So almost every GDPR cookie consent banner out there has a section for “legitimate interest” cookies that they can leave on by default and you will inadvertently accept even if you choose “Reject all” unless you go to the detailed settings and disabled those too.
Some of them have dozens of legitimate-interest cookies.
I read some articles about what they are and why it is allowed to keep them on by default, but they were very vague. So can someone explain it to me like I am five?
They’re different because you can’t use the service without them. For example like with an auth cookie.
That’s a functional (or “strictly necessary”) cookie and those are the ones you cannot reject.
Legitimate-interest cookies are a different thing and you can indeed reject them, but they are on by default.