Reject all cookies but get them anyway? Websites abusing “legitimate interest”


The twisted logic of cookie consent banners doesn’t work as you might expect. Despite pressing the opt-out button, dozens and sometimes hundreds of vendors on a single website still think they have the “legitimate interest” to track your data. Here’s what you can do.

Since e-privacy laws took effect, websites have bombarded visitors with cookie consent banners, asking for permission before tracking and storing online activities and personal data. But is there really a choice?

For an experiment, I opened a few dozen random websites on a newly installed web browser. Despite rejecting all, denying, not accepting, unticking and confirming my choices, withdrawing consent, objecting, managing preferences, etc., each website still saved dozens of cookies. Sometimes, I didn’t have a choice at all but to accept, especially on US websites.

ADVERTISEMENT
cookies-present

Even after pressing the opt-out button, many vendors claim they have a “legitimate interest” to justify tracking many data categories, such as IP addresses, device characteristics, device identifiers, browsing and interaction data, location data, users’ profiles, and others.

“Legitimate interest” is used for many purposes, such as personalized advertising, measuring advertising or content performance, “understanding audiences,” or developing and improving services.

Many experts who spoke to Cybernews argue that websites abuse the “legitimate interest” for extensive tracking despite user opt-outs.

legitimate-interest

Not all websites allow users to object to “legitimate interest” in the settings – some leave no choice but to accept a part or even all of trackers from dozens of vendors. The justifications range from ensuring “security, prevent and detect fraud” to “legitimate business interest.”

no-choice

Many other websites make the opt-out process difficult by burying the “legitimate interest” options deeper in the settings and requiring users to manually deselect multiple categories or even dozens of vendors one by one.

ADVERTISEMENT

“Many users are numb about their privacy until it is too late. Without strict regulations on this front, users must protect themselves with awareness, data protection, and the implementation of tools to protect their privacy,” said Zarik Megerdichian, Founder and CEO at Loop8, a personal data protection firm.

objected

Can everything be a legitimate interest?

According to Dr. Brian Callahan, the Graduate Program Director for the Information Technology and Web Science Program at Rensselaer Polytechnic Institute, “Legitimate interest” originates from GDPR and covers when the user might reasonably expect some of their data to be processed for specific reasons, such as fraud prevention or IT security.

“Marketing could even be a legitimate interest if the use of that data isn’t something people would be surprised about,” Callahan said. “Companies are going to try to collect as much data as they can. Why wouldn’t they? That data can be mined and sold, so it has value!“

When it comes to cookies, this legal basis allows companies to collect and process your data without explicit consent, explains Zarik Megerdichian, Founder and CEO at Loop8, a personal data protection firm.

“This means the company believes it has a valid reason for using your data, such as improving services, marketing, or ensuring security, which outweighs any potential impact on your privacy. However, they must balance their interests with your rights and interests and provide clear information on how your data is used,” Megerdichian said.

He also confirmed that some companies use it as a loophole to collect data without meeting specific guidelines.

“Yes, websites are abusing this exception. Companies with data-driven business models have exploited the ‘legitimate interests’ clause for quite some time. This is a perfect example of the Charlie Munger quote: Show me the incentive, and I'll show you the outcome,” said Josh Amishav, Founder and CEO at Breachsense.

While bypassing users’ cookie preferences this way may be legally allowed, Amishav believes that it goes against the core principle of the GDPR, which requires obtaining user consent for data processing.

ADVERTISEMENT

Cache Merrill, founder of Zibtek, a software development firm, thinks this is a big grey area where websites “can just say all of X functions are required.”

“If the website owner's intentions are pure, this concept allows the site to put data in cookies that are essential to making the site function,” he said. “And if the owner's intentions are not pure, they obviously can push the boundary of that concept.”

However, Merrill also believes that service providers should not be required to ask for permission when cookies are essential for core functionality, bring time savings, and don’t track personal information.

Either way, it would be almost impossible to prove what’s essential and what’s not, even when brought to court.

“I have been an expert witness on a few cases, and it was extremely difficult, with both sides feverishly explaining their point of view to a 60 or 70-year-old judge with very little technical background,” Merrill said.

Why should users be cautious?

Callahan warns that people have reasons to be wary.

“Indiscriminate cookie/data collection can be used to positively identify people and can easily and globally disseminate information about people that you would prefer to keep private. There are also ways for determined adversaries to use data collected on a target to improve social engineering attacks against that target,” he said.

Callahan noted that the European Data Protection Board believes that confusing or difficult-to-use cookie banners (“deceptive cookie banners”) should be improved.

In Germany, courts are cracking down on deceptive cookie banners based on the concept of genuine choice to accept or reject. The Cologne Higher Regional Court clarified in January 2024 that cookie banners must be designed fairly, and consumers must be given a real choice as to whether they wish to accept cookies or not.

ADVERTISEMENT

“By gathering IP addresses, device identifiers, and interaction data, companies can create detailed profiles of users. This not only invades user privacy but also poses security risks, as this data can be used for targeted attacks in the event that it's breached or sold to third parties. The justification of 'legitimate interest' should be re-examined because it's become a catch-all excuse for invasive tracking,” Amishav added.

He noted that the data collected under 'legitimate interests' is often shared with third parties, which only increases the attack surface.

“The more data collected, the higher the risk of unauthorized access or data breaches,” Amishav said.

Kirsten Whitfield: those that get caught will be the tip of the iceberg

For website owners, designers, and even cookie consent management platform providers, it’s easy to get lost in a complex landscape, and many may be confused about when to rely on legitimate interests, according to lawyers.

“It’s easy to get confused,” says Kirsten Whitfield, a Data Protection and Cybersecurity Expert at Fieldfisher, a multinational law firm.

“Of course, some may simply not care enough to educate themselves about how to compliantly deal with these issues.”

The first common misconception is that cookie consent requirements come from the GDPR. These requirements predate GDPR and are commonly referred as Privacy and Electronic Communications Regulations (ePrivacy laws).

Second, even the reference to cookies is misleading.

“The cookie law requirements around obtaining consent apply to not just cookies but any similar technology, e.g., such as pixels that might be embedded in emails to track whether an email is opened, how long browsed etc. The law also applies regardless of whether personal data involved or not,” Whitfield explains.

ADVERTISEMENT

In summary, she described a basic rule as: “if the cookie isn't essential, then you need to get consent before deploying.” User consent is not needed for essential cookies.

“For example, if your website operates a shopping basket and the cookie is used to place items in the basket, this is an essential function of the website. No consent is needed. On the other hand, deploying a cookie to track a user's movement across your website is not essential to the operation of the website, and consent is needed,” Whitfield said.

To add to the confusion, GDPR comes only as an additional overlay of requirements.

“One of the requirements of the GDPR/UK GDPR is that you must have a lawful basis for processing personal data. Consent and legitimate interests are two examples of lawful basis that could potentially apply (there are others, but these are the most commonly relied on in the context of cookies).”

So, if a website uses a cookie to track users’ movements around the site, according to GDPR, it could theoretically rely on 'legitimate interests' as the lawful basis for processing personal data, while the ePrivacy rules would require user consent for the placement of a cookie itself.

“But, this would be very confusing for users if you were asking for consent to drop a cookie but not consent to process personal data collected by the cookie,” Whitfield said.

“This is at odds with the GDPR/UK GDPR principles of fairness and transparency when processing personal data, and this is why data protection regulators (some more vocally than others) are not fans of legitimate interests being relied on in this type of scenario.”

While data protection regulators sometimes focus on cookie consent issues, their efforts do not provide a “great incentive to get it right.”

“Those that get caught out by data protection regulators will be the tip of the iceberg. So not a great incentive to get it right.”

Nonetheless, there are good reasons to get compliance right, as Fieldfisher’s data litigation team hears from companies receiving complaints each week, and a few serial claimants have now made it their business to challenge websites.

ADVERTISEMENT
An easy-to-use guide to clear browser cookies

No way to avoid tracking completely

Users have some choices that can limit, but not eliminate, tracking online.

“There are “third-party” and “first-party” cookies. Browsers will let you block third-party cookies. There are also plugins, like the Privacy Badger plugin from the EFF, that will also block third-party cookies,” said Dr. Brian Callahan, who is also a Director of the Rensselaer Cybersecurity Collaboratory at Rensselaer Polytechnic Institute.

However, these tools generally do not block first-party cookies. Tech giants such as Google and Facebook use other device fingerprinting technologies to track users.

“That’s why we need good legislation to help reign in these first-party cookies. You can still be tracked with first-party cookies. And those first-parties might sell that data to other parties,” Callahan said.

Amishav recommends adding more privacy tools to the mix.

“I recommend running the uBlock Origin browser plugin to help block trackers. Using a reputable VPN can also mask your real IP address and make it harder to track you. Finally, when installing a new app, always grant the least amount of permissions needed to function properly,” Amishav said.

DNS filtering tools may prevent many trackers from loading.

Megerdichian added that the best way for users to protect themselves is “to assume that abuse will happen and disclose the minimum personal information required.”