bryanrasmussen 2 days ago

Preventing fraud and info security are legitimate; direct marketing may be legitimate but probably is not.

Direct marketing that I believe is legitimate: offers with a rebate on a heightened service level if you currently have a lower service level.

Direct marketing that is not legitimate: this guy has signed up for autistic service for our video service (silly example, don't know what this would be), therefore we will share his profile with various autistic service providers so they can market to him.

friendzis 2 days ago

> preventing fraud

Fraud prevention is literally "collect enough cross-service info to identify a person in case we want to block them in the future". Weasel words for tracking.

> therefore we will share his profile with various autistic service providers so they can market to him.

This again falls under legitimate interest. The user, being profiled as x, may have a legitimate interest in services targeting x. But we can't deliver this unless we are profiling users, so we cross-service profile users, all under the holy legitimate interest.

troupo 1 day ago

> Fraud prevention is literally "collect enough cross-service info to identify a person in case we want to block them in the future". Weasel words for tracking.

You're literally not allowed to store that data for years, or to sell/use that data for marketing and actual tracking purposes.

friendzis 1 day ago

You would not be allowed if not for legitimate interest.

Websites A and B buy fraud prevention service FPS, website A flags user x as fraudulent, how should FPS flag user x as high risk for website B if consent from user x was required?

Legitimate interest literally allows FPS to track users, build cross-service profiles, process and store their data in case FPS needs that data sometime in the future. Under legitimate interest, a response to the query "What's the ratio of disputed transactions for this user?" is a perfectly legal trigger to put all that data to use, even though it is for all intents and purposes indistinguishable from pre-GDPR tracking.