
GDPR: Consent or legitimate interest, which to choose?

Thursday 20 December 2018 | Data Insight & Analytics, GDPR

By Paul Winters

Of the six legal grounds for processing personal information allowed by GDPR, the two most likely to be used in direct marketing are consent and legitimate interest.

GDPR sets a higher standard for consent than the earlier Data Protection Act. Consent must be “freely given, specific, informed and unambiguous”. It must be given by “a statement or by a clear affirmative action”, so opt-out boxes are banned.

Legitimate interest can be used where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. GDPR recognises direct marketing as a legitimate interest.

Both grounds are equally valid, so how do we decide which to use? In principle, consent might be considered the “safer” option, as it is more objective. Either you can show that you have consent from the data subject, e.g. because someone ticked an opt-in box or signed a statement giving consent, or you can’t. Legitimate interest is slightly more subjective. Can you be sure that your legitimate interest in marketing your products and services isn’t overridden by the data subject’s interests or rights?

Most brands will use consent where it is practical to obtain it. For some channels, consent may be obligatory. A new ePrivacy Regulation will come into force sometime in 2019, but in the meantime the Privacy and Electronic Communications Regulation (PECR) applies and this mandates consent in some instances when using electronic communications such as email.

However, it is clear that legitimate interest will have a major role to play in direct marketing under GDPR. Sometimes, it will be difficult to obtain consent, for example when contacting a prospective customer for the first time. In such circumstances, legitimate interest may be the only option.

Although direct marketing is listed as a legitimate interest, that doesn’t mean that all processing for marketing is automatically compliant on that basis. You must carry out a balancing test that weighs your interests against those of the data subject. Is the processing you intend to carry out strictly necessary to achieve your objectives or could you achieve your goal using other means? What might be the risks to the privacy or other interests of the data subject? Might the individual have a reasonable expectation to receive marketing material from you? The latter would be the case if there was a prior relationship with you, e.g. the individual had bought something from you in the past. More information on how legitimate interest might be used in marketing can be found in the following documents:

Some brands have taken a very strict view about consent vs. legitimate interest and decided to use consent only for marketing to their customers. They have had to renew their consents where they do not match the stricter GDPR standard. The opt-in rates have been very low (below 20% in most cases). Brands should therefore think very carefully about whether legitimate interest might be the better option, particularly for existing customers where the balancing test is likely to be met. Read David Sealey's blog post on 12 ways to optimise your marketing opt-in process for best results.



If you have any further questions relating to GDPR, get in touch.
