So almost every GDPR cookie consent banner out there has a section for "legitimate interest" cookies that they can leave on by default and you will inadvertently accept even if you choose "Reject all" unless you go to the detailed settings and disable those too.
Some of them have dozens of legitimate-interest cookies.
I read some articles about what they are and why it is allowed to keep them on by default, but they were very vague. So can someone explain it to me like I am five?
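As an added illustration (not from this thread), the following JavaScript models the banner behaviour described above: purposes carry a legal basis of "necessary", "consent" or "legitimate_interest", the initial state mirrors what many banners ship (consent purposes off, legitimate-interest purposes on), and two versions of "Reject all" are compared. The purpose names, the two handlers and the audit helper are constructed for this example and are not any real consent-management product's code.

```javascript
// Constructed purpose list: ids and legal bases are illustrative only.
const PURPOSES = [
  { id: "session", basis: "necessary" },              // strictly necessary, no consent needed
  { id: "analytics", basis: "consent" },
  { id: "ad_personalisation", basis: "consent" },
  { id: "ad_measurement", basis: "legitimate_interest" },
  { id: "audience_research", basis: "legitimate_interest" },
];

// Initial state as many banners ship it: only consent-based purposes start
// disabled; strictly necessary and legitimate-interest purposes start enabled.
function defaultState(purposes) {
  const state = {};
  for (const p of purposes) {
    state[p.id] = p.basis !== "consent";
  }
  return state;
}

// Weak "Reject all": clears only the purposes whose basis is consent and
// leaves legitimate-interest purposes exactly as they were, i.e. enabled.
function rejectAllWeak(purposes, state) {
  const next = { ...state };
  for (const p of purposes) {
    if (p.basis === "consent") next[p.id] = false;
  }
  return next;
}

// Stricter "Reject all": treats the click as an objection to legitimate-interest
// processing as well, so everything except strictly necessary purposes is off.
function rejectAllStrict(purposes, state) {
  const next = { ...state };
  for (const p of purposes) {
    if (p.basis !== "necessary") next[p.id] = false;
  }
  return next;
}

// Audit helper: which non-necessary purposes are still enabled after a
// "Reject all" click? A user pressing that button would expect an empty list.
function enabledNonNecessary(purposes, state) {
  return purposes
    .filter((p) => p.basis !== "necessary" && state[p.id])
    .map((p) => p.id);
}

// Stand-alone demonstration of the two outcomes.
const initial = defaultState(PURPOSES);
console.log("weak reject leaves on:  ", enabledNonNecessary(PURPOSES, rejectAllWeak(PURPOSES, initial)));
console.log("strict reject leaves on:", enabledNonNecessary(PURPOSES, rejectAllStrict(PURPOSES, initial)));
```

Running the audit helper against the state a banner actually stores after "Reject all" is a quick way to check whether a site behaves like the one described in the question: anything other than strictly necessary purposes still showing as enabled means the legitimate-interest toggles were left untouched.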
Yeah, it absolutely is vague. I had reason to read some GDPR stuff a while back - that phrasing is just lifted from there. Article 6 is about what reasons you could have to store private info. 1f is, apparently... yeah, you're just "legitimately" interested. Wonder what that means? So do I.
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.)
There are 2 more questions it sounds like OP is asking -
Why are legitimate-interest cookies allowed to be defaulted on?
Why are they allowed to be hidden in a different menu?
I didn't see any answers to these questions in my quick read-through. Nothing about default settings on the GDPR website and the menu thing sounds like obfuscation. Now whether it's to make the cookie menu more user friendly or gather more data for the company... or both? Don't know. The GDPR website does mention that
The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job.
So maybe the legal side for this is still in the works.
It's extra weird because by definition, whatever they thought "legitimate interest" really meant, they wouldn't need your consent for. That's a different letter or clause or whatever.
To use legitimate interest as a reason to process data you need to be able to argue that you do actually have a good reason to do so and that the user would expect you to process it.
For example, I think that websites have a legitimate interest in anonymously tracking your browser behaviour to analyse performance data and errors so that they can improve their app.
The loophole is that advertisers use it to process way too much data (when they are pretty much the reason for the bloody law in the first place) and that nothing is done about it.
I know right? Now, I'm not a lawyer, but it seems interesting because of what it isn't. 1a through e are consent, needed for business, legal obligation, (your) vital interests or another being, or public interest/authority.
So after all that, you have to figure... what legitimacy's left?
Just a reminder that there's never such a thing as "a loophole". What there is is a carefully-worded, innocuous-sounding phrase that some corporation "helpfully" got added to a law or regulation (usually "for clarity"), and which the corporation already plans to mis-use in a given way should the appropriate circumstances arise (and in contradiction of all "we should never do that!" protestations they might make prior to the law or regulation taking effect).
When you log in to a website they need to give you a secret password so that when you go to the next page you can tell them that secret again and they will let you access information you have permission for (your Facebook wall for example). That secret is stored in a cookie and every time you go to another page the cookie is sent to Facebook so they know who you are again.
In this instance a cookie is the wrist band you get at a concert so they can easily check that you purchased a ticket. You don't want to have to show your ticket every time you leave and come back into the concert because that's slow, you just flash the wrist band and they let you in.
I know what a cookie is.
I was asking what are legitimate-interest cookies and what makes them different so they don't need explicit consent under GDPR.
It would help to clarify in the post that you're interested in the legal aspects for the EU under the GDPR.
To answer your question though, on the GDPR website I thought these snippets were the most helpful:
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
Receive users’ consent before you use any cookies except strictly necessary cookies.
....
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
....
The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job. However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.
Edit:
Sorry, forgot the ELI5. As long as the website informs users why a cookie is necessary for the website to function correctly, it can be classified as 'strictly necessary' and not require consent. As far as what's "necessary"... that's still being defined and will probably be reviewed on a case by case basis.
It's rather vague to me too; the most helpful summary I found was this one:
In general, the condition applies when:
The processing isn’t required by law, but there’s a clear benefit to it;
There is little risk of the processing infringing on data subjects’ privacy; and
The data subject should reasonably expect their data to be used in that way.
So "we don't have to do this, and most likely it won't be privacy sensitive, and you probably already know we want to do this, but you can still opt out"
Advertisers have a legitimate interest to process your data and they use the legitimate interest option to do so, completely ignoring the fact that they need to infringe upon your privacy to do it.
I set my browser to clear out all cookies for websites unless I've whitelisted the website. The whitelist is a very short list of sites I visit that I actually want it to remember that I've logged in.