Just when you thought GDPR was confusing enough, enter the topic of “legitimate interest.” Many of you have asked about it, wondering if you can bypass obtaining express consent opting for legitimate interest instead.
I can almost hear the glimmer of hope in your voice as you ask: could legitimate interest be my saving grace for updating permission requirements? Has GDPR provided organizations like mine with an escape clause? Approach with caution here. If you’re considering skipping express consent and claiming the GDPR provision for legitimate interest, you first must understand what legitimate interest entails and when you can use it.
From Article 6(1) of GDPR, legitimate interest can be used to process records if:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (for example, if the data subject is a child)
Clear as mud, right? Many marketers think they’ve found a loophole to collecting explicit consent in option A, the first clause. So is it? No—but it is a common misconception about GDPR and one that can get you into a whole lot of trouble.
Legitimate Interest Pie
Let’s look at a hypothetical situation when legitimate interest can be used. Say you are shopping online—maybe ordering a pizza. Rather than create an account, you opt to check out as a guest and only provide the necessary information to get your pepperoni pie delivered to your doorstep, or in this case, your name and delivery address plus payment information. Does the pizza place have legitimate cause to process your data? Yes, absolutely. Can they continue to communicate with you and send you pizza promotions for future orders? No, because they don’t have your consent. Legitimate interest in this example only applies to processing your order; it is not permission to use your information for any other purpose.
I also hear marketers attempting to justify legitimate interest with clause E, the fifth item above, claiming they have a legitimate interest in marketing their products. So let’s get another opinion. The UK Information Commissioner’s Office (ICO) asserts that: “[Legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
In other words, I expect Joe’s Pizza to deliver my pizza (hot, please), so I also expect Joe’s Pizza to process my order and charge my credit card. But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy. The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…” In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie,” which as we all know can add up to a lot of dough!
Legitimate Checklist (because who doesn’t love a good checklist?)
Still thinking about taking the legitimate interest route? The ICO offers a checklist to work through before you opt to claim legitimate interest. And as you know, we like checklists, so we thought it appropriate to share this one—you’ll find the checklist and the rest of this article on Perkuto’s blog.