They will because that's how things are supposed to work. For example your preference about tracking will get stored for that site. The same as login details. Those are legitimate interests and you never get an option for them.
"legitimate interest" is just weasel words. With some mental gymnastics, you can argue for anything to be legitimate. And you can continue to do so until someone steps up, challenges your claims in a court, and wins the case.
Claiming tracking cookies as "necessary" is often illegal under the GDPR. This is an enforcement problem, not a problem with the law itself, or the EU.
"Necessary" means "necessary for fulfilment of the contract". Your name and address are necessary data when you order off Amazon, your clickstream is not.
Monetizing is fine with me: There’s nothing stopping creators from showing relevant ads—ones they choose themselves. Sometimes I have even found myself wishing there had been an ad a few months ago for a software conference I just realized I missed.
If someone blogs about woodworking, show static ads for tools they actually use and love. If they're into programming, show JetBrains, cloud providers, or anything dev-adjacent. Totally fine by me.
The problem is that almost everyone defaults to Google Ads—which then serves me wildly irrelevant junk, think brain-melting pay-to-win mobile games or even scammy dating sites that have zero connection to the content I’m reading and zero relevance to my interests.
It’s not just noise, it’s actively degrading the experience.
Ah I remember the good-old day when people were selling "ad spaces" on their sites that weren't obtrusive. And usually the ads were things the author approved of or even used
I think you'll find that GDPR says the opposite and the only reason this continues to happen is because authorities don't have enough resources to go after every at the same time and also because European authorities have a hard time against US companies.
Have my upvote. I have just learned that targeted ads might be considered direct marketing. I always thought it was limited to things that had my name and address (physical, email or other) on it, excluding online ads unless they were part of a "logged in experience" like upsells inside the product I am currently using.
That said, I read the rest of the recital and I think it is rather clear to the degree that such things can be clear that if you didn't expect it, it isn't legal. Here are some quotes:
- "[...]provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller."
- "At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place."
I can assure you the even after reading this, if I have clicked "necessary only" (as this discussion started with) it is not my reasonable expectation that any data are stored except those that are strictly necessary for the navigation and the user visible features[1] of the site works.
I'll admit that it seems some people think there is an argument that can me made that online ads can be direct marketing, but I would not risk any of my savings to defend that claim in court and I don't think Facebook or Google want to help you either as they seem to trying their best to prevent people from targeting individuals or at least pretending they do. And if it does, it is still covered by the conditions above.
[1]: and yes, that means user features, so unless you are creating an online ad-collection of some kind, that probably does not mean ads
I never use those. I suspect that in many cases if there are "legitimate interest" options¹ those will remain opted-in.
----
[1] which I read as "we see your preference not to be stalked online, but fuck you and your silly little preferences we want to anyway"