Legitimate interest is one of the key concepts in the General Data Protection Regulation (GDPR). However, it is often a confusing concept, and website owners are unsure how to implement it correctly.
Can you have a legitimate interest in processing personal data without user consent?
Read this blog to find out the answers to these questions.
What is Legitimate Interest under the GDPR?
Under the General Data Protection Regulation (GDPR), a legitimate interest is a legal basis for the processing of personal data. Processing the personal data of your users is not lawful without consent. However, you can process personal data if you have a legitimate interest to do so.
Legitimate interests can include things like protecting the security of a service or your network, improving the performance of a service, fraud detection, or enabling a company to meet its legal obligations.
Even if you consider data processing to be necessary, legitimate interest must respect the fundamental rights and freedoms of individuals. The rights of the individual must be considered and the data processing must not be excessive or unnecessary. There must be solid reasons for processing the data, the processing must be necessary and there must be no other reasonable way of achieving your tasks. If the individual objects to the processing, the organization must be able to demonstrate that its legitimate interests override the individual's rights.
Legitimate interests can be personal, commercial, or even societal interests.
When does Legitimate Interest apply?
To determine whether your purpose for processing data qualifies as a legitimate interest, you should conduct a GDPR Legitimate Interest Assessment (LIA), as recommended by the UK’s Information Commissioner’s Office (ICO).
The three-part LIA test consists of the following:
- The purpose test. Evaluate whether your purpose for processing data is legitimate.
- The necessity test. Show that processing the data is necessary for said purpose.
- The balancing test. Make sure that a legitimate interest does not violate the rights or interests of the individuals.
Keep a record of your LIA to demonstrate compliance if asked.
1. The purpose test
The term “legitimate interest” is broad. However, to have a legitimate interest, you must show that you, or a third party, have some clear and specific benefit or outcome. It is not enough to rely on generic business interests.
For example, you could not simply state that you have a legitimate interest in processing customer data, as this is too generic and does not clarify your purpose. Instead, you could say, for example, that you have a legitimate interest in marketing your goods or services to your customers to increase sales.
While any purpose could potentially be relevant, that purpose must also be legal. Anything illegitimate, unethical, or unlawful is not a legitimate interest. For example, although marketing and promoting your product could be a legitimate purpose, sending spam emails without user consent breaches European data privacy laws and thus makes your purpose not legitimate.
If your purpose is not legitimate and you do not meet the first part of the LIA test, there is no point in considering the remaining two tests: without passing the purpose test, you cannot use legitimate interests as your lawful basis.
2. The necessity test
The necessity test determines if the data processing is needed in principle to achieve the said purpose. This doesn’t mean that it is absolutely necessary to process the data of your users, but it must be a proportionate way of achieving your purpose.
You could ask yourself:
- Will the data processing help achieve the said purpose?
- Can you achieve the said purpose in some alternative way without processing the data?
- Is the level of data processing proportionate to your stated purpose?
- Could you achieve your purpose in a less invasive way?
Do not confuse processing that is necessary for the said purpose with processing that is only necessary because you have chosen such a method. If you could achieve your purpose in a less invasive way, then the more invasive way should be avoided.
For example, to track your website traffic and user interaction with it, it is not absolutely necessary to use Third-Party Cookies and services like Google Analytics. You could achieve your purpose by collecting aggregated or anonymized data rather than the personal data of individual users.
3. The balancing test
You need to find a balance between your interests and the fundamental rights and freedoms of your users.
The interests, rights, and freedoms of individuals are a broad concept that includes data protection and privacy rights under the GDPR, as well as other fundamental rights and more general interests.
You would be violating the interests, rights, and freedoms of individuals if an individual:
- could not exercise his rights, including data protection rights;
- could not control the use of his personal data;
- would receive any social or economic disadvantage.
Be particularly careful if the data belongs to children. You must ensure their interests and rights are protected.
What is Not Legitimate Interest Under the GDPR?
The GDPR does not specify much about what does not represent a legitimate interest. However, any purpose for which the user wouldn’t expect or wouldn't allow you to process his data does not constitute a legitimate interest.
For example, if a user orders a product from your website without registration and provides you with his contact details to process that particular order, marketing other products using the email or telephone number provided does not constitute a legitimate interest.
Could Cookies be Used as the Basis for Legitimate Interest?
One area where the legitimate interest basis is often used is in the context of using cookies and other tracking technologies.
First-party, strictly necessary cookies that are required to complete the user's order or to log in to his account constitute legitimate interest.
However, marketing or targeting cookies that collect and process website users’ personal information for marketing purposes do not fall under legitimate interest. The ePrivacy Directive and the GDPR require you to get user consent prior to using cookies. If you did not get user consent, you cannot use legitimate interests instead!
If you choose to rely on legitimate interests, you are taking on extra responsibility for protecting users’ rights and interests.
Examples of Legitimate Interests for Businesses
Here are some examples of legitimate interest for businesses:
- Fraud detection and crime prevention.
- Direct marketing.
- Network and information security.
- Debt collection.
- Employee monitoring.
- Client data management.
- Enforcement of legal claims.
- Physical security.
- Prevention of misuse of services.
- Research and development.
- Unsolicited non-commercial messages.
Fraud detection and crime prevention
Data processing for the purposes of fraud detection and crime prevention most often passes the purpose test; you just have to evaluate the balancing test for the specific case.
Direct marketing
Businesses or organizations may send information about their products or services that they think users will find relevant or interesting. However, they must clearly indicate to users that they can opt out of such information at any time, and how to do it. Providing relevant information for potential users could be considered legitimate interest as it benefits them, but it shouldn’t affect their rights or freedom.
Network and information security
Organizations must monitor and maintain the security of their platforms to prevent unauthorized access to the data or data theft since the protection of personal data is a legal obligation under privacy laws. Thus, processing personal data could constitute legitimate interests if it is necessary to maintain security, for data breach investigations, or to prevent unauthorized access to a network.
Debt collection
If an individual received a service or good from a company and did not (fully) pay for it, the company has a legitimate interest in processing his data for debt collection purposes. However, care should be taken not to disclose his sensitive personal information in public.
Employee monitoring
Employee monitoring for management purposes or safety could constitute legitimate interest, which is addressed in Recital 47 of the GDPR: “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”.
The processing of personal data of employees could constitute legitimate interest in these cases:
- Recruitment management.
- Background checks.
- Emergency management.
Client data management
Client data management could also constitute legitimate interest, which is addressed in Recital 47 of the GDPR: “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller”.
For example, a company could record customer service calls or communication messages for the purpose of internal quality management.
In conclusion, if you’re processing the personal data of your users and aren’t sure that your purposes constitute legitimate interests, we recommend getting user consent to process their data. It is the safest option for GDPR compliance.
- Display a Cookie Consent banner on your website.
- Inform users about the types of cookies used and what their purposes are.
- Give users full control of cookie settings on the banner.
- Record all user Cookie Consents.
- Make a custom Cookie Banner that fits your website design.
- Show a cookie table for full disclosure of cookies.
- Show an auto-translated banner using the geotargeting function.
- Auto-block Third-Party Cookies until the user gives consent.
Frequently Asked Questions
What is legitimate interest under the GDPR?
When does Legitimate Interest apply?
The UK’s Information Commissioner’s Office recommends conducting a GDPR Legitimate Interest Assessment (LIA) to determine if your data processing is in legitimate interests. The three-part LIA test consists of the purpose test, the necessity test, and the balancing test. Choose CookieScript Consent Management Platform, and we will take care of your website's GDPR and other privacy laws' compliance issues!
How to apply legitimate interests in practice?
You need to carry out a Legitimate Interest Assessment (LIA) and document its outcome so that you can demonstrate that legitimate interests apply. There are no specific rules on how to perform this. However, in practice, you should perform the LIA test, document the outcome, and then perform an audit of your decisions and justification for personal data processing.
What are examples of legitimate interests for businesses in practice?
Here are some examples of legitimate interest for businesses: fraud detection and crime prevention, direct marketing, network and information security, debt collection, employee monitoring, client data management, enforcement of legal claims, fundraising, physical security, prevention of misuse of services, research and development, and unsolicited non-commercial messages.
Can direct marketing be a legitimate interest for businesses?
Businesses or organizations may send information about their products or services that they think users will find relevant or interesting. However, they must clearly indicate to users that they can opt out of such information at any time, and how to do it. Providing relevant information for potential users could be considered legitimate interest as it benefits them, but it shouldn’t affect their rights or freedom.
Could cookies be used as the basis for legitimate interest?
First-party, strictly necessary cookies that are required to complete users' orders or to log in to their accounts could be the lawful basis for legitimate interest. However, marketing or tracking cookies that collect and process website users’ personal information for marketing purposes do not fall under legitimate interest. The ePrivacy Directive and the GDPR require you to get user consent prior to using cookies. If you did not get user consent, you cannot use legitimate interests instead!