Is Legitimate Interest a Legitimate Loophole for GDPR Consent?

BY: Michelle Miles | Chief Client Strategy Officer at MERGE

PUBLISHED: 3/13/2018

Just when you thought GDPR was confusing enough, enter the topic of “legitimate interest.” Many of you have asked about it, wondering if you can bypass obtaining express consent opting for legitimate interest instead.

I can almost hear the glimmer of hope in your voice as you ask… could legitimate interest be my saving grace for updating permission requirements? Has GDPR provided organizations like mine with an escape clause?


Approach with caution here. If you’re considering skipping express consent and claiming the GDPR provision for legitimate interest, you first must understand what legitimate interest entails and when you can use it.

From Article 6(1) of GDPR, legitimate interest can be used to process records if processing is necessary for...

  • The performance of a contract with the data subject or to take steps to enter into a contract
  • Compliance with a legal obligation
  • To protect the vital interests of a data subject or another person
  • The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • The purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (ex: if the data subject is a child)


Clear as mud, right? Many marketers think they’ve found a loophole to collecting explicit consent with option A, the first clause. So is it? No—but it is a common misconception about GDPR and one that can get you into a whole lot of trouble.

Legitimate Interest Pie


Let’s look at a hypothetical situation when legitimate interest can be used. Say you are shopping online—maybe ordering a pizza. Rather than create an account, you opt to check out as a guest and only provide the necessary information to get your pepperoni pie delivered to your doorstep.


In this case, your name and delivery address, plus payment information. Does the pizza place have legitimate cause to process your data? Yes, absolutely. Can they continue to communicate with you and send you pizza promotions for future orders? No, because they don’t have your consent.


Legitimate interest in this example only applies to processing your order; it is not permission to use your information for any other purpose.

I also hear marketers attempting to justify legitimate interest with clause E, claiming they have a legitimate interest in marketing their products. So let’s get another opinion.


The UK Information Commissioner’s Office (ICO) asserts that: “[Legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

In other words, I expect Joe’s Pizza to deliver my pizza (hot, please) so therefore I also expect Joe’s Pizza to process my order and charge my credit card.


But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy.


The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…”


In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie” – which as we all know can add up to a lot of dough!

Legitimate Checklist (because who doesn’t love a good checklist?)


Still thinking about taking the legitimate interest route? The ICO offers a checklist before you consider opting to claim legitimate interest. And as you know, we like checklists, so we thought it appropriate to share this one:

☐ We have checked that legitimate interests is the most appropriate basis.
☐ We understand our responsibility to protect the individual’s interests.
☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
☐ We have identified the relevant legitimate interests.
☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
☐ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
☐ If we process children’s data, we take extra care to make sure we protect their interests.
☐ We have considered safeguards to reduce the impact where possible.
☐ We have considered whether we can offer an opt out.
☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA. (Data Protection Impact Assessment)
☐ We keep our LIA under review, and repeat it if circumstances change.
☐ We include information about our legitimate interests in our privacy notice.

As you can see, “legitimate interest” is not a “get-out-of-jail-free” card! It requires thoughtful analysis and the documentation to back it up, just as consent does.

In the Interest of Perspective


Unfortunately, there’s no shortcut to GDPR compliance. Think about it: GDPR includes 99 articles all with the goal of protecting an individual’s privacy and rights to personal data.


Careful consideration is needed if you are attempting to override that objective. So if you are going to use legitimate interest, you must do so in such a way that complies with all the other requirements for data protection, usage and storage, and you’ve demonstrated (and documented!) a balance of interests, both your own and the person receiving your communications.


Otherwise, trying to circumvent GDPR requirements will only set you and your company up for a €20 million failure.

GDPR is complex and the ramification of non-compliance is a game-ender for many. I encourage you, don’t do it on your own. We’ve got a team of pizza-loving GDPR experts equipped to assist you and your team, from system Readiness Assessments to Implementation programs.


Don’t be penny wise and pound (Euro) foolish — contact us us to discuss your situation.

Remember, we’re marketers, just like you, and while we’ve gotten better at understanding legalese, we’re still not lawyers, so be sure to run your specific GDPR plan past your legal eagles before implementing.