
Consent vs. Legitimate interest: what’s the difference?

Consent or legitimate interest: what do they mean exactly? Which one should you choose?
There isn’t one single answer, even though many data protection authorities across Europe have limited the use of legitimate interest.
But first, we need to understand why you need to choose between consent or legitimate interest in the first place.

Why do you need to choose between consent or legitimate interest?

Consent and legitimate interest are two of the six legal bases of the GDPR.
According to the GDPR, to start processing your users’ personal data, you need a legal basis, that is, a legal reason to validate your activity. For your processing activity to be lawful, it should be necessary to achieve your purposes. If you can achieve them without processing any data, or with the least amount of data possible, then the processing should be avoided, and you don’t need a legal basis.
Now, let’s have a closer look at what consent and legitimate interest mean.

The definition of consent is pretty straightforward: your users give you permission to start collecting and using their personal information.
However, for consent to be valid, it needs to meet specific requirements. As stated in the GDPR, consent should be freely given, specific, informed and unambiguous.

What does this mean, exactly?

It means that, before you start processing on the basis of consent, you need to make sure that your users have been informed about your activity and that they’ve agreed to it freely. This also means that the mechanism for acquiring consent should require a positive action by the user (e.g., you should avoid pre-ticked boxes in your consent forms). It’s also important to provide them with a means to withdraw their consent whenever they want.

You can learn more about consent and the GDPR here.

📌 What’s legitimate interest?

The UK’s ICO defines legitimate interest as the most flexible legal basis. And indeed, processing on the basis of legitimate interest doesn’t require a specific purpose or the users’ consent. The purpose of the processing is the legitimate interest of the data controller (i.e. a website or app owner) or of a third party.
Since legitimate interest can apply to a wide number of situations, you should be careful in assessing whether your interests are balanced with your users’ rights and freedoms.

For this reason, the ICO suggests a three-part test to assess whether legitimate interest can apply:

  1. Purpose test: is there a legitimate interest behind the processing?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: is the legitimate interest overridden by the individual’s interests, rights or freedoms?

As there is no specific purpose for legitimate interest, you should be even more transparent with your users and explain what the legitimate interests of the processing are.

When can I rely on consent or legitimate interest?

It all depends on how you are going to use the data you collect and how intrusive the processing will be for your users’ privacy.
According to the ICO, you can rely on legitimate interest when:

  • the processing is not required by law but is of a clear benefit to you or others;
  • there’s a limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

However, there are cases when legitimate interest is not allowed. For example, many data protection authorities, such as the Italian Garante, have issued new guidelines on cookie usage and they have explicitly forbidden legitimate interest as a valid legal basis for profiling cookies.

In general, consent is often the safer choice. Relying on the wrong legal basis could invalidate your activity and expose you to serious consequences. So it’s always better to play it safe!


We hope this post helped you determine your legal basis. Now you’re ready for the next, crucial step.


👉 Find out How to write your privacy policy
