
A Guide to Understanding Legitimate Interest in 2024


In this latest blog, we are looking at a key topic in the world of data protection and its rules: legitimate interest. Because this term often causes confusion and people aren't always sure how it affects them, our goal is to make this clearer by explaining what legitimate interest is and the six lawful bases for processing personal data under CCPA, GDPR and other privacy regulations around the world.


What is legitimate interest?

GDPR Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

In the field of data processing, the concept of legitimate interest is often misunderstood due to its flexibility and the fact that it varies depending on the nature of the business and its relationship with the data subjects. Unlike consent, legal obligation, or contract, legitimate interest must be evaluated on a case-by-case basis, considering the risks involved and the interests and rights of the data subjects. 

It is important to keep two key things in mind when considering legitimate interest: 

  • First, it is the most adaptable legal basis for processing, as it can be tailored to the specific needs of your business. 
  • Second, it cannot be used as a legal basis for processing simply because it is convenient for your business - you must always balance the interests and risks of the data subjects against the benefits to your business.

What is Legitimate Interest under the CCPA? 

Under the CCPA (California Consumer Privacy Act), businesses are allowed to process personal data based on consent, compliance with legal obligations, public interest, scientific research, historical research, statistical research, or in order to exercise or defend legal claims. It is important to note that US data protection laws generally allow the processing of personal data without consent unless it is sensitive or special personal data. Data subjects do have the right to opt out, but businesses may refuse an opt-out request on the grounds mentioned above.


What is Legitimate Interest under the GDPR? 

In contrast, the General Data Protection Regulation (GDPR) requires companies to have a lawful basis for processing personal data. This means that data collection must be justified, and the burden of justification falls on the controllers of personal data. Similar requirements can be found in many other laws formed after the GDPR, such as Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) or Japan's Act on Protection of Personal Information (APPI). 

“The requirement to have a lawful basis in order to process personal data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998 (the 1998 Act). However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.” 

Information Commissioner's Office (UK) on Lawful Basis for Processing 

What are the Lawful Bases for Processing Under the GDPR?


There are six lawful bases for processing personal data under GDPR. These include: 

  1. Consent: The individual has given explicit consent for you to process their personal data for a specific purpose. 
  2. Contract: The processing is necessary for a contract with the individual or because they have asked you to take specific steps before entering a contract. 
  3. Legal obligation: The processing is necessary for you to comply with the law (excluding contractual obligations). 
  4. Vital interests: The processing is necessary to protect someone's life. 
  5. Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 
  6. Legitimate interest: The processing is necessary for your legitimate interest or the legitimate interest of a third party unless there is a good reason to protect the individual's personal data, which overrides that legitimate interest. However, this cannot apply if you are a public authority processing data to perform your official tasks.

All of these grounds for processing have equal importance, but each comes with its own exemptions and conditions. Additionally, when certain grounds for processing are used, individuals may be restricted in their ability to exercise their rights concerning their personal information. For example, suppose a business processes personal information because it is required by law (such as for tax purposes or accountability). In that case, individuals cannot ask for their data to be deleted or object to the processing, because the business would face penalties for not complying with the law.

When can we rely on legitimate interest? 

Legitimate interest can be used when a business has no legal obligation to collect and process information, but the processing is beneficial for the business and has a limited impact on data subjects. To determine if processing personal data is lawful and verify if you can rely on legitimate interest, you need to perform three tests: the purpose test, the necessity test, and the balancing test.

The purpose test involves identifying your purpose for processing the data and deciding whether it is a legitimate interest. You should be specific and ask yourself questions such as why you want to process the data, what benefits you expect to gain, whether third parties benefit, and whether there are any public benefits. Additionally, you should consider the intended outcome for individuals, comply with relevant laws and industry guidelines, and evaluate any ethical issues. If you use data for fraud prevention, for network and information security, or for indicating possible criminal acts or threats to public security, the UK GDPR deems this a legitimate interest.

The necessity test involves determining whether the processing is necessary for the purpose you identified in the first test. You must consider whether the processing will help you achieve your goal, whether it is proportionate, whether you could achieve the objective without processing or by processing less data, and whether you could use another, less intrusive method. Be honest in your evaluation and explain why the alternatives are not reasonable.

The balancing test involves weighing the individual's interests, fundamental rights, and freedoms against the legitimate interests you identified in the first test. You should consider the nature of the data, the reasonable expectations of the individual, and the likely impact of processing on the individual. If the data is sensitive or private, you need a more compelling reason to use it, and you must take special care to put adequate safeguards in place.

Legitimate interest is intended for processing where it would not be reasonable to obtain the consent of the individuals whose data is being processed. To verify this, you can ask yourself whether data subjects would likely consent to such processing if asked, given that it is in their best interest.

However, legitimate interest may be more burdensome, as it can be difficult to demonstrate compliance with the balancing test. A business must perform the balancing test and retain evidence of it, ensuring that all risks to data subjects have been taken into account and that the benefits outweigh them. Furthermore, it requires a more transparent privacy notice that highlights to data subjects which part of the processing is based on legitimate interest.


When can you rely on legitimate interest for cookies? 

As we have explained in our two-part guide named "A Guide to Understanding Cookies," there are some cases where cookies can be placed without the user's consent, and in such cases, the website may rely on legitimate interest instead. 

This can happen when a cookie or script falls under the exemption for cookie consent and is considered essential for website performance, security, or required to deliver services that users have requested. For more information and examples, please refer to the guide, which consists of Part 1 and Part 2.

It's important to note that although the guidelines focus on cookies, they also apply to anyone who stores information on a user's device or gains access to information on a user's device. This means the same rules apply to similar technologies, including pixels and flash cookies, on any kind of device.


Can we use legitimate interest in marketing? 

Direct marketing can be delivered based on a legitimate interest in some cases. However, the legitimacy of this interest depends on the specific circumstances. 

Regarding the purpose test, certain types of marketing may only be considered legitimate if they comply with legal and ethical standards or industry codes of practice. Nonetheless, as long as the marketing adheres to e-privacy laws and other relevant legal and industry standards, it is likely that direct marketing is a legitimate interest in most cases. However, it is essential to note that not all processing for marketing purposes is lawful on this basis alone. 

You will still need to demonstrate that your processing satisfies the necessity and balancing tests. Additionally, you may need to provide more specific details about your purposes for certain elements of your processing to prove that it is necessary and to weigh the benefits in the balancing test. This is particularly true if you use profiling to target your marketing. While marketing may be in the interests of individuals, such as receiving money-off products or offers that are directly relevant to their needs, this is likely to add little weight to your balancing test.

It is important to consider that marketing can significantly negatively affect individuals in certain cases, depending on their personal circumstances. When conducting the balancing test, you should consider factors such as whether individuals would expect you to use their details in this way, the potential nuisance factor of unwanted marketing messages, and the effect that your chosen method and frequency of communication might have on more vulnerable individuals. 

Under most data protection laws, individuals have the absolute right to object to direct marketing. Therefore, it is easier to pass the balancing test if you give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication if the data was not collected directly from the individual). Without a proactive opportunity to opt out in advance, individuals lose control over their data and face an unnecessary barrier to exercising their data protection rights.


Legitimate interest implementation in practice 

To determine whether you can rely on a legitimate interest or not, you should apply a three-part test called a Legitimate Interest Assessment (LIA). You can use a template provided by the Data Protection Authority in your country as a starting point, for example this template provided by the ICO. The LIA consists of three parts:

  1. Identify the legitimate interest or the purpose of processing.
  2. Consider whether the processing is necessary to achieve that goal.
  3. Consider whether it is in the data subject's interest and whether they benefit from it.

To conduct an LIA, you should ask yourself various questions, such as:

  • "Why do we want to process this data?"
  • "How does it impact us if we don't have this information?"
  • "Are we complying with industry standards and best practices?"
  • "Will this data actually help us to achieve the set goals?"

These questions are designed to encourage you to evaluate the processing and data collection and ensure that it is lawful and beneficial for the data subjects.

Regularly review your Legitimate Interest Assessment (LIA) to ensure it remains up-to-date. Update your LIA accordingly if there are any significant changes, such as a change in the purpose or context of data processing. 

If your LIA determines that an individual's rights outweigh your legitimate interests, you cannot process their data using this basis. In this case, consider using another lawful basis. 

Transparency is crucial under data protection laws. Your privacy notice must explain clearly how you collect and process data and the lawful basis for doing so. If you rely on legitimate interests, provide examples and explain that individuals have the right to object to the processing of their personal data.

In brief, here are the main takeaways: 

  1. Data protection laws allow personal data processing without consent under certain circumstances.
  2. GDPR requires companies to have a lawful basis for processing personal data.
  3. There are six lawful bases for processing personal data under GDPR.
  4. Legitimate interest is a flexible legal basis for processing, but it must be evaluated case by case.
  5. Balancing the interests and risks of data subjects against the benefits to the business is necessary when relying on legitimate interests.

How Can Clym Help?

Clym's revolutionary Cookie Consent Manager is a streamlined solution for global cookie consent management. You can effortlessly go through the intricacies of 40+ international data privacy laws, encompassing GDPR in Europe, LGPD in Brazil, and CCPA in California. Our platform goes beyond compliance; it intelligently adapts to regional regulations through built-in geolocation rules, ensuring seamless adherence to various requirements.

In the ever-evolving data privacy landscape, Clym is your ally, alleviating the challenges of staying current with regulatory changes. Our system takes the burden off your shoulders by automatically updating your cookie banner whenever there's a modification in the covered regulations. Bid farewell to the constant monitoring of legal shifts and manual updates—Clym does the heavy lifting for you.

At Clym, we believe in harmonizing digital compliance with your business needs, offering a suite of benefits, including an all-in-one platform that combines Privacy and Accessibility compliance with global regulations at an affordable price. Experience seamless integration into your website, adaptability to users' locations and applicable regulations, customizable branding, ReadyCompliance™ covering 40+ data privacy regulations, and accessibility options, which include six preconfigured accessibility profiles and 25+ display adjustments for visitors to tailor their individual experiences. Clym is not just a solution; it's a commitment to simplifying and enhancing your digital compliance journey.

You can convince yourself and see Clym in action by booking a demo or contacting us to discuss your specific needs today.