Say you are the type of person who, when landing on a new website and confronted with browser cookie settings, decides to Reject All wherever possible. As you scroll down the list, you notice that despite rejecting all cookies, several entries have “Legitimate Interest” turned on.
This raises the question: what is legitimate interest, and what are you agreeing to that differs from consent? The distinction exists because of the General Data Protection Regulation (GDPR), a piece of legislation that regulates browser cookies for websites based in or operating in the European Union.
The GDPR is very strict about websites following its rules. Websites that do not comply end up being fined and possibly forcibly shut down.
To save you the deep dive, we have done the legwork for you. As we all become more conscious of our privacy, let’s discuss the difference between legitimate interest and consent.

What is Cookie Consent?
The definition of cookie consent is simple: users give their full, unambiguous consent and permission to start collecting personal data. For consent to be valid it must meet the requirements of the GDPR, which states that consent should be freely given, specific, informed, and unambiguous.
Websites need to make sure that their users are informed about the type of cookies being collected and exactly what for. Users also need to be aware that they are willingly and freely agreeing or disagreeing. The mechanism for acquiring consent should require a positive action by the user, which means the user has to tick a box themselves or click “Agree All”.
There are a few guidelines it is recommended to follow when it comes to consent:
- The opt-in, a positive action that is reliant on the customer ticking a box to confirm their willingness for data collection.
- The statement of consent is clear and unambiguous. No legalese to confuse anyone or to exploit any loopholes.
- Any and all third-party data controllers are named.
- Information on how to withdraw consent is clear.
When Is Consent GDPR-Compliant?
For consent to be legally valid under GDPR it must follow these specific points:
- Freely Given: Users must have a choice, without pressure or negative consequences. Pre-ticked boxes are not allowed unless absolutely necessary.
- Specific: Any data collected needs to have a valid and fully-detailed reason as to why it is being collected. Simply stating it is for “marketing purposes” is not enough.
Examples of GDPR-compliant consent include a user selecting a checkbox stating “I agree to receive marketing emails”, a website presenting a cookie banner with a clear message and a yes or no option, or a customer voluntarily submitting a form that states how their data will be used.

What is Legitimate Interest?
Legitimate interest is a type of reasoning applied to browser cookies that does not require the user to provide consent for data collection. Websites use legitimate interest when collecting a specific type of data is essential for their functionality.
Occasionally, rejecting these types of cookies is impossible, as you may have seen when you have to click “Accept necessary cookies”. Turning them off may result in the website blocking your access to it. Websites are heavily restricted in the type of data they are allowed to collect under the GDPR, so this is not a blanket permission to collect any data they want.
Legitimate interest differs from cookie consent because it does not require user agreement for data collection. The purpose of processing data through legitimate interest relies on the interests of the website or a third party.
Legitimate interest applies when a website or a third party has a genuine reason for processing the data and no other interests outrank it. For example, they can justify legitimate interest as a way to market their goods to existing customers to increase sales.
There is a three-part test websites should take when assessing where legitimate interest can be applied. They are the purpose, necessity, and balancing test.
Purpose Test: Is there a legitimate interest behind the processing? They will need to determine if they have a clear, specific, and lawful reason for processing the data. The purpose must be genuine and align with the website’s interests, customers’ expectations, or societal beliefs.
Some examples include: preventing fraud, maintaining security, conducting business analytics to improve products or service, sending marketing emails to existing customers, and ensuring system performance.
Necessity Test: Is the processing necessary for that purpose? Websites must evaluate if processing the data is necessary to achieve a goal. Some questions they can ask themselves include:
- Is there a less intrusive way to achieve the same result?
- Could the data be anonymized or minimized?
- Can they achieve the same objective without processing personal data?
As an example, if they want to analyze customer preferences, they might not need personally identifiable data. Aggregated and anonymized data could achieve the same results without risking customer privacy. If there is a way to reduce data usage while achieving their goal, legitimate interest might not apply.
Balancing Test: Is the legitimate interest overridden by the individual’s interests, rights, or freedoms? The GDPR puts user privacy first, so websites must assess if customers expect this process to happen, if the processing would negatively impact users, or if the data is being used in a way that is transparent and fair.
Unlike with consent, legitimate interest does not require an organization to be named at the point of data capture as long as websites can tell their customers what the data will be used for. The best practice is to provide a descriptive list of sectors that the data will be shared with.
Legitimate interest lets websites collect and use data when it is absolutely essential for their operation, as long as it does not harm or unfairly impact their users. This does not give them a free pass to do anything they want with personal data.
As an example, if they use customer data to prevent fraud, improve website security, or send direct marketing to existing customers, then they can justify legitimate interest. However, if they use that data to track users across multiple websites without clear justification, then they will be violating GDPR.

How to Get Cookie Consent?
Picking consent as a legal basis for processing personal data is a popular choice. Websites can do almost anything with the data as long as they tell their customers exactly what they intend to do with it and get their explicit consent. Websites will want to use consent as a legal basis in the following situations:
- When no other legal basis applies to data processing.
- When they want to use the data in a way that is not compatible with their original purpose.
- When they want to process data in a way that could be seen as intrusive or unexpected.
- When they want to process sensitive data such as race, ethnicity, religious beliefs, or biometric data.
- When processing involves personalized advertising, online tracking, and app or software installations.
- When they value transparency and want to give users control over how their data is used.
Websites must ensure their legitimate interest assessments are transparent and user-friendly to maintain trust.
The GDPR allows consent to be gathered in three different ways:
Explicit Consent
A customer is given a clear option to agree or disagree to the gathering or processing of their personal information. Explicit consent can be gathered verbally as well as through written text.
If someone offers to give their personal information voluntarily, that can be considered explicit consent. They offer this information entirely on their own after clearly understanding the reasoning behind the necessity of the information.
Implicit Consent
This type of consent is given indirectly: a customer provides their personal information for purposes that favor both the individual and the organization. The customer voluntarily provides the data for obvious reasons that require the information, such as optional boxes on a form or entering their address and saving it for future use.
Opt-Out Consent
For opt-out consent, a customer needs to be given a clear option to decline having their information gathered and used. This should not mean having them click off a preference; it should be an active and conscious decision by them to have that specific data collected.
When browsing a shoe brand’s store, it may be clear that the product marketing tick boxes are shown to give the user a more personalized experience. Only when the user clearly chooses the option to withhold permission to use their data is consent not given. Basically, they would need to check the box to decline the use of their data. If they left the option unchecked, then opt-out consent is given.
Cookie consent should last anywhere from a few months to a full year. It is important to check the specific guidelines of the EU country that applies to the website. The duration depends on the website’s intended outcome of cookie collection and is limited to what is necessary to achieve its purpose.
How to Use Legitimate Interest?
If websites want to use legitimate interest as a basis for cookie collection, they must carefully evaluate how they process the data and how it impacts user privacy.
Websites would use the legitimate interest basis when data processing activities are low-risk or they have a strong reason for processing personal data. If websites are unwilling to conduct a risk assessment to determine how their data collection activities could impact users, or if they do not want to put in the work to justify using legitimate interest as a basis, then they might want to consider consent as their legal basis.
However, if websites do want to use legitimate interest as a legal basis, there are three major steps they would need to follow to make sure everything is set up correctly.
Step 1: Identify a legitimate interest. Websites need to satisfy the three-part test mentioned earlier in the article: the purpose, necessity, and balancing tests.
Step 2: Conduct a Legitimate Interests Assessment. This involves assessing each part of the three-part test and recording the results to demonstrate that legitimate interest is a justifiable legal basis for their processing. Websites need to constantly update their assessment as their business goals evolve to ensure the legitimate interest basis continues to apply to their data collection activities.
Step 3: Notify your users. After the three-part test and the assessment are completed, websites need to let people know their reasons for collecting data, that they are using legitimate interest as a legal basis, and an explanation of their legitimate interest. This information can and should be included in their Privacy Policy.
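The consent rules above (no pre-ticked boxes, a positive action, a record that expires after a few months to a year) and the legitimate-interest behaviour from the introduction (entries that stay on after Reject All until the user objects to each one) can be captured in a small consent-state model. The following is an added illustration, not code from the original article; the category names, the 365-day ceiling and the record layout are assumptions chosen for the example.

```javascript
// Added illustration, not code from the original article. Category names, the
// 365-day ceiling and the record layout are assumptions chosen for the example.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_CONSENT_AGE_DAYS = 365; // article: a few months up to a full year

// Each cookie category carries the legal basis the site relies on for it.
const CATEGORIES = {
  necessary: "necessary",           // cannot be rejected; site does not work without it
  analytics: "legitimate_interest", // on by default, but the user may object at any time
  marketing: "consent",             // off until the user takes a positive action
};

// State before any banner interaction: nothing consent-based is pre-ticked.
function initialState(now = Date.now()) {
  const choices = {};
  for (const [name, basis] of Object.entries(CATEGORIES)) {
    choices[name] = basis !== "consent";
  }
  return { choices, recordedAt: now, expiresAt: now + MAX_CONSENT_AGE_DAYS * DAY_MS };
}

// Record a positive action by the user (ticking or unticking a box, "Agree All",
// or an objection to a legitimate-interest category). Returns a new state.
function recordChoice(state, category, allowed, now = Date.now()) {
  const basis = CATEGORIES[category];
  if (basis === undefined) throw new Error(`unknown category: ${category}`);
  if (basis === "necessary" && !allowed) return state; // strictly necessary stays on
  const choices = { ...state.choices, [category]: allowed };
  // A fresh decision restarts the retention clock for the whole record.
  return { choices, recordedAt: now, expiresAt: now + MAX_CONSENT_AGE_DAYS * DAY_MS };
}

// "Reject All" withdraws every consent-based category. Legitimate-interest
// categories are untouched, which is why they still show as on afterwards;
// the user objects to each one separately through recordChoice().
function rejectAll(state, now = Date.now()) {
  return Object.keys(CATEGORIES)
    .filter((c) => CATEGORIES[c] === "consent")
    .reduce((s, c) => recordChoice(s, c, false, now), state);
}

// Gate that any code wanting to set a cookie in `category` must pass.
function mayUseCategory(state, category, now = Date.now()) {
  const basis = CATEGORIES[category];
  if (basis === undefined) return false; // unknown category: deny by default
  if (basis === "necessary") return true;
  // An expired record no longer proves consent; the banner must ask again.
  if (basis === "consent" && now > state.expiresAt) return false;
  return state.choices[category] === true;
}
```

The gate deliberately fails closed: an unknown category, a missing decision, or an expired consent record all deny the cookie, so a bug in the banner cannot silently turn into unlawful processing.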
Examples of Legitimate Interest
The GDPR’s effect on marketing is vital. However, picking the right approach in terms of legitimate interest matters. Recital 47 of the GDPR states that: The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Companies may send information that they think users will find relevant. However, it must be clear to the user that they can opt out at any time. For example, a SaaS company may want to send customers an email about upcoming offers. This can be seen as legitimate interest, as it benefits the company and does not affect the customers’ rights.
Websites may use legitimate interest as a reason when they have taken the steps needed to protect users’ personal data. As an example, if they run a website that collects sensitive information, they must maintain reasonable security measures to prevent unauthorized access to or use of the data.
When it comes to cookies specifically, legitimate interest can be used as a way to bypass cookie consent, but the reasoning lies in the text of the law itself. Website cookies often have marketing purposes. Recital 47 states that legitimate interest can be claimed for processing personal data for marketing, while Recital 70 states that users have the right to object to it. Users must have a choice to reject these cookies if they want, which makes legitimate interest not a viable option for them.
Does It Fall Under Consent or Legitimate Interest?
Consent builds a level of trust and brand awareness and allows websites to communicate with their customers. Legitimate interest helps brands target a broader consumer base.
Websites should follow these five steps to determine whether data collection falls under legitimate interest or consent:
- Does the user expect their data to be processed? If they do, then legitimate interest can be applied as they would be aware that processing the data helps with fraud detection, website analytics, and internal business improvements. If the processing can feel intrusive such as behavior tracking, personal advertising, or sharing the data with third-parties, then explicit consent is needed.
- Does processing involve marketing? Marketing activities are heavily regulated under GDPR and the ePrivacy Directive. Websites must get explicit consent before sending marketing emails or text messages, even to existing customers. In some rare cases, they can send B2B emails under legitimate interest but consent is still recommended.
- Is processing necessary for operations? If they need to collect customer data for operational, security, or compliance purposes, legitimate interest is the best choice. Sharing user data with third parties does not count and would need consent. Additionally, if there is a way to achieve their goals without processing personal data, legitimate interest would be void.
- Does the data involve sensitive information? This includes health records, political views, racial or ethnic data, biometric information, and so on. If a website is handling this data, consent is always required unless there is a strong legal justification. If they have a solid legal reason as to why they need to collect this data, then legitimate interest applies.
- Will the user have control over their data? If users can easily opt out or withdraw their consent without negative consequences, then the risk of non-compliance is lower. Consent is best when users need full control over their data while legitimate interest is acceptable if users can opt out anytime without impacting their experience.
Conclusion
Collecting browser cookies is mandatory for running a functional website. Understanding what data can be legally collected is essential for compliance.
Cookie consent is critical when collecting personal or marketing data. Websites must offer users a way to opt-out of data collection.
Key takeaways:
- Cookie consent requires websites to ask users for permission to collect certain types of data.
- Legitimate interest applies when websites have a justifiable reason to collect data that does not involve the personal data of their customers.
- To decide if data falls under legitimate interest, websites must follow the three-part test (purpose, necessity, balancing) and if it passes all three, then legitimate interest can be applied.
- Cookie consent comes in different types, but all of them require the user to agree to the data being collected.
- When it comes to collecting marketing cookies, websites need to be cautious of Recital 70 of the GDPR as that could be the determining factor between collecting marketing data with consent or as a legitimate interest.
Websites must have solid reasoning for collecting specific data under legitimate interest to avoid legal penalties.
Frequently Asked Questions
What are the 6 types of consent?
The 6 types of consent are informed, explicit, implied, granular, opt-in/out, and withdrawable consent. Informed consent has the user understand the risks and benefits before agreeing. Explicit consent requires them to click a button or sign a document. Implied consent is inferred from actions or inactions. Granular consent allows users to choose which data they consent to. Opt-in/out consent either requires a user to take an action to agree, or assumes consent unless they refuse. Withdrawable consent is the ability for a user to revoke their permission at any time with no questions asked and no trouble finding out how to do so.
Can you use legitimate interest for marketing?
Yes, legitimate interest can be used for marketing, but it must pass the three-part test. While direct marketing is recognized as a possible legitimate interest, it is not a blanket justification and does require careful documentation, especially when it comes to B2B communication.
What does “grounds of legitimate interest” mean?
The grounds of legitimate interest under the GDPR are a lawful basis that allows companies to process personal data without consent, as long as it is necessary for a specific, non-trivial, and clear business purpose.