Legitimate interest is one of the most confusing concepts in the GDPR. However, it is an important concept to understand if you manage a company website or work in marketing or sales.
The General Data Protection Regulation (GDPR) is all about consent and the measures that must be taken to safeguard the data of EU citizens.
Whenever you collect and process people’s personal data, you need – almost by default – to ask for their permission (consent).
However, there is a feature built into the GDPR called Legitimate Interest – a loophole to avoid asking for consent for collecting and processing personal information. Sounds good, right? Well, you need a very good reason; it has to be legitimate; and you need to document it thoroughly. Let’s take you through legitimate interest in the GDPR.
What is legitimate interest under the GDPR?
As a company or organization, you may need to process personal data in order to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, processing of personal data can be justified on grounds of legitimate interest.
However, the requirements in the GDPR for claiming legitimate interest to collect and process people’s personal data are very strict.
Collecting and processing the personal information of internet users (or people in general) requires their consent. This is how it is stated in the General Data Protection Regulation (GDPR). However, you can also process users’ personal data without asking for consent if you can claim – prove and document – a legitimate reason to do so.
Let us start by diving straight into Article 6(1) of the GDPR. It concerns the lawful processing of personal data.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
For most company websites, and for the website owners, managers, marketers and salespeople considering whether their processing of personal data is lawful, typically only points (a), (b) and (f) will apply:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Now, the challenge with (a) is that it can be difficult, and often expensive, to collect consent on a website, especially if the consent has to be valid with respect to Recital 32 of the GDPR and thereby be “clear, affirmative and freely given”, i.e. explicitly given by the user.
Therefore, it is only natural for website owners and marketers to look to (f) for assistance. If you could somehow justify personal data processing as a legitimate interest, collecting consent would not be necessary.
For the majority of websites using third-party cookies (including Google Analytics, whose cookies are set so that they appear as first-party cookies), it is (a) rather than (f) that will apply. This means that obtaining consent prior to the collection and processing of personal data is obligatory.
Legitimate interest vs. users’ fundamental rights and freedoms
Processing data under (f) “legitimate interests” requires that processing is absolutely necessary. If an alternative approach could fulfil the same goal without processing personal data, then processing is not lawful without consent.
Even if you deem processing to be necessary, legitimate interest must be weighed against the internet users’ fundamental rights and freedoms.
If you would like to claim legitimate interest, you should be prepared to prove what legitimizes your interest with respect to the general interests of the internet user.
An opinion issued by the Article 29 Data Protection Working Party, an independent advisory body to the European Commission, stated that the legitimate interest ground under Article 6(f) should be avoided:
In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions, and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.
Legitimate interest and direct marketing
Recital (47): “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
The last line of Recital 47 of the GDPR could seem to give website owners and marketers carte blanche to profile internet users and process all their data without ever asking. However, this is not the case.
Recital 47 of the GDPR
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The key thing to notice in Recital 47 is the verb “may”: it characterizes situations that could justify lawful data processing, but that do not necessarily or automatically do so.
The recital suggests an example where you (as website owner and data controller) may be able to justify data processing for your customers, provided that your customer “can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.
The recital goes on to specify that the customer’s interests and fundamental rights could override yours where the customer would not reasonably expect further processing of this data in the future.
Let’s take a look at an example. Say you run a pizza delivery service and need the customer’s address in order to deliver the pizza:
Were you to give the customer the choice to opt out of letting you process the personal information (the address), you would risk not being able to carry out your business task (delivering the pizza).
Therefore, the last sentence in Recital (47), “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, does not mean that you – or your third-party services – can by default collect and process data for profiling and marketing purposes without consent.
Instead, you must follow the requirements in (a) by collecting consent if the data you collect is going to be used by processors (third-party services) for marketing purposes.
Examples of third-party services:
- Google Analytics
- Facebook Pixel
The list is in no way exhaustive.
Therefore, if you use third-party services on your website which set cookies used for online profiling and direct marketing, you are ill-advised to rely on Recital 47 and skip collecting consent.
The recital does not allow direct marketing or third-party processors to track visitors’ behavior based on site visits, email engagement, IP addresses, geolocation, online identifiers etc. for marketing purposes.
In fact, Recital (70) rejects the possibility of claiming legitimate interest for processing personal data for marketing purposes.
According to Recital 70, the internet user has the right to object to the processing of personal data, including profiling, used for direct marketing.
If you want to use third-party services which collect and process personal information for marketing purposes, you need a freely given consent (see Recital 32) unless you can prove and document an actual legitimate interest.
Recital 70 of the GDPR
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
Legitimate interests summarized
If you would like to collect and process website visitors’ personal information and use this for direct marketing and/or share this information with third-party services who use it for online behavioral profiling, you have to decide whether or not your data collection and processing fall under your business’ legitimate interest or if it requires user consent. If the former, you have to prove and document legitimate interest.
If you claim legitimate interest, it requires planning and strategic thinking on your part. Before you process any data under legitimate interest, it is important that you follow a number of steps.
Link: Steps to claim legitimate interest under the GDPR (external link)
If you cannot prove legitimate interest, you have to obtain a valid consent from the user.
The requirements for consent are described in Recital 32 (must be “clear, affirmative, freely given” i.e. explicitly given by the user).
It is necessary that we take the GDPR seriously. The regulation defines how we as businesses can collect and process our visitors’ and customers’ personal information while still respecting their right to online privacy.
If you are uncertain whether you have a legitimate interest to collect and process personal data, stick to Article 6(1)(a) and obtain consent. It is easy to obtain a professional website solution that collects and stores GDPR-valid consents. Best of all, you do not have to worry about the legitimacy of data processing if the user has given his or her consent.
Let’s show you how.
Cookie Information’s Consent Solution
Take the next step in your company journey and become completely ePrivacy and GDPR compliant on your website. It creates trust in your brand that you safeguard your users’ personal data and provide the possibility for them to opt-out of tracking.
Furthermore, Cookie Information will handle all your cookie consents should you be subject to inspection by the Data Protection Authorities (DPAs). Fines for violations of the GDPR are rather hefty, and DPAs around Europe are beginning to investigate large and smaller companies for GDPR breaches, including website cookies that process personal data. Fines can reach €20 million or 4% of worldwide annual revenue (whichever is higher).
Try our Consent Solution for free for 30 days and get:
- GDPR-valid cookie pop-up banner (collects user consents)
- Deep scan (of your website cookies)
- Privacy controls (opt-out options)
- Storage of consents for up to 5 years (as required by law)
- SDK implementation options (for blocking cookies prior to consent)
- Compliance dashboard (complete overview of cookies, consents and acceptance rates)
Try your new Consent Solution today and become GDPR compliant on your website.