Comment by oliwarner

1 day ago

There's obviously a lot more real world than they can codify into laws and examples but I think if you can get consent, you should get consent. The ICO:

> Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.

Session tracking, storing account information, addresses, etc. all seem obvious in any e-commerce system but you still have every opportunity to notify and consent that data collection.

I think you and I both think that data protection is a good thing, I'm just a little more wary of leaning on legitimate usage* as a way to skip formal consent.

I'm definitely not in favour of the “legitimate interest” bollocks. There is a significant difference between “absolutely necessary for running the site/app” and “we see your desire to not be tracked, but we want to track you anyway so we are going to make you click a bunch more things to opt out again, because fuck you and your silly little privacy”.