First off, INAL, and my data protection training pre-dates the GDPR.

Things like security, fraud prevention, but also direct marketing. In the sense of a shop you already bought something at sending you an email “hey we’ve got a new shipment and you bought these teas before so we think you might like this one”. The last one has to be opt-out, and indeed be direct, they can’t do “hey check out our parter stores and have you heard of Raid Shadow Legends”. Essential in that context would only be processing information strictly necessary to fulfil the contract, which would be more restrictive than IRL (where your tea guy indeed does remember what you like).

The data you collect has to be necessary for that legitimate interest, and you have to balance it against the consumer’s right to privacy. In a nutshell: If someone would complain, or someone reasonable (legal term :) wouldn’t expect you to use the data in the way you do, better get a lawyer.

Meta tried to argue that it covers all the tracking and all the advertisement they want to do “because we have a legitimate interest to earn money and the user wants a service and privacy doesn’t matter”, they ran against a brick wall with that one. Legitimate marketing in their case would be to tell you about their other platforms.