75% of websites fail basic GDPR consent requirements — and one of the most common culprits is a toggle that looks like a solution. Most WordPress store owners who’ve set up CookieYes, Cookiebot, or Complianz have seen it: a category listed as ‘Analytics’ with a switch labelled ‘Legitimate Interests’. You enable it. The banner still shows. You feel compliant. You aren’t.
This isn’t a gotcha. It’s a genuinely confusing piece of UI sitting at the intersection of two different laws that most cookie plugin documentation doesn’t explain clearly. Here’s what’s actually happening — and why the toggle doesn’t do what you think it does.
Two Laws, One Checkbox: Why the Confusion Exists
The confusion starts with a legal architecture problem. Two separate regulations govern data collection in the EU and UK, and they operate at different moments in the data journey.
ePrivacy Directive Article 5(3) governs the act of placing a cookie on a visitor’s device. It’s triggered the moment your site writes anything to — or reads anything from — a user’s browser. This law requires consent. Full stop. Legitimate Interests is not listed as a valid basis.
GDPR Article 6 governs what you do with personal data after it’s been collected. This is where Legitimate Interests (Article 6(1)(f)) lives. It’s a valid basis for certain types of processing — fraud detection, security logging, direct marketing in some circumstances — but it applies to the processing that happens downstream, not to the cookie placement itself.
When you tick the LI toggle in your CMP for analytics or advertising, you’re applying a GDPR Article 6 basis to an ePrivacy Article 5(3) situation. The laws don’t overlap at that point. The toggle is solving for the wrong law.
What the EDPB Actually Said in October 2024
In October 2024, the European Data Protection Board published Guidelines 1/2024 on Legitimate Interests. The timing matters — these are the most current authoritative guidance on LI under GDPR, issued after years of enforcement data.
The guidelines confirmed that extensive profiling and targeted advertising activities are generally not compatible with Legitimate Interests as a legal basis. Google Analytics, Meta Pixel, and similar tracking tools exist specifically to profile user behaviour for advertising. The EDPB’s position is that this category of activity fails the LI balancing test because the impact on individual privacy is too high.
One month earlier, the CJEU issued its judgment in case C-621/22. The court confirmed that commercial interests can, in principle, qualify as legitimate under GDPR Article 6(1)(f). Some compliance commentators interpreted this as opening a door for ad tech. The EDPB issued immediate clarification: the C-621/22 ruling doesn’t override the ePrivacy requirement for cookie consent. You can have a legitimate interest in analysing your traffic — that doesn’t give you the right to place the cookie without consent.
The two-layer framework is clear: consent for cookie placement (ePrivacy), then a valid basis for processing (GDPR). Skipping layer one with a UI toggle doesn’t work.
What ‘Legitimate Interests’ Is Actually For in Your CMP
The LI toggle isn’t useless — it’s just misapplied when used for analytics and advertising. Here’s what it legitimately covers:
- Fraud prevention and security: Detecting bot traffic or suspicious login attempts — no cookie placement required, server-side analysis only.
- Load balancing and session management: Strictly necessary functions that may technically involve terminal storage but fall under the “strictly necessary” exemption rather than LI anyway.
- B2B direct marketing (UK PECR only): In limited circumstances, established business relationships may support LI for email marketing — but this is a PECR nuance, not a cookie consent bypass.
Analytics that track individual user behaviour across a session? That’s profiling. Advertising pixels that build audience profiles for retargeting? That’s the category EDPB 1/2024 called out directly. Neither qualifies.
The Scale of Enforcement Risk
This isn’t theoretical. €5.88 billion in total GDPR fines have been issued since enforcement began, with €1.2 billion issued in 2024 alone — and cookie consent violations are consistently among the most-cited reasons for investigations. The 75% failure rate on basic consent requirements (SecurePrivacy, 2025) means the majority of WooCommerce stores operating in the EU or serving EU visitors are exposed.
Supervisory authorities audit consent management in two main ways: automated crawlers that check whether cookies fire before consent, and complaint-driven investigations triggered by users who notice non-consensual tracking. Both routes find LI misconfigurations quickly because the cookies fire immediately regardless of what the visitor chose.
The Architectural Fix: Remove the ePrivacy Trigger
Here’s the practical resolution. The ePrivacy Directive Article 5(3) is triggered by storing or accessing information on the user’s browser. If your tracking doesn’t touch the browser, the trigger doesn’t fire. This is the reason server-side event capture exists from a compliance architecture perspective — not just for ad blocker bypass or attribution accuracy, but for legal design.
When a purchase completes on your WooCommerce store, the transaction data exists on your server. You don’t need to read a cookie from the visitor’s browser to know it happened. You can capture that event server-side, process it through your own infrastructure, and deliver it to GA4 via Measurement Protocol, Meta via Conversions API, or Google Ads via Enhanced Conversions — all without placing a tracking cookie in the visitor’s browser.
No cookie placed. No ePrivacy Article 5(3) trigger. No Legitimate Interests debate needed.
This is the architecture behind Transmute Engine™ — Seresa’s server-side event pipeline for WordPress. The inPIPE WordPress plugin captures events from WooCommerce hooks on your server, batches them to the Transmute Engine running on your own subdomain, and routes them simultaneously to your configured ad platforms via their server-to-server APIs. The visitor’s browser isn’t involved in the tracking step at all.
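The server-side capture described above, as an added example that is not inPIPE or Transmute Engine code: a WooCommerce hook handler that builds a GA4 purchase event from the completed order on the server and forwards it over the Measurement Protocol. The function and option names are hypothetical, and a GA4 measurement ID and API secret are assumed to be stored as WordPress options.

```php
// Added example, not inPIPE/Transmute Engine code: on payment completion,
// build a GA4 "purchase" event from the order and POST it to the Measurement
// Protocol. Nothing is read from or written to the visitor's browser.
add_action( 'woocommerce_payment_complete', 'example_forward_purchase_to_ga4', 10, 1 );

function example_build_ga4_purchase_payload( WC_Order $order ): array {
    $items = array();
    foreach ( $order->get_items() as $item ) {
        $items[] = array(
            'item_id'   => (string) $item->get_product_id(),
            'item_name' => $item->get_name(),
            'quantity'  => (int) $item->get_quantity(),
            'price'     => (float) $order->get_item_total( $item, false ),
        );
    }
    return array(
        // Server-generated client_id: no _ga cookie is consulted, so GA4
        // cannot stitch this event to a browser session (expected trade-off).
        'client_id' => 'srv.' . hash( 'sha256', 'order:' . $order->get_id() ),
        'events'    => array( array(
            'name'   => 'purchase',
            'params' => array(
                'transaction_id' => (string) $order->get_id(),
                'value'          => (float) $order->get_total(),
                'currency'       => $order->get_currency(),
                'items'          => $items,
            ),
        ) ),
    );
}

function example_forward_purchase_to_ga4( int $order_id ): void {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    // Hypothetical option names; api_secret is a server-side credential.
    $endpoint = add_query_arg( array(
        'measurement_id' => get_option( 'example_ga4_measurement_id' ),
        'api_secret'     => get_option( 'example_ga4_api_secret' ),
    ), 'https://www.google-analytics.com/mp/collect' );
    $response = wp_remote_post( $endpoint, array(
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( example_build_ga4_purchase_payload( $order ) ),
        'timeout' => 5,
    ) );
    if ( is_wp_error( $response ) ) {
        error_log( 'GA4 forward failed for order ' . $order_id . ': ' . $response->get_error_message() );
    }
}
```

The payload still carries order data, so this remains personal-data processing under GDPR Article 6 and needs its own basis even though no cookie is placed. The API secret never leaves the server, unlike a browser-side tag configuration.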
What to Do Right Now
If your site is currently relying on the LI toggle for GA4, Meta Pixel, or Google Ads tags, here are three immediate steps:
- Audit your CMP configuration. Open your cookie plugin settings and look at every category set to ‘Legitimate Interests’. If any of them map to analytics or advertising cookies, switch them to require explicit consent — or disable them until you have a compliant collection method.
- Check your tag firing rules. In GTM or your plugin’s tag settings, verify that analytics and advertising tags only fire after a positive consent signal. Tags that fire on page load regardless of consent status are a direct Article 5(3) violation.
- Evaluate server-side alternatives. For the data you genuinely need — purchase events, lead form completions, checkout behaviour — server-side collection means you capture what matters without the browser consent dependency.
The LI toggle isn’t a compliance shortcut. It’s a UI artefact from an era when this legal distinction wasn’t well understood. The October 2024 EDPB guidelines closed whatever interpretive gap existed.
Frequently Asked Questions
No. Google Analytics places cookies on the visitor’s browser, which triggers ePrivacy Directive Article 5(3). That law requires consent — not Legitimate Interests — for cookie placement. LI is a GDPR Article 6 basis that covers what you do with data after it’s collected, not whether you can collect it. Your CMP’s LI toggle does not satisfy the ePrivacy requirement.
The LI toggle in plugins like CookieYes and Cookiebot exists for server-side data processing activities that don’t involve placing cookies — such as fraud detection or security logging. These activities may qualify under LI. Analytics and advertising cookies don’t, because the cookie placement itself is subject to ePrivacy, not just GDPR.
Under current EU and UK law, you cannot run Meta Pixel without valid visitor consent for the cookie placement. There is no alternative legal basis for the client-side pixel. The architectural alternative is Meta’s Conversions API (server-to-server), which doesn’t place a browser cookie and sits outside the ePrivacy Directive’s scope.
The EDPB’s October 2024 guidelines explicitly stated that extensive profiling and targeted advertising are generally not compatible with Legitimate Interests as a legal basis under GDPR Article 6(1)(f). Combined with the ePrivacy requirement for consent on cookie placement, this removes any viable path to using LI for analytics or advertising cookies.
If your compliance setup relies on a toggle in a cookie plugin, it’s worth spending an hour verifying exactly what that toggle is — and isn’t — doing. The distinction between ePrivacy and GDPR is the distinction between a violation and a defensible position. Your CMP’s UI doesn’t tell you which side of that line you’re on.
