Legitimate Interest vs Consent for Cookies

Teams often try to justify analytics or ad cookies under "legitimate interest" to skip the banner. For cookies on an EU visitor's device, that reasoning fails at the first gate. Here's when consent is the only option, and the narrow cases where legitimate interest genuinely fits.

Can you skip the banner with "legitimate interest"? No

A pattern shows up in a lot of privacy reviews. A company runs Google Analytics or a marketing pixel, decides it has a "legitimate interest" in the data, and concludes it doesn't need to ask for consent. For cookies on an EU visitor's device, that reasoning breaks at the first step, and it's one of the more expensive misunderstandings in cookie compliance.

The confusion comes from treating cookies as a single legal question when there are actually two laws stacked on top of each other. The ePrivacy Directive governs the act of storing or reading information on someone's device. The GDPR governs what you then do with any personal data. They're separate gates, and you have to clear both. Legitimate interest lives in the GDPR gate. It does nothing for you at the ePrivacy gate, which is the one your cookie has to pass first.

The ePrivacy gate comes first, and it demands consent

Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended) is the rule most people skip. It says storing information, or gaining access to information already stored, on a user's terminal equipment (their browser, their phone) is allowed only with the user's consent. There are two exemptions, and only two: when the storage or access is done for the sole purpose of carrying out a communication, or when it's strictly necessary to provide a service the user has explicitly requested.

Everything outside those two exemptions needs consent before the cookie is set. Analytics, advertising, retargeting, personalization, A/B testing, session recording, social embeds: all of it. And the consent standard is the GDPR's, so it has to be freely given, specific, informed, and unambiguous. The Court of Justice made the active-consent part explicit in Planet49 (C-673/17, decided 1 October 2019): a pre-ticked box is not valid consent for a non-essential cookie. The user has to take a clear affirmative action.

Legitimate interest is not on the menu for cookie access

Here's the part that settles the argument. The European Data Protection Board addressed the interplay between ePrivacy and the GDPR in Opinion 5/2019, and the position is direct: where Article 5(3) applies, consent is the operative requirement for placing or reading the cookie. Legitimate interest under Article 6(1)(f) cannot be used as the legal basis to store or access information on the device. You clear the ePrivacy gate with consent, or you clear it with the strictly-necessary exemption. There's no third door labeled legitimate interest.

This matters for how you read a consent tool. If a banner offers you a "legitimate interest" basis for dropping non-essential cookies, that's a red flag for the storage layer, not a feature.

The TCF "legitimate interest" toggle trap

In IAB TCF banners you'll see certain advertising purposes offered under a "legitimate interest" tab. That can be defensible for some downstream ad-processing purposes on the GDPR side. It does not extend to the storage or reading of the cookie or device identifier itself, which still needs consent under ePrivacy Article 5(3). Don't let a TCF interface convince you that a legitimate-interest signal replaces cookie consent. The read and write of the identifier is a separate act with a separate rule.

Where legitimate interest genuinely fits

Legitimate interest isn't useless for tracking. It just operates on the layer above the cookie. Two situations are worth knowing.

First, when the cookie itself is strictly necessary, it's exempt from the ePrivacy consent requirement, so you never needed consent for the storage. The personal data that cookie involves then needs a GDPR lawful basis, and legitimate interest (or contract) often fits after a balancing test. Think session cookies for a shopping cart, a security or authentication token, load balancing, or fraud detection. Second, processing that never touches the user's device (server-side logs, data you already hold lawfully) can rest on legitimate interest under Article 6(1)(f) once you've done and documented the balancing exercise.

Recital 47 of the GDPR notes that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. People quote this to justify marketing cookies. It's about the GDPR processing layer only. It is not a licence to drop a marketing cookie without consent, because the ePrivacy gate still stands in front of it. See Recital 47 and Article 6 for the text.

A practical rule for classifying each cookie

For every cookie and similar identifier on your site, work through three questions in order.

  1. Is storing or reading this on the device strictly necessary for a service the user explicitly asked for, or purely to transmit a communication? If yes, it's exempt from consent. Pick a GDPR lawful basis for the data it involves (often legitimate interest or contract) and document why.
  2. If no, you need consent before it's set. There's no legitimate-interest shortcut for that storage. Block the cookie until the visitor opts in.
  3. For the personal data processed once consent is given, consent is usually also your GDPR basis. Keep both layers documented so you can show your reasoning if asked.

The mistake that gets sites fined is answering step one too generously, labeling analytics or advertising "necessary" to dodge the banner. Regulators read "strictly necessary" against the user's requested service, not your business goals. Analytics helps you, not the visitor asking for the page, so it isn't strictly necessary.
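The three questions above, written out as an added example (this is not CookieBeam's code, nor anything from the original article): a small classifier that assigns each cookie its ePrivacy basis and its GDPR basis, flags legitimate interest offered at the storage layer or a non-essential category mislabelled as necessary, and the block-until-opt-in gate and per-purpose consent record that steps two and three imply. The field names (`strictlyNecessary`, `userRequestedService`, `proposedGdprBasis`, `balancingTestRef`), the category labels, the sample cookie inventory and the `text/plain` script-tag convention are all assumptions made for the example.

```javascript
// Added example, not CookieBeam's code: the three-question rule as a cookie
// classifier plus the enforcement it implies (block until opt-in, record
// consent per purpose). Field names, category labels and the script-tag
// convention are hypothetical assumptions, not anything from the article.

const NON_ESSENTIAL = new Set(['analytics', 'marketing', 'preferences']);

// Question 1 (ePrivacy Art. 5(3)): exempt only if the storage or access is
// purely to carry out a communication, or strictly necessary for a service
// the user explicitly requested. "Useful for the business" never qualifies.
function ePrivacyBasis(cookie) {
  if (cookie.purpose === 'communication') return 'exempt';
  if (cookie.strictlyNecessary === true && cookie.userRequestedService === true) return 'exempt';
  return 'consent';
}

// Questions 2 and 3: pick the GDPR basis for the data and flag the two
// misconfigurations the article warns about.
function classifyCookie(cookie) {
  let ep = ePrivacyBasis(cookie);
  const result = { name: cookie.name, category: cookie.category,
                   ePrivacyBasis: ep, gdprBasis: null, error: null };

  // Step one answered too generously: an analytics or ad cookie labelled
  // "necessary" still needs consent; the label does not change the law.
  if (ep === 'exempt' && NON_ESSENTIAL.has(cookie.category)) {
    ep = result.ePrivacyBasis = 'consent';
    result.error = 'non-essential category labelled strictly necessary; consent is required';
  }

  if (ep === 'consent') {
    result.gdprBasis = 'consent'; // consent carries both layers
    if (!result.error && cookie.proposedGdprBasis === 'legitimate-interest') {
      result.error = 'legitimate interest cannot justify storing or reading a non-essential cookie';
    }
    return result;
  }

  // Exempt storage: contract or legitimate interest fits, but legitimate
  // interest is only defensible with a documented balancing test.
  const basis = cookie.proposedGdprBasis || 'contract';
  if (basis === 'legitimate-interest' && !cookie.balancingTestRef) {
    result.error = 'legitimate interest claimed without a documented balancing test';
  }
  result.gdprBasis = basis;
  return result;
}

// Consent record per purpose with timestamp and jurisdiction. Absence of a
// choice is "no": only an explicit true counts as an opt-in (Planet49).
function recordConsent(choices, jurisdiction, now = () => new Date()) {
  const purposes = {};
  for (const cat of NON_ESSENTIAL) purposes[cat] = choices[cat] === true;
  return { purposes, jurisdiction, timestamp: now().toISOString() };
}

// Gate enforcement: load only if storage is exempt or the visitor opted in
// to this category. No record at all means nothing non-essential loads.
function mayLoad(classified, consent) {
  if (classified.ePrivacyBasis === 'exempt') return true;
  return Boolean(consent && consent.purposes[classified.category] === true);
}

// Browser side (assumed convention): non-essential tags ship as
// <script type="text/plain" data-category="analytics" data-src="..."> and
// only become real scripts once mayLoad() allows them. Returns the count
// activated; `doc` is injectable so the logic can run without a DOM.
function activateScripts(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    const category = el.getAttribute('data-category');
    if (!mayLoad({ ePrivacyBasis: 'consent', category }, consent)) continue;
    const live = doc.createElement('script');
    live.src = el.getAttribute('data-src');
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Constructed sample inventory for a quick self-check (values are made up).
const SAMPLE_COOKIES = [
  { name: 'cart_session', category: 'necessary', strictlyNecessary: true,
    userRequestedService: true, proposedGdprBasis: 'contract' },
  { name: 'fraud_token', category: 'necessary', strictlyNecessary: true,
    userRequestedService: true, proposedGdprBasis: 'legitimate-interest',
    balancingTestRef: 'LIA-0001 (placeholder)' },
  { name: '_ga', category: 'analytics', strictlyNecessary: false,
    userRequestedService: false, proposedGdprBasis: 'legitimate-interest' },
  { name: 'ad_id', category: 'marketing', strictlyNecessary: true, // mislabelled
    userRequestedService: true, proposedGdprBasis: 'legitimate-interest' },
];

function buildManifest(cookies) {
  return cookies.map(classifyCookie);
}
```

`buildManifest(SAMPLE_COOKIES)` gives you the per-cookie record for both layers; in a browser you would call `activateScripts(record)` after the visitor opts in, and nothing shipped as `text/plain` executes before that. Note the asymmetry the rule forces: an exempt cookie loads with no record at all, while a non-essential one needs an explicit `true` for its category, and a missing or coerced value is treated as no consent.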

Getting the basis right for each cookie

  • Default non-essential cookies to blocked until consent

    Analytics, ads, personalization, and embeds all need prior consent under ePrivacy Article 5(3).

  • Don't offer legitimate interest as a basis for storing non-essential cookies

    EDPB Opinion 5/2019 rules it out for the Article 5(3) storage or access layer.

  • Reserve legitimate interest for genuinely necessary cookies and server-side data

    Security, fraud prevention, load balancing, and data you already hold lawfully.

  • Read "strictly necessary" narrowly

    Necessary for the service the user requested, not for your analytics or marketing.

  • Document both layers per cookie

    The ePrivacy basis (consent or exemption) and the GDPR basis for the data.

How CookieBeam handles the split

CookieBeam is built around exactly this two-gate model. You categorize each cookie and script (necessary, analytics, marketing, preferences). Necessary items load right away, and everything else stays blocked until the visitor opts in, so the ePrivacy gate is enforced in code rather than promised in a policy. See how to block scripts before consent for the mechanics.

Consent is then recorded per purpose, with a timestamp and the jurisdiction that applied, so you can show which basis you relied on for which activity (consent logging and audit requirements). What CookieBeam doesn't do is offer you a legitimate-interest toggle for storing non-essential cookies, because that basis isn't valid at the storage layer. To go deeper, read the GDPR cookie compliance checklist, our take on whether Google Analytics is GDPR compliant, and whether your analytics vendor is a controller or processor.