Legitimate interest has become one of the key concepts to be aware of in the new data protection framework. It is also a concept that many seem to find confusing and are unsure as to how it will affect them. In this blog, we aim to address some of the questions surrounding it to provide some clarity on what legitimate interest is and when it might be relevant.

First of all, let’s have a basic understanding of what legitimate interest is.

What is GDPR’s legitimate interest?

Legitimate interest is one of the lawful bases for processing personal data. Under the GDPR, you can process personal data if you have a legitimate interest in doing so.

This legal basis is only available in certain circumstances. If your organization relies on legitimate interests as its lawful basis, you must be able to show an appropriate reason for processing the data. There are also limits: the processing must be necessary for that purpose, and there must be no other reasonable way of achieving it.

Relying on legitimate interest requires a careful assessment of the circumstances surrounding the processing. This includes the nature of your relationship with the individual whose information you wish to use, e.g. whether the individual uses a service provided by you.

When does legitimate interest apply, and how do you demonstrate it?

To determine whether you can rely on legitimate interests, assess whether your purpose for processing is a legitimate one. You should consider:

  • The benefits of processing the data.
  • Whether the processing is necessary for achieving those benefits, and if so, whether there are alternative means of achieving them without processing personal data at all (e.g. through anonymization or pseudonymization).
  • The nature of the personal data being processed, including how sensitive it is and any reasonable expectations users may have about how it will be used by you or by third parties in conjunction with their services or products (e.g. medical records).
  • The likely impact on users: whether your processing could cause them harm or distress if not handled appropriately (e.g. financial data).

The ICO formalizes this as a three-part test, called a Legitimate Interest Assessment (LIA):

  1. The purpose test: determine if your purpose for processing data is legitimate.
  2. The necessity test: make sure that processing is necessary for the said purpose.
  3. The balance test: make sure that the individual’s rights or interests don’t override your legitimate interest.

Using this test, you can identify if your use of legitimate interest is valid.

You can use the ICO’s LIA template to carry out your assessment.

What is not legitimate interest under GDPR?

The GDPR says little about what does not constitute a legitimate interest. However, any purpose that the user would not reasonably expect does not fall under the legitimate interest basis.

For example, if a user orders a product from your website as a guest without signing up for an account, you may process data such as their email address and payment details to fulfil the order. However, you cannot use their contact details to send them emails about special offers or promotions: they did not share those details with you for that purpose.

The ICO also provides a checklist (which incorporates the LIA). If one or more of its items does not apply to your processing, you cannot rely on legitimate interest as your basis.

[Figure: ICO checklist for legitimate interest. Source: ICO]

What are examples of legitimate interests?

Examples of legitimate interests include:

Direct marketing

The GDPR’s effect on marketing is huge. However, marketers are still puzzled about the right approach.

Recital 47 of GDPR states that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Organizations may send information that they think users will find relevant or interesting. However, it must be clear to the user that they can opt out at any time. For example, if you are a SaaS company and want to email your customers about upcoming special offers, this could be seen as a legitimate interest because it benefits them and does not affect their rights or freedoms.

Here are the marketing methods that are likely to fall under legitimate interest:

[Figure: marketing methods likely to fall under legitimate interest. Source: ICO]

Network and information security

You may rely on legitimate interest as the justification for processing that is needed to protect your users’ personal data. For example, if you run a website that collects sensitive information, you must maintain reasonable security measures to prevent unauthorized access to or use of that data. As long as you do so, the processing required to maintain that security serves a legitimate interest.

Fraud detection and crime prevention

If your business handles sensitive data such as credit card numbers, some laws require you to verify the identity of your customers. In this case, you can rely on legitimate interest to analyze customer data for signs of fraud or criminal activity.

Processing employee or client data

There are many situations where processing employee or client data is a legitimate interest. One example is using payroll software to process your employees’ pay. In this case, the processing of personal data is necessary for the legitimate interest of paying your employees properly and keeping their records up to date.

Another example is running background checks on potential employees who have applied for jobs at your company. This is also considered a legitimate interest because it helps protect your company from hiring someone who might not be qualified for the position.

What does legitimate interest mean for cookies?

In the early days of the internet, cookies were used to improve a website’s usability. They made it easier for users to log in and allowed them to save their preferences. Over time, cookies have become more entrenched in how we use the internet.

So, can a website rely on legitimate interest to set cookies? Some sites claim a legitimate interest in collecting personal data from users and use it to bypass cookie consent. The question is: can they? The answer lies in the text of the laws themselves.

Website cookies often serve marketing purposes. Although Recital 47 explicitly states that legitimate interests can be claimed for processing personal data for direct marketing purposes, Recital 70 states that users have the right to object to data processing for direct marketing purposes. Users must therefore have the choice to reject such cookies if they want. That means legitimate interest may not be a viable basis here.

What about other types of cookies that aren’t related to marketing?

The ePrivacy Directive and the GDPR are the two legal instruments that govern the use of cookies within the EU. The ePrivacy Directive directly regulates cookie usage, whereas the GDPR governs the personal data processed via cookies. The two work together to protect the personal data of EU residents. So even if cookies could be set without consent under legitimate interest in the GDPR, the ePrivacy Directive creates a direct conflict: one of its mandatory requirements is that websites obtain explicit consent from users before storing cookies that are not strictly necessary or technical. Some cookies track user behavior; while this may be useful for improving a website’s services, it also intrudes on users’ privacy in a way that is neither necessary nor expected by them.

Therefore, a legitimate interest cannot be used as a legal basis for processing personal data using cookies.


Legitimate interest vs consent

Consent and legitimate interest are two different concepts that both relate to the processing of users’ personal data. Legitimate interest is an exception to the need for consent under the GDPR.

Consent is a more stringent requirement for businesses because it requires that a user affirmatively agrees to the use of their personal data. Legitimate interest, on the other hand, can be used by businesses without consent from users if they can demonstrate that the use of this information is necessary for the proper functioning of their business.

In other words, legitimate interest is when you have a legitimate reason to process someone’s personal data. Consent is when they give you permission to do so.

When using legitimate interests as a legal basis for processing personal data, it is important that these interests are specific and focused on what benefits the organization or its customers or users: for example, improving security, improving products, improving customer experiences, or training staff.

If your processing is based on consent, then you don’t need to do an LIA. You can just rely on consent as a legal basis.

In addition, while you must clearly communicate both to users to protect them from harm or deception, only consent requires affirmative action from the user before it becomes effective.

If you aren’t sure whether your purpose for processing personal data is legitimate, you should rely on another lawful basis, such as consent, to collect user data.

Frequently asked questions

What is a legitimate interest under GDPR?

A legitimate interest is a legal basis for processing personal data under the GDPR. It is one of the six conditions for lawfully processing personal data. This means that if you have a legitimate interest in processing an individual’s personal data, you do not need to obtain consent from them before doing so.

The GDPR states that processing is lawful under this basis if:

  • your purpose for carrying out the processing is legitimate;
  • it is necessary for fulfilling the said purpose; and
  • it is balanced against any impact on the individual’s rights and freedoms.

When can I use legitimate interest?

Legitimate interests are a legal basis for processing personal data. The GDPR states that you can only rely on this basis if the processing is in your or the individual’s legitimate interest, and the individual’s rights and freedom do not override it.

It is legal when:

  • the alternatives (other lawful bases, including consent) are not appropriate or achievable;
  • you have a clear and legitimate purpose for processing personal data; and
  • the processing is necessary for fulfilling that business purpose.

Should I accept legitimate interest?

Legitimate interest is a lawful basis for processing personal data under the GDPR and is an exemption from the need for consent. However, you must still tell people how you are processing their personal data, why it is necessary, and how long it will be kept. The GDPR requires that you tell people what information you hold about them, why you hold it, and how long it will be kept, in order to demonstrate transparency and accountability.

If you collect data from someone who has not given their consent, then you must include an explanation of your legitimate interest in collecting the data in your privacy notice.

What is the legitimate interest of data subjects?

The phrase “legitimate interest of data subjects” refers to the vital interests of the individuals whose data is being collected and processed by businesses. Legitimate interests under the GDPR are not generally discussed in the context of data subjects’ rights; here, however, it means processing that is necessary to protect the rights, freedoms, or even the life of data subjects. In that sense, the legitimate interest of data subjects corresponds to the vital interests basis that the GDPR grants businesses for processing personal data.