The Computer Oracle

What do cookie warnings mean by "Legitimate Interest"?

Music by Eric Matyas
https://www.soundimage.org
Track title: Life in a Drop

--

Chapters
00:00 Question
00:52 Accepted answer (Score 54)
01:46 Answer 2 (Score 44)
07:13 Answer 3 (Score 8)
10:44 Thank you

--

Full question
https://superuser.com/questions/1624416/...

Question links:
[decline/accept cookies for a while now]: https://superuser.com/questions/454757/w...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#internet #cookies

#avk47



ACCEPTED ANSWER

Score 60


Legitimate interest is a legal term from GDPR. You should read the GDPR to get a detailed explanation of what it is :), but in short it's any legal reason that justifies the need to process your personal data by the site. For example, if you order something from an Internet shop, the shop's legitimate interest to process your data is the need to complete your order.

However, the legitimate interest concept is often abused by sites and they list for example tracking users in order to "protect from fraud" as legitimate interest. If there is an option to turn this off, turn off whatever is possible. If there is something that is really needed for the site to function, you won't be able to turn that off :)




ANSWER 2

Score 53


Under GDPR there are 6 grounds based on which anybody can process personal data. Those are:

  • Consent

    You explicitly agreeing to it. This needs to be opt-in, informed, specific and freely given, but also gives the greatest freedom to a company.

  • Contract

    This is the basis which raj's answer confused with legitimate interests. This is the processing that is required to fulfil a contractual obligation (note that contracts do not always need to be signed, e.g. an order from an eshop).

    need to process someone’s personal data:

    • to deliver a contractual service to them; or
    • because they have asked you to do something before entering into a contract (eg provide a quote).

             Source: ico.org.uk

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

    Legitimate interests are the most flexible lawful basis for processing personal data. In the words of the UK's ICO 1:

    It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

             Source: ico.org.uk (worth reading!!!)

    The underlying text from the GDPR itself (definitions and links added are mine)

    processing is necessary for the purposes [=a specific minimal type of processing] of the legitimate interests pursued by the controller [=the company wanting to process your data] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [=you] which require protection of personal data, in particular where the data subject is a child.

             Source: GDPR Article 6(1)(f)

    So basically a legitimate interest claim by a company is them saying 'we are convinced that our interests outweigh the negligible impact on the privacy of the people whose data we process'. This doesn't give them a free pass though, as GDPR also gives the right to object

    The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point [public interest] or [legitimate interest] of Article 6(1), including profiling based on those provisions.

             Source: GDPR Article 21(1)

    This then requires the company to either concede and stop the processing or justify their claim. Companies in practice have taken this to mean they can basically just do a bunch of processing and as long as they make the objection process (=opt-out) easy enough the theory is that they will get away with it.

Notes:

1 The UK left the EU, but they still have by far the best English language resource explaining GDPR and for the time being "UK GDPR" matches "EU GDPR" one on one as far as I am aware.




ANSWER 3

Score 9


Since the question is about cookies, an answer that is based solely on the GDPR would be incomplete.

The confusing facts are that:

  • It is the ePrivacy Directive which controls the use of cookies (“the Cookie Law”)
  • It is the GDPR that controls the data which cookies process.

The GDPR defines six grounds for keeping user data that include Consent, Contract, Legal obligation, Vital interests, Public task and Legitimate interests. But because of the ePrivacy Directive, it is Consent that is mandatory, much before Legitimate interests. This means that Legitimate interest must still require consent.

Even if the website deems processing to be necessary, legitimate interest must be weighed against the fundamental rights and freedoms of the users.

The GDPR highlights the following as specific types of processing that are considered legitimate interest:

  • Fraud prevention
  • Network and information security
  • Indicating possible criminal acts or threats to public security
  • Processing employee or client data, direct marketing and intra-group administrative transfers will probably also be considered legitimate interest.

Recital (47) of the GDPR says: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. But the word "may" here does not give the website carte blanche for keeping user data.

The website must balance its interests against the individual’s. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, his interests override the website's legitimate interests.

Legitimate interest is actually pretty troublesome to use by a website. The website must document its justifications for using it, and must supply this documentation for any inquiry by users or the authorities. It must include details of its legitimate interests in its privacy information. It must also keep a record of its legitimate interests assessment (LIA), to help demonstrate compliance if required.

To that end, the UK's data protection authority suggests using a three-part test that includes the following:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

Having good answers available for all these three points is required to demonstrate legitimate interest. This rather heavy process should make a website think twice before claiming legitimate interest.

References: