Consent vs. Legitimate Interest: Which Should You Choose for Marketing?
Article 6 of the GDPR allows you to process your users’ personal data under six lawful bases including Consent and Legitimate Interests:
GDPR Article 6(1)(a) – Consent as a lawful basis for processing data: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
GDPR Article 6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
These two are also the most discussed legal bases for processing personal data for marketing purposes.
Of these, the consent basis works quite straightforward … as the user has “consented” to your data processing.
The problem, however, with consent is that it’s not always fitting for the marketing process.
Which then leaves marketers with the Legitimate Interests provision.
At the face of it, Legitimate Interests looks like a blanket term that can allow a lot of personal data processing. But using Legitimate Interests as a legal basis needs careful consideration as they can only be considered as a Lawful Basis for processing data IF the data processing is actually NECESSARY.
Suggested read: GDPR Deep Dive: What Counts as “Legitimate Interest?”
Choosing Between Consent and Legitimate Interests for Marketing Purposes
Processing personal data using consent as the legal basis is considered quite safe as consent is the “golden standard.”
It’s also a much stronger ground for processing data than the ground of Legitimate Interests because it’s unambiguous. You asked the user, and they said “Yes!”.
But getting consent each time you want to process a certain type of personal data means getting your users to opt-in to a host of different consent forms.
The GDPR, in fact, offers some very clear and stringent directives on how you can seek consent legitimately:
[…] an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
The Legitimate Interests lawful basis, on the other hand, is quite flexible.
First and foremost, the GDPR allows marketers to make the case of processing of personal data for direct marketing purposes under the Legitimate Interests lawful basis:
GDPR, Recital 47
…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Furthermore, ICO (Information Commissioner’s Office, a UK-based independent authority that guides businesses on how to apply UK’s data privacy laws such as the GDPR) explains how such a legitimate interest in marketing (such as the one for “boosting sales”) can make a genuine purpose for processing data:
“[W]e have a legitimate interest in marketing our goods to existing customers to increase sales.”
ICO also explains how Legitimate Interests may be the most appropriate basis in multiple instances such as when:
- the processing is not required by law but is of a clear benefit to you or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
For each marketing need (or purpose) at hand, a marketer needs to carefully decide the different lawful bases to use (from among the six lawful bases under which the GDPR allows data processing). Of these six, consent and Legitimate Interests are the two lawful bases that are often used for website personalization for general (or non-logged in) visitors. (This article focuses on how you can use the Legitimate Interests lawful base for personalizing your website experiences.)
In general, including a case under the Legitimate Interests provision needs a lot of thought. To make this somewhat easy, ICO has designed a three-part test for helping you identify if the purpose you’ve at hand actually qualities to be a lawful basis under the Legitimate Interests provision.
Here’s ICO’s three-part test for determining Legitimate Interests under the GDPR:
- Purpose test – is there a legitimate interest behind the processing?
To use Legitimate Interests as a lawful basis for processing personal data, you need to first explain your need for processing the concerned personal data. You need a clearly articulated purpose behind wanting to process it.
- Necessity test – is the processing necessary for that purpose?
To use Legitimate Interests as a lawful basis for processing personal data, you need to demonstrate that there’s no other less invasive way to achieve your purpose, and that your processing is ” proportionate and adequately targeted to meet its objectives…”
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
After your case qualifies in the first two tests, you need to ensure that processing the concerned personal data doesn’t infringe upon the rights and freedoms of the individual whose personal data will be processed.
With that, let’s now look at some very common personal data processing examples that could fall under the GDPR’s Legitimate Interests provision.
10 Examples of Grounds for Personal Data Processing Using Legitimate Interests
Before we see the actual examples, please understand that every example listed below has a big list of caveats. These examples are just meant to give you some suggestions of marketing purposes that could be explored under the Legitimate Interests provision.
Here goes …
1. IP address data processing
Depending on how much data you capture, an IP address can tell a lot. For example, you can use it to find a visitor’s location, or you can also use it to find out what company they work for (read more about that in our ABM 101 article).
Legitimate Interests is one of the lawful basis that can be used for processing a user’s IP address data (classified as personal data). An example of a marketing purpose under the Legitimate Interests provision using the IP address could be to offer localized offers.
For instance, an eCommerce store can promote a raincoat to someone browsing from an area where it’s the monsoon season. Alternatively, an online store might use a visitor’s location data to offer a limited time free shipping offer to the visitor’s area.
Likewise, a B2B company can use a visitor’s company (identified from their IP address) to show them some dynamic personalization in the form of an image or content personalized with, say, the company’s name or industry.
Note: If you use your visitors’ IP addresses for personalizing their website experiences, it’s best to never store them in your database if you’ve used them for weather or location services. This way, this data won’t pose a problem when collecting multiple data points about a person at the same spot.
2. Website analytics data processing
Most websites collect their visitors’ browsing data for performance optimization purposes. This is usually covered under the Legitimate Interests provision. Generally, such data doesn’t represent a problem as it’s often anonymized and most of the analytics tools like Google Analytics prohibit the processing/storing of PII (Personally Identifiable Information).
The trends from such data processing can be used to form the basis of a wide range of personalized website experiences.
For example, using Google Analytics, you can identify the pages on your website where you lose most of your leads. You can also use some of the advanced segmentation options in Google Analytics to identify the audience segments that drop off. Such data processing can generate many insights for you about the demographics and more about the traffic you’re losing.
Using these insights, you can also test offering these segments more personalized website experiences.
For example, if an eCommerce store finds that a certain product page has a high dropoff rate, it can use its audience’s demographics information to fine-tune its product page’s messaging.
Such personalization isn’t just subtle and meaningful, but the personal data processed, too, doesn’t feel intrusive.
3. Communications data processing
Running personalized marketing communications via emails or SMSes always needs explicit consent.
Also, post the GDPR, adding a person’s email to your CRM and sending them marketing emails just because they contacted you via your contact form with their email isn’t legal. You need to use consent boxes below your contact form that explicitly seek the visitor’s permission for doing so.
Besides, the GDPR doesn’t work in isolation. And so your email (or SMS) marketing campaigns must comply with the relevant legal regulations like offering the users an unsubscribe link and more.
That said, if you’ve obtained consent for such communications from a subscriber, then you can personalize your website’s experience for such a subscriber based on their interaction with your marketing emails or SMSes. This should be reasonably covered under the Legitimate Interests provision.
For example, a travel company can use its communications history with its subscribers to show them personalized pages. For instance, a subscriber who has shown interest (let’s say by clicking on a link) in luxury travel might be shown a page that promotes a stay package at a luxury hotel. Alternatively, a budget traveler might be shown a few select deals on budget hotels.
4. Behavioral data processing via cookies, web beacons, etc.
Behavioral data processing is very similar to website analytics data processing. Just like website analytics data, personal data used for powering behavioral insights-driven campaigns is also anonymized. And the GDPR is quite flexible with the processing of anonymized data.
Insights from the visitors’ interaction with a website (for example the pages they viewed and their click data) can be used to deliver contextually-rich website experiences.
For example, an enterprise-level software company can track behavioral data of its visitors and offer them more personalized experiences on their return visits. For instance, a visitor who seems to be exploring a certain solution might be shown the same solution’s trial page or signup form on their next website visit.
5. Profile data processing
Just like website analytics and behavioral data processing, a company can use the Legitimate Interests basis to use anonymized personal data for creating user profiles (profiling).
For example, a gadget comparison website might use its users’ anonymized personal data to identify its key audience types. It can then serve personalized offers and promotional campaigns to each (for example suggesting high-end mobiles to its high-end audience segment and showing discounts on budget mobiles to its budget-friendly segment).
The doc on the guidance of using Legitimate Interests doesn’t just suggest such a basis as a lawful basis for processing personal data under Legitimate Interests, but it also supports for such user profiling using social media data. The doc states that a company can use:
… [A]n algorithm provided by the social media provider to better target its advertising to ‘lookalikes’ – i.e. other individuals who have similar characteristics to that business’ own customers. The business uploads the minimum required personal data on its customers to enable the social media targeting, but excludes those who have objected to marketing. Profiling is conducted within the social media platform to enable the targeting, however it is purely for marketing purposes and the business has assessed that it does not result in any legal or similarly significant effects upon those individuals.
6. Second-party and third-party data processing
In addition to first-party data (i.e. the data a company collects on its own — for example, data from its Google Analytics account), quite a few companies use second-party and third-party data as well.
This data — sourced from partners and data exchanges — empowers marketers with powerful insights about the psychographics, technographics, and demographics of their audiences. It’s usually used to build detailed customer profiles. Which, in turn, are used to create more relevant content and messaging, and for delivering them to the key segments from the general audience.
For example, a B2B business can use such data to identify the key segments in its audience and target each segment with personalized content recommendations.
If you need to use such sourced data, make sure that you only partner with the data providers and exchanges that follow fair and lawful data collection and processing practices.
7. Purchase history data processing
An eCommerce store might offer personalized product recommendations to its visitors based on their transactional history.
DPN (Data Protection Network, a UK-based body that offers expert advice on Data Protection and Privacy) offers a lot of guidance on the use of Legitimate Interests. It suggests that an online store’s use of a user’s purchase history for making personalized product recommendations can be a good ground for a legal basis of personal data processing:
A retailer with a wide product range conducts automated processing which is based on a customer’s transactional history, for the purpose of predicting what other products and services they may be interested in.
8. Account history data processing
Account data processing can be considered as the equivalent of the purchase history data processing, but for a B2B setup.
A B2B company can use its user’s account history data to deliver richer contextual content experiences. For example, a B2B company can use its customers’ data to offer them more relevant and better upgrade or cross-sell offers.
9. Cookie data processing
There are a lot of ways cookie data can help offer personalized website experiences that are both non-intrusive and relevant. Most of the cookie types that can power effective experiences don’t even need explicit user consent as their usage and opt-out instructions can be explained on a website’s privacy pages.
For example, a business website can use cookie data to determine what content to deliver to a prospect to move them further in the sales funnel. There are endless ways cookie data can be used even in privacy-friendly ways. In fact, all the data from the above examples are mostly collected and stored in some forms of cookies.
For more examples on processing data under the Legitimate Interests clause, check out Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation.
Wrapping it Up …
Choosing either of the two options — Legitimate Interests or Consent — for your marketing purposes needs consideration on a case-by-case basis. While Legitimate Interests can be (and are) the most common lawful grounds for processing personal data for most marketers, they must be used with care.
Also, while the Legitimate Interests provision can cover a lot of website personalization tactics, you must still take the Legitimate Interests Assessment and seek help from a legal online privacy practitioner to be double sure before resorting to it.
At Convert Experiences, we empower marketers just like you to offer GDPR-safe and privacy-friendly personalized website experiences to your users. We’ve also conducted a thorough LIA of all the data we use under the Legitimate Interests provision for powering such personalizations. Check it out here. And if you’re looking to offer website personalizations that offer privacy by design and privacy by default, do check out Convert Experiences.