Legitimate Interest vs Consent in TCF
- Legitimate interest and consent are distinct GDPR legal bases that, when conflated in TCF, violate specific EDPB guidelines and CJEU rulings.
- Empirical studies show that 100% of cookie paywalls commingle these legal bases post-accept, with instances occurring even pre-interaction and persisting after paid subscriptions.
- This practice obscures the true basis of data processing, compromising transparency and user autonomy, and necessitating technical and regulatory revisions.
Legitimate interest and consent commingling refers to the systematic conflation of two distinct GDPR legal bases—“consent” under Article 6(1)(a) and “legitimate interest” under Article 6(1)(f)—within technical frameworks like the IAB Europe Transparency and Consent Framework (TCF), especially in the context of web cookie paywalls. Empirical investigations demonstrate that website operators frequently signal both legal grounds simultaneously for the same data processing purposes, contravening explicit European Data Protection Board (EDPB) guidance and Court of Justice of the European Union (CJEU) jurisprudence, thereby obscuring the applicable basis for data processing and undermining user autonomy (Morel et al., 2023).
1. Legal Foundations: Consent and Legitimate Interest under GDPR
Under the General Data Protection Regulation (GDPR), controllers must specify a lawful basis before processing personal data. Two bases feature prominently in tracking and advertising: “consent” (Art. 6(1)(a)) and “legitimate interest” (Art. 6(1)(f)):
- Consent: Defined in Art. 4(11) and Art. 7, consent must be given before processing starts, freely given (which excludes “pay-or-okay” scenarios), specific, informed (purpose-specific, e.g., “select personalised ads”), unambiguous, and withdrawable as easily as it was given.
- Legitimate interest: Requires a genuine, clearly identified interest of the controller; processing that is necessary for that interest; and a balancing test showing that the interest is not overridden by the interests or fundamental rights and freedoms of the data subject.
The CJEU has determined that “tracking-and-profiling-driven personalised content and behavioural advertising” can only rely on consent (Meta v. Bundeskartellamt, Case C-252/21, ¶ 117–118). Further, once consent is solicited, relying on legitimate interest as a fallback is prohibited (EDPB Guidelines 2020, ¶ 121–123; noyb complaints, § 3.4.1).
2. Empirical Measurement of Cookie Paywall Prevalence
A large-scale study (Morel et al., 2023) used an automated crawler over the Tranco top one million domains to detect cookie paywalls. Thirty-two containerized Firefox agents driven by Selenium visited each domain, captured DOM snapshots, and applied a text-heuristic classifier. Sites flagged as likely paywalls were then manually annotated with country, category, and monthly price.
Key findings include:
- Detection accuracy:
- Total prevalence: 431 cookie paywalls among the crawled domains
- Framework usage: All detected cookie paywalls implemented the IAB Europe TCF.
The distribution demonstrates a heavy concentration in Germany (73.6% of sites), with others distributed across France, Italy, Austria, and additional countries.
| Country | Number of Paywalls | Percent |
|---|---|---|
| Germany | 317 | 73.6% |
| France | 42 | 9.7% |
| Italy | 27 | 6.3% |
| Austria | 22 | 5.1% |
| Others | ≤6 each | <1.4% |
3. Technical Analysis of Consent and Legitimate Interest Commingling
Forensic analysis of TCF “TC strings” (the consent strings set by the CMP) was conducted in three states: pre-interaction, post-“Accept”, and post-paid subscription. For each of the 10 TCF purposes, two binary indicators were recorded per site:
- a consent indicator, set when the purpose is signalled under consent
- a legitimate-interest indicator, set when the purpose is signalled under legitimate interest
A “commingling flag” was set to 1 if, for any purpose, both indicators were set at the same time.
Principal findings:
- 100% commingle post-Accept: Every site indicated both consent and legitimate interest for at least one purpose after user acceptance.
- Pre-interaction commingling: 14 sites had the legitimate-interest indicator set before any user input, for up to nine different purposes, including Purpose 1 (“Store and/or access information on a device”), which the TCF policies restrict to consent.
- Persistence after paid subscription: All 14 paid-only sites continued to signal legitimate interest “by default” for multiple purposes, including the vague or sensitive Purpose 10 (“Develop and improve products”).
- Advertising purposes: Three sites relied exclusively on legitimate interest for all personalised-advertising and content-personalisation purposes (TCF Purposes 3–6), despite contrary legal requirements.
| State | Commingled Sites | Note |
|---|---|---|
| Post-accept (all paywalls) | 431 | 100% |
| Pre-interaction | 14 | Up to 9 purposes |
| After paid subscription | 14/14 | Legitimate interest set “by default”, including Purpose 10 |
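The commingling check above is mechanical once the TC string is decoded: the TCF v2 core segment carries a 24-bit PurposesConsent field and a 24-bit PurposesLITransparency field, and a purpose is commingled when its bit is set in both. The script below is an added example, not code from the original study or from IAB Europe; it decodes the core segment by the fixed field widths of the TCF v2 specification and reports the commingled purposes and any legitimate-interest signal on Purpose 1. The TC strings it analyses are constructed by the small encoder in the same file (timestamps, CMP id and vendor sections are zeroed or omitted), so the output is known; the same `commingled_purposes` function works unchanged on TC strings captured from a real site's CMP.

```python
"""Decode the IAB TCF v2 core segment and flag purposes signalled under
both consent and legitimate interest (the commingling check of Section 3).
The encoder exists only to build CONSTRUCTED sample strings offline."""
import base64

# (field, bit width) for the TCF v2 core segment, in specification order,
# up to and including PublisherCC (213 bits). Vendor sections follow.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_texts", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]
PURPOSE_BITS = 24  # purpose 1 is the most significant bit of each field


def _b64url_decode(segment):
    # TC strings use unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_core(tc_string):
    """Return the core-segment fields of a TC string as a dict of ints."""
    core = tc_string.split(".")[0]          # segments are dot-separated
    bits = "".join(f"{b:08b}" for b in _b64url_decode(core))
    fields, pos = {}, 0
    for name, width in CORE_FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    return fields


def purposes_from_bitfield(value, width=PURPOSE_BITS):
    """Set of purpose IDs (1..width) whose bit is set; purpose 1 is the MSB."""
    return {i + 1 for i in range(width) if value >> (width - 1 - i) & 1}


def commingled_purposes(tc_string):
    """Purpose IDs carrying BOTH a consent bit and a legitimate-interest bit."""
    f = decode_core(tc_string)
    consent = purposes_from_bitfield(f["purposes_consent"])
    li = purposes_from_bitfield(f["purposes_li_transparency"])
    return sorted(consent & li)


def li_on_purpose_one(tc_string):
    """True if Purpose 1 (store/access information) is signalled under LI."""
    f = decode_core(tc_string)
    return 1 in purposes_from_bitfield(f["purposes_li_transparency"])


def encode_core(consent_purposes, li_purposes, version=2):
    """Build a CONSTRUCTED core segment with the given purpose sets.
    Every other field is zero; only the two purpose fields matter here."""
    values = {name: 0 for name, _ in CORE_FIELDS}
    values["version"] = version
    values["purposes_consent"] = sum(1 << (PURPOSE_BITS - p) for p in consent_purposes)
    values["purposes_li_transparency"] = sum(1 << (PURPOSE_BITS - p) for p in li_purposes)
    bits = "".join(f"{values[n]:0{w}b}" for n, w in CORE_FIELDS)
    bits += "0" * (-len(bits) % 8)           # pad to a byte boundary
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed "post-Accept" string: every purpose under consent, and
    # purposes 2-10 additionally under legitimate interest.
    post_accept = encode_core(set(range(1, 11)), set(range(2, 11)))
    print("post-accept TC string:", post_accept)
    print("commingled purposes:", commingled_purposes(post_accept))
    # Constructed "pre-interaction" string: no consent at all, but LI
    # already set on purposes 1-9 before the user has clicked anything.
    pre_interaction = encode_core(set(), set(range(1, 10)))
    print("LI on Purpose 1 before interaction:", li_on_purpose_one(pre_interaction))
```

Run against strings harvested from a CMP (the `euconsent-v2` cookie or the `TCData.tcString` value returned by `__tcf_api('getTCData', 2, cb)`), a non-empty result from `commingled_purposes` reproduces the flag the study computed per site and per state.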
4. Regulatory and Jurisprudential Constraints
GDPR and ePrivacy Directive establish definitive boundaries for the use of legal bases:
- Blocking effect: Once consent is requested, subsequent reliance on legitimate interest violates fairness (EDPB 2020, ¶ 121).
- Consent for tracking: ePD Art. 5(3) mandates prior, freely given consent for non-essential cookies; DPAs argue paywalls that mandate acceptance of tracking vitiate consent (CNIL 2022).
- Behavioural advertising: the CJEU (Meta, C-252/21) held that personalised advertising and the profiling behind it require the user’s informed consent and cannot rest on legitimate interest.
- Country-level DPA enforcement: German Lower Saxony DPA prohibits “pay-or-okay”; Spanish AEPD requires genuine and disclosed alternatives; French CNIL enforces “real and fair” alternatives at reasonable cost; Austrian DPA demands per-purpose choice.
The observed technical practice—encoding both consent and legitimate interest for the same TCF purpose—systematically violates these requirements by masking the true legal rationale for data processing.
5. Implications for User Autonomy and Transparency
The commingling of legitimate interest and consent in TCF implementations directly undermines GDPR mandates for independent, transparent notification and choice regarding each lawful basis. This practice erodes user autonomy and frustrates the regulation’s intent to protect fundamental rights online. Furthermore, the lack of significant adaptation by website operators in response to adverse DPA and CJEU decisions highlights a disconnect between regulatory guidance and technical deployment.
A plausible implication is that without explicit regulatory and technical interventions, user rights will continue to be opaque in practice and enforcement efficacy will remain limited.
6. Remediation and Technical Recommendations
To address legitimate interest and consent commingling, the following measures are identified:
- Prohibit “custom” local-storage fields for legitimate interest or advertising purposes, impeding Consent Management Platforms (CMPs) from concealing the operative legal basis.
- Amend TCF specification (post-v2.2) to require a machine-readable “legal basis signal” precluding simultaneous consent and legitimate interest flags per purpose.
- Regulatory clarification: Urge the EDPB to issue pan-European guidelines on (i) what constitutes an “appropriate” fee, (ii) the “blocking effect” of consent, and (iii) leverage-based consent prohibition in paywalls.
Absent these interventions, the pervasive commingling of consent and legitimate interest will persist as a regulatory and technical challenge (Morel et al., 2023).