So almost every GDPR cookie consent banner out there has a section for “legitimate interest” cookies that they can leave on by default and you will inadvertently accept even if you choose “Reject all” unless you go to the detailed settings and disable those too.
Some of them have dozens of legitimate-interest cookies.
I read some articles about what they are and why it is allowed to keep them on by default, but they were very vague. So can someone explain it to me like I am five?

  • chuso@kbin.social (OP) · 7 upvotes, 6 downvotes · 1 year ago

    I know what a cookie is.
    I was asking what legitimate-interest cookies are and what makes them different so they don’t need explicit consent under GDPR.

    • cabbagee@sopuli.xyz · 5 upvotes · edited · 1 year ago

      It would help to clarify in the post that you’re interested in the legal aspects for the EU under the GDPR.

      To answer your question though, on the GDPR website I thought these snippets were the most helpful:

      To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

      • Receive users’ consent before you use any cookies except strictly necessary cookies.

      Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

      The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job. However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.

      Edit: Sorry, forgot the ELI5. As long as the website informs users why a cookie is necessary for the website to function correctly, it can be classified as ‘strictly necessary’ and not require consent. As far as what’s “necessary”… that’s still being defined and will probably be reviewed on a case by case basis.

      • chuso@kbin.social (OP) · 4 upvotes, 1 downvote · 1 year ago

        It seems you are confusing strictly necessary cookies with legitimate interest cookies, which are different things: https://kbin.social/m/[email protected]/t/466192/-/comment/2427882

        It would help to clarify in the post that you’re interested in the legal aspects for the EU under the GDPR.

        I had added the #GDPR tag to the question and, as far as I know, GDPR is the only regulation that requires a cookie consent banner and mentions legitimate interest cookies, but I may be wrong on that as I don’t know all the regulations around the world 😃 (and California tends to follow EU’s stances on these matters, so I wouldn’t be surprised if they were baking something similar to the GDPR if they don’t have it yet).

        But yeah, you are right, people from many different places around the world could be reading the question, so I should have been clear that this is specific to some local regulation. I edited the post.

        • cabbagee@sopuli.xyz · 1 upvote · 1 year ago

          Thanks, appreciate it. I definitely misunderstood ‘legitimate interest’ cookies as ‘strictly necessary’. It looks like the laws are vague and still in development. I’m not in the EU but it’s been fun diving into this discussion and the laws!

    • eluvatar · 4 upvotes · 1 year ago

      They’re different because you can’t use the service without them. For example, an auth cookie.

      • chuso@kbin.social (OP) · 8 upvotes, 1 downvote · edited · 1 year ago

        That’s a functional (or “strictly necessary”) cookie and those are the ones you cannot reject.
        Legitimate-interest cookies are a different thing and you can indeed reject them, but they are on by default.
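To make the distinction discussed in this thread concrete, here is an added example (not written by any poster) that models a consent banner’s state in JavaScript: the purpose names and their assignment to the “strictly-necessary”, “consent” and “legitimate-interest” legal bases are constructed for illustration, and the functions show why “Reject all” leaves legitimate-interest purposes active until the user objects to each of them.

```javascript
// Constructed purposes: each one is tied to the legal basis a banner claims for it.
const PURPOSES = [
  { id: "session",     label: "Keep you logged in", basis: "strictly-necessary" },
  { id: "analytics",   label: "Audience measurement", basis: "consent" },
  { id: "ads-profile", label: "Ad profiling",        basis: "consent" },
  { id: "fraud",       label: "Fraud prevention",    basis: "legitimate-interest" },
  { id: "ad-measure",  label: "Ad measurement",      basis: "legitimate-interest" },
];

// Initial state as many banners present it: consent-based purposes are off until
// the user opts in, legitimate-interest purposes are on until the user objects,
// strictly necessary purposes are always on.
function initialState() {
  return Object.fromEntries(
    PURPOSES.map((p) => [p.id, { basis: p.basis, active: p.basis !== "consent" }])
  );
}

// Flip every purpose with the given legal basis; strictly necessary purposes
// cannot be switched off at all, so refuse that request explicitly.
function setActiveByBasis(state, basis, active) {
  if (basis === "strictly-necessary" && !active) {
    throw new Error("strictly necessary purposes cannot be disabled");
  }
  return Object.fromEntries(
    Object.entries(state).map(([id, v]) => [id, v.basis === basis ? { ...v, active } : v])
  );
}

// "Accept all" grants consent; "Reject all" only withdraws it. Neither touches
// the legitimate-interest purposes, which is the behaviour the thread describes.
const acceptAll = (state) => setActiveByBasis(state, "consent", true);
const rejectAllConsent = (state) => setActiveByBasis(state, "consent", false);

// What the user has to do separately in the detailed settings.
const objectToLegitimateInterest = (state) =>
  setActiveByBasis(state, "legitimate-interest", false);

// Purposes still active after the user's choices, in declaration order.
function activePurposes(state) {
  return Object.keys(state).filter((id) => state[id].active);
}

// Walk through the sequence a user typically experiences.
const afterAccept = acceptAll(initialState());
const afterReject = rejectAllConsent(afterAccept);
const afterObject = objectToLegitimateInterest(afterReject);
console.log(activePurposes(afterAccept)); // all five purposes
console.log(activePurposes(afterReject)); // session, fraud, ad-measure
console.log(activePurposes(afterObject)); // session
```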