towerful ,

There is necessary data processing. This is like the server knowing your IP address. Whilst the IP is personal data, it is required for network communication to work, and the server needs to know where to send the packets. But it doesn’t necessarily need to be stored.

Legitimate interests are legit things like security and fraud.
With the IP example, this could be storing your IP address along with some server metrics for a few hours to make sure you aren’t trying to DDOS the server. This is a legitimate interest that doesn’t need consent, as it is protecting company assets.
Similar with fraud.

Legitimate interests that don’t ask for consent have to be backed up in the privacy policy. And because it’s all wishy washy wording, the privacy policy can be challenged. So it’s a barrier of entry to stop companies making everything legitimate interests.

Where it gets funky are things like targeted ads, 3rd party ad companies etc.
An ad company’s legitimate interests are at odds with the end user, indeed their whole business model is at odds with the end user.
They have similar concerns about security as above.
However, their product is delivering ads to users, proving they have been delivered, and proving that the delivered ad has influenced the user’s behaviour. That is their ideal business model.
So, whilst processing your IP for DDOS protection, they might also tack on some log monitoring to see if “ad on Y page made you visit Z store page”.
This is using data already collected for a legitimate interest (DDOS protection), however it is processing it to track a user… Which is also the company’s legitimate interest, however it will likely be challenged. At which point, it’s easier to have a consent option for the extra processing and save the hassle of having to legally defend the process.

Essentially, legitimate interests are processing user data.
They may be beyond the core functionality of the actual website/app (eg fraud prevention, DDOS protection), but required for the company to run the website/app. At which point they don’t need consent, as long as their privacy policy is up to scratch.
Or they could be extra functionality that isn’t actually required (like the log processing by an ad company) to serve the content, but might improve the experience (or generate the company more money).

How this all boils down in the wild is that a lot of tracking and processing still happens, consent popups have dark-pattern UIs with complex language hiding what it really means backed by a privacy policy full of legalese. A lot of these sites are probably still in breach of GDPR, but it’s hard to prove and hard to prosecute.
Most of the time, if a website makes an effort it’s enough. It’s only the big companies/processors that really need to be on the ball with it.
