Many websites have a - huge- part in their cookie wall, called 'legitimate interest'.
I never allow them and i wonder; is this just a loophole to be able to force certain cookies on us anyway?
I can't imagine it is harmless, but i never hear anyone discussing these type of cookies.
EDIT: Everyone, thank you so much for taking the effort to answer. These replies were very helpful and often quite detailed. I've read them all and it certainly gives food for thought.
I also read that EU page, which is indeed not really clarifying much.
I agree that we need to do as much as possible to block all these invaders of our privacy, though it is ridiculous that we have to make so much effort to protect ourselves.
And i know many people around me, who just let it all happen and are sometimes not even aware of such things as trackers. And honestly, they shouldn't have to be aware, it is infuriating that these things are either allowed, or those companies taking the - small - risk to get away with it, because most people won't bother with law suits and what not, certainly not when so many websites have these shady practices...
Again, thank you; i'm glad i asked :-)
The legal definition in the GDPR is:
The European Commission has a page expanding on it.
As you can see it's very vague, and it will probably take several court cases to define the boundaries.
Edit: there's currently a request to ECJ from a Dutch court to define the main boundaries (Case C-621/22) and there was already another (c13/16) setting some limits.
True but the GDPR is not the primary legislative instrument here since it deals with general rules for processing personal data. The ePrivacy directive (or PECR in UK) is more important when it comes to cookies since it deals with electronic communication.
The ePrivacy directive states that cookies and similar tracking technologies can only be dropped on a user device after obtaining consent, i.e. no other ‘GDPR’ legal bases such as legitimate interest are available. There is an exception for cookies that are essential or strictly necessary for the website to work. In such cases no consent needs to be obtained. This exception is narrowly interpreted by most EU supervisory authorities.
This may be subject to change though since the ePrivacy directive is in the process of being replaced by the ePrivacy regulation which is said to outline new rules for cookies.
The practical way this seems to be implemented is that sites report the bulk of cookies and default to off to comply with GDPR, then list a subset of cookies as legitimate interest-based and default those to on with an ambiguous "object" setting.
Guessing the idea behind it is legal advice that legitimate interest swaps from one ruleset to another, but like the previous poster said I'm not sure how well any of this is tested.