> 2. Why is there a second set of things to opt out of as "Legitimate Purpose"? Why doesn't the "Reject All", when present, cover these too?

Because you need to name stuff like session ID cookies, load balancer backend cookies and other stuff that is necessary for operation ("legitimate interest")... but you do not need consent from the user for these.




Session IDs and load balancer cookies would be required cookies; "legitimate purpose" is a different concept.


The whole point of misusing legitimate purpose is they're trying to end-run around consent. It's a bad hack until one of the national data protection agencies decides to say "no, you can't do that" and then it goes away.


> Because you need to name stuff like session ID cookies, load balancer backend cookies and other stuff that is necessary for operation

No you don't. You don't need to ask for permission for data you collect/store that is strictly required for your business to operate.

Key word: strictly required.

Meanwhile these leeches have latched on to a more nebulously defined "legitimate interest".

For example, if you need fraud protection for your order-processing business, you have a legitimate interest to process and store more data than is strictly required. Since such legitimate interests are innumerable they are not explicitly defined in the law.

So, the parasites clamp things like "siphon your data and sell it to the highest bidder" under "legitimate interest". Which skirts the law, and will fall apart under scrutiny. See the three-part test by UK's data authority, https://ico.org.uk/for-organisations/guide-to-data-protectio... (UK is so far still bound by GDPR)


I think they might be referring to the dark pattern where there are two sets of "Legitimate Purposes":

1. Actual legitimate purposes for core functionality

2. A toggleable "legitimate purposes" under the ads section

Presenting the second option could be construed as malicious compliance or just dishonesty.

On sites where I've seen this, there is no one-click option to disable those, which should make them non-compliant with GDPR.
