Nextgrid 6 hours ago

The lack of enforcement is consistent across all companies big and small so I don’t think it counts as regulatory capture.

kuschku 6 hours ago

Tbh, Google and Facebook, after several enforcement actions, now provide a simple "Reject All" button, while most smaller websites don't. I'd argue that's the opposite of regulatory capture.

rglullis 5 hours ago

Yeap, but the thing is:

- they don't care about the cookies they are setting on their properties, if most of the functionality they have requires you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.

Fargren 5 hours ago

This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three options are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR is that it's illegal for them to ask me to make this choice. I'm in Spain, this is probably not the same worldwide.

Nextgrid 5 hours ago

The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it. The YouTube consent screen for example includes this as a mandatory item:

> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services

I don't believe this complies with the GDPR to have this mandatory.

youngtaff 4 hours ago

IP address is considered personal data and can be considered personally identifiable data in some circumstances, for example if you can geolocate someone to a small area using it.

close04 6 hours ago

> An IP address is not "personally identifiable data".

GDPR says it is [1][2].

> We are almost 10 years into the GDPR, and we still have these gross misunderstandings

Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:

> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;

From Recital 30:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses

[1] https://gdpr.eu/eu-gdpr-personal-data/

[2] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...

rglullis 6 hours ago

When an IP address is linked to any other data, then it counts as PII. By itself, it's not. So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legitimate interest to serve anything, because you will need their IP address".

kuschku 5 hours ago

An IP address linked with the website being accessed is already PII. When serving content, you're by necessity linking it to a website that's being accessed. For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.

rglullis 5 hours ago

> a display in their offices that showed the IP address (...) that's not saving or publishing

You are not sharing with a third-party, but that sure falls into processing and publishing it.

close04 5 hours ago

IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)

Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.

rglullis 4 hours ago

Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it constitutes processing. So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need a consent screen that says "we collect your IP address", if that's all you do.