Hacker News

I was referring to the grey area of legitimate interest in the law and how I was briefed to interpret it ca. 2021. Things may have moved on and I am not a lawyer. You might be right and what the lawyers told me back then isn't true or was true and is no longer considered true.

What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).

You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.




IANAL too.

I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.

Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.

Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.


> [...] but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.

Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?

If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.


One of the problems is that it is hardly possible to differentiate connections without gathering PII.

Even an IP address is PII; you may be lucky with some fingerprinting, but this won't be unique.


A cookie used solely for counting anonymous visits without storing individual identifiers generally wouldn't be considered personally identifiable information under GDPR.

At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.


You are right that if this is just a unique identifier that gets into the cookie and you cannot link it to the actual user then it's fine.

My point was rather for non-cookie-based kinds of identification, but it was not clear enough.



