them manually. If it's one of the latter and it won't let me deselect all at once, I leave the site. There isn't any piece of information worth unticking hundreds of boxes for). (ETA: I've found that one of the worst offenders of this is fandom wiki sites, which is where breezewiki comes in and saves the day! If their search function doesn't find what you're looking for, try looking for the fandom you're after + breezewiki on your search engine of choice and if it exists, it will come up)

Never trust companies to have anything but their own interests in mind.

[–] [email protected] 18 points 4 months ago (3 children)

I hate having to manually deselect all of the cookies/consent toggles, just to get to the end and they have the "accept all" look like the "confirm choice".

[–] [email protected] 9 points 4 months ago

These days if a site does that I go elsewhere - the trouble is, I really want to shout at them to tell them why I am going somewhere else but there is rarely a useful contact to do so.

[–] [email protected] 6 points 4 months ago

Omg, yes, that shit is enraging.

[–] [email protected] 3 points 4 months ago

One thing I've found to be useful is just having my browser clear all cookies upon closing. It's initially annoying while you set up all your exceptions for commonly used sites so you don't need to log in again there every time, but afterwards you don't need to worry too much, because once you close your browser, all the useless cookies are gone.

[–] [email protected] 2 points 4 months ago (1 children)

Just like adblockers, the internet has become unusable without tracker blockers like Consent-O-Matic, which automatically declines everything.

[–] [email protected] 1 points 4 months ago

I've heard of those, but while I can see adblock working, if me just clicking "decline all" doesn't actually decline the so called legitimate interests, I don't quite trust that an extension doing it will, so for now I'd rather still make the call of whether I trust a site myself..

[–] [email protected] 18 points 4 months ago

They're legitimately interested in spying on you and selling your data.

[–] [email protected] 16 points 4 months ago

Legitimate interest: "User has a pulse."

[–] [email protected] 8 points 4 months ago

This is a provision of the article 6 of the GDPR, which describes very broadly that you have to justify your legitimate interest with a fair reason to process user data. It is mostly there to allow for IT security, fraud prevention, but also marketing.

Unfortunately, the way the regulation is written is quite imprecise and subject to interpretation. You can read this page, it will give you an insight on the possible interpretations:

https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

My understanding is that you have the choice between the following modes :

  • Consent = you allow for personalized data collection and ads integration can make use of any tracking information saved in your browser and on the servers of the third party provides
  • Legitimate interest = you allow for data collection without personalization, but the provider might still be context aware and provide for example ads based on broad information like your country, language etc
  • Nothing = you refuse any processing and connection to a third party server
[–] [email protected] 7 points 4 months ago (1 children)

What does it say when you hover/click on the question mark next to it?

[–] [email protected] 12 points 4 months ago* (last edited 4 months ago) (1 children)

How does legitimate interest work?

Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest.

[–] [email protected] 7 points 4 months ago

😂

That's a creative way to interpret GDPR

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago)

I wish there were more lawyers who would deal with companies that do this kind of stuff.

[–] [email protected] 3 points 4 months ago

This has been bothering me too. Hope you get an answer.

[–] [email protected] 2 points 4 months ago (1 children)

I'm assuming that whatever the law in each country consider legitimate.

[–] [email protected] 3 points 4 months ago

It’s a gdpr term of art.