GDPR Deep Dive: What Counts as “Legitimate Interest?”February 28, 2018 –
You know what they say—you give them a finger, they will take the hand.
Give them a legitimate interest exception, and they’ll cold email all of LinkedIn.
GDPR has six lawful grounds for processing personal data, as outlined in Article 6. And legitimate interests is well set up to be the most misused. Every marketer that wants to avoid obtaining consent to process data, will try and use legitimate interest as a way around asking for it.
But be careful…very careful. Legitimate interest is a stricter provision than it sounds like.
So let’s talk about where it can be applied, and how we can better understand its intentions.
Six Lawful Grounds for Personal Data Processing
You must have a valid lawful basis in order to process personal data and there are six that are now considered lawful.
No single basis is ’better,’ or more important than the others. And which basis is most appropriate to use will depend on your purpose, and relationship with the individual.
One thing to note: you have to determine your lawful basis before you begin processing. You should have it documented, and available, in case of a potential audit. Officials won’t look kindly upon any last minute switches.
For the purpose of simplicity, this article won’t dive into special data—like passports, biometric data etc.
We’ll keep things pertinent to marketers: analytics, lead generation, emails, and a/b testing.
Here’s what you can use as lawful grounds:
- Legal obligation
- Vital interests
- Public interest task
- Legitimate interests
10 second summary:
1.You need to get consent (that checkbox on your forms),
2.You need to have a contract with the individual, or company (where you both agreed that personal data needed to be processed).
3-5. We’ll leave these for another time, as they’re not meant for marketers.
6. Legitimate interest. That sounds the easiest right? Just ensure you have a good, “legitimate” reason to process personal data and be done with it. Bye bye consent?
Legitimate Interest: What Is It?
Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. OR where there is a compelling justification for the processing.This is what GDPR recital 47 says about legitimate interest.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
So if you have a system where you are really sure you guaranteed the privacy of the users, that’s a strong indicator you can use legitimate interest.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights, and freedoms.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must also be necessary. If you can reasonably achieve the same result in another less intrusive way—legitimate interests no longer apply,
In addition, you need to follow the following steps using legitimate interest:
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy notice.
ICO (UK’s) Privacy Authority Checklist for Legitimate Interest
The ICO website (Information Commissioner’s Office) has a checklist meant to help you determine on whether your data processing is justified under legitimate interests.
If you’re looking to play it safe, make sure you can confirm the following:
- We have checked that legitimate interests is the most appropriate basis.
- We understand our responsibility to protect the individual’s interests.
- We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
- We have identified the relevant legitimate interests.
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
- If we process children’s data, we take extra care to make sure we protect their interests.
- We have considered safeguards to reduce the impact where possible.
- We have considered whether we can offer an opt out.
- If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
- We keep our LIA under review and repeat it if circumstances change.
- We include information about our legitimate interests in our privacy notice.
Using Legitimate Interest for A/B testing
Moving forward, GDPR and ePrivacy Directive will be the two legal cornerstones for digital marketers.
And as it outlines: IP addresses, cookies—these things are now considered “personal data.”
So legitimate interests aside: you’ll most likely need consent for cookies and other identifiers with your current A/B testing tools.
It’s pretty hard to have an argument for a balanced, legitimate interest if you are using third-party software to enrich your segments or store every move of your website visitors. This sort of storage is common practice with tools like Heap—or any similar program that has post-segmentation, or predictive analytics capacities.
With many leading A/B testing solutions, you store a lot of data about a user. And you use that data, afterwards, however you want, without informing the user about that process.
Looking back to the checklist…
Do users entering your website “reasonably expect” you’d use their data to predict their purchasing patterns?
Is your “legitimate need” to store an excess of their data, sure to override objections they might have to you using it?
This sort of data collection likely requires specific consent. Which means you shouldn’t be loading cookies or experiments without a specific opt-in.
A/B Testing, Minus Personal Data Storage
No cookie IDs, no unique identifiers, and no IPs are being stored. Really everything is stripped down, as much as possible, so that no personal data is being stored or used.
This means, no consent is needed.
What might be needed, is to inform the website visitors of the way you handle A/B testing.
Maybe, to be on the safest side, users should include legitimate interest in their privacy policies—to signal that that cookie placed for A/B testing software does not store personal data. And to mention the strategic interest for you, as a company, makes it necessary to place this analytics cookie, to improve the performance of your business.
To sum it up:
Consent and legitimate interest are most likely the most used legitimate bases for digital marketers.
Without a doubt, consent is the safest way to avoid any legal actions against your company.
Legitimate interest should be used only in the rare case where you find yourself with the back against the wall, and where you are sure there is no, or extremely little, personal data stored and processed.
Make sure it’s 100% clear why you think legitimate interest is viable, and store that in case of an audit.
Because it’s complicated, but it’s not rocket science. If it sounds sneaky, then ask for consent. If it’s truly harmless processing, make a strong case for minimum impact on your customers and website visitors.
And remember: GDPR is just months away. Keep informed, talk to your vendors, and prepare yourself for a more transparent data processing landscape.