For what it's worth, at least on my Swedish model, this seems to be gated behind an opt-in (default off!) consent toggle. It was buried in several layers of menus, and not even mentioned during the setup process.
So I would assume that this is mostly an issue in non-GDPR regions (or they're doing some really ugly legal shenanigans to ignore the denied consent?).
> Legitimate interests is most appropriate as a lawful basis where companies use personal data in a way that individuals can reasonably expect. If it impacts individuals, it can still apply if the controller company can justify there is a compelling reason for the impact the processing will have.
> Companies can rely on legitimate interests for marketing purposes if they can prove that the data usage is proportionate and fair to the user. It must have a minimal impact on the user in privacy terms and be for a reason that people would not be surprised at.
Sadly I would reasonably expect Samsung to sell the data and I would not be surprised by it.