Is 'Legitimate Interest' still a free pass for tracking? Let's find out.
Prompted by A NerdSip Learner
Master GDPR & TDDDG rules for legally sound cookie tracking and data processing.
The ad-tech world is often blurred by legal jargon. For cookies, you face two distinct hurdles: the **TDDDG** (formerly TTDSG) for device access and the **GDPR** for processing the personal data retrieved.
The TDDDG implements the EU ePrivacy Directive in German law. The core rule: any storage of information on, or access to information already stored in, a user's device requires active consent (§ 25 TDDDG), unless it is **strictly necessary** to provide a service explicitly requested by the user.
Once that hurdle is cleared, the GDPR kicks in for the data processing. Here, vendors check whether they can rely on consent or on the elusive **legitimate interest** (Art. 6 GDPR). However, the TDDDG's specific rule always trumps the GDPR for the initial storage or access step itself.
Key Takeaway
Cookies need storage permission (TDDDG) AND a legal basis for processing (GDPR).
Test Your Knowledge
What does the TDDDG primarily regulate in the context of cookies?
For a long time, marketing teams treated **legitimate interest** (Art. 6 GDPR) as a convenient loophole. In reality, EDPB guidelines mandate a strict three-part test before you can legally claim it.
First, you need a **legitimate, clear, and real interest** (economic interests generally count). Second is the **necessity test**: the processing must be absolutely required to achieve that interest. If there is a less intrusive way, the test fails immediately.
Third is the **balancing test**. The rights and freedoms of the individual must not outweigh the controller's interest. With invisible tracking or deep profiling, the legal pendulum almost always swings in favor of the user.
Key Takeaway
Legitimate interest isn't a free pass; it requires a strict three-part test and a balancing act.
Test Your Knowledge
Which hurdle is NOT part of the three-part legitimate interest test?
Many Consent Management Platforms (CMPs) once allowed tracking cookies via legitimate interest. Legally, this is a fallacy because the ePrivacy Directive mandates **consent for non-essential cookies**.
If a cookie is stored for reach measurement or retargeting, the TDDDG applies. Since these aren't *technically strictly necessary* for the primary service (like reading an article), the user must actively opt-in first.
Because the act of setting the cookie requires GDPR-compliant consent, the EDPB clarifies that it is paradoxical to base the subsequent processing on 'legitimate interest.' A technical intrusion requiring consent dictates the legal basis for all following steps.
Key Takeaway
Since marketing cookies require consent under TDDDG, subsequent processing cannot rely on legitimate interest.
Test Your Knowledge
Why does 'Legitimate Interest' fail for retargeting cookies upfront?
The only valid overlap between cookies and legitimate interest involves **strictly necessary cookies**. These fall under the legal exception where no prior consent is required (§ 25 TDDDG).
Examples include session cookies for **shopping carts**, authentication for login status, or security cookies like CSRF tokens. Even the cookie that remembers your consent choice in the banner belongs in this essential category.
These functions don't need consent because the user explicitly requested them to use the core service. The corresponding data processing (e.g., log files for IT security) can then be legally justified via **legitimate interest** under the GDPR.
Key Takeaway
Consent is only waived for technically essential cookies like carts or logins.
Test Your Knowledge
For which cookie does the technical necessity exception apply?
The **Transparency and Consent Framework (TCF)** by IAB Europe is the global standard for signaling consent in programmatic advertising. With version 2.2 in 2023, the IAB finally closed a massive legal loophole.
Older versions allowed vendors to claim legitimate interest for purposes like personalized ads. This led to a 'dark pattern' where users clicked 'Reject All,' but tracking continued silently in the background under the guise of legitimate interest.
TCF v2.2 completely removed legitimate interest as a legal basis for advertising and content personalization (Purposes 3 to 6). Now, ad-tech providers must obtain explicit consent for these activities to remain compliant.
Key Takeaway
IAB TCF v2.2 abolished 'legitimate interest' as a legal basis for personalized advertising.
Test Your Knowledge
What was the major change in the IAB TCF v2.2 update?
A common legal design flaw in old banners was the 'cascading legal basis': 'We ask for consent to track you. If you say no, we'll do it anyway based on our legitimate interest.'
Regulators and EDPB guidelines make it clear: this **'Bait and Switch'** is illegal. Once a controller chooses to rely on consent for a specific processing activity, they are bound by that architectural choice.
If the user rejects consent, a **blocking effect** occurs. A secret fallback to legitimate interest violates the principles of fairness and transparency. In the eyes of the law, a user’s 'No' must remain a binding 'No.'
Key Takeaway
You cannot ask for consent and then switch to legitimate interest if the user refuses.
Test Your Knowledge
What does the 'Bait and Switch' ban describe in data protection?
The interpretation of legitimate interest has tightened significantly due to recent court cases. In landmark rulings (like *Meta v. Bundeskartellamt*), the European Court of Justice (ECJ) set clear boundaries for the ad industry.
The ECJ ruled that extensive **tracking, profiling, and behavioral advertising** are so intrusive to privacy that the user's rights almost always outweigh the company's interests.
This high-court ruling confirms: for complex ad networks aggregating data across multiple sites to build behavior profiles, legitimate interest can **never** be the valid legal basis. Explicit, voluntary consent is the only legal path forward.
Key Takeaway
Cross-site profiling and behavioral advertising always require explicit consent.
Test Your Knowledge
What did the ECJ clarify regarding behavioral advertising?
Even in the rare cases where a vendor legitimately uses legitimate interest, the GDPR provides a sharp tool: Art. 21, the **Right to Object**.
Users must be able to object to processing based on legitimate interest at any time. Usually, they must give grounds relating to their 'particular situation', unless the processing is for **direct marketing**.
For direct marketing, the right to object is absolute and unconditional. A compliant system architecture must allow users to exercise this opt-out just as easily as they would grant consent within a preference center.
Key Takeaway
There is an absolute, unconditional right to object to data processing for direct marketing.
Test Your Knowledge
What is unique about the Right to Object against direct marketing?
One of the most debated topics today is the **Pay-or-Okay (Pur-Abo)** model. Media houses require users to either consent to full tracking or pay for a monthly subscription.
Privacy advocates argue whether consent under this 'pressure' is truly 'voluntary.' Currently, many regulators tolerate the model as long as the price for the ad-free alternative remains reasonable.
Crucially, **legitimate interest** disappears in these models. Since the deal is 'data for content,' the entire architecture rests on explicit consent. Secretly tracking via legitimate interest would immediately undermine the contractual promise of the paid, ad-free alternative.
Key Takeaway
Pay-or-Okay models rely strictly on consent; legitimate interest plays no role here.
Test Your Knowledge
What is the central feature of a 'Pay-or-Okay' model?
With the crackdown on third-party cookies, the industry is fleeing to **Server-Side Tracking**. Here, the browser communicates only with the website’s own first-party server, which then forwards cleaned data to networks.
While this improves technical control and bypasses ad-blockers, it does not change the legal reality. As soon as device info (IP addresses, fingerprints, IDs) is read for identification, the TDDDG applies.
Technical obfuscation or moving processing to the cloud does not exempt companies from their duties. They must still choose between the high bar of consent or the very narrow confines of true legitimate interest.
Key Takeaway
Server-side tracking doesn't bypass TDDDG duties if information is read from the user's device.
Test Your Knowledge
Why doesn't server-side tracking automatically waive consent?