Consent versus legitimate interest – know the difference

Rebecca Bada Headshot
Rebecca Bada
Senior GDPR Consultant
18th April 2022

When discussing the GDPR, a common confusion we run into is the difference between consent and legitimate interest, as well as when to use them as your legal basis for collecting, processing and storing personal data. Each of these are incredibly important in ensuring you’re connecting with your prospective customers and not stalking them.

Consent and legitimate interest are two terms commonly heard when conducting direct marketing activities such as telemarketing, email, mobile, and web push marketing. To legally process the data of an individual, one of the six lawful bases of Article 6 of the GDPR must be applied, two of which are consent and legitimate interest.

In this blog, we discuss the difference between consent and legitimate interest and why you need to understand both terms to make an informed decision on the purpose of your data processing.

What is consent?

Consent is simply offering individuals a choice in how businesses use their data. Without consent, organisations cannot process an individual’s personal data. For example, when a data subject fills in an online form on a website requesting for a call back, an organisation cannot contact the data subject other than for the action they have requested – unless they’ve checked an ‘opt-in’ box to receive additional communication from that company.

The GDPR sets a high standard for consent that specifically requires opt-in to be unambiguous and allows individual’s to actively give their consent. Consent can also be withdrawn at any time, meaning they need an option to opt-out. This should be detailed clearly and concisely by organisations, separate from their terms and conditions.

What is legitimate interest?

Legitimate interest is arguably the most flexible of the six lawful bases of Article 6 within the GDPR. It allows a business to process data without explicit consent as long as the processing of data is of mutual benefit to the data controller and data subject, has minimal impact on the privacy of the individual, and uses data in a way that the individual would expect.

For example, if a recruiter seeks to retain a job applicant’s personal data as they feel the candidate may be suitable for a role in the future, they can hold on to personal details under legitimate interest. Why? As the data was provided by the individual, there is little risk of the data being misused, and keeping the data would be deemed beneficial for both parties.

Legitimate interest would also apply to incidents relating to fraud prevention, network security and indicating criminal acts or possible threats to public security. Direct marketing and processing employee or client data are also considered as grounds for legitimate interest under the GDPR recitals.

Using consent versus legitimate interest as a legal basis to process data

In both scenarios, the person whose data is being processed should have the right to opt-out at any time, halting the processing of data. Consent versus legitimate interest can be defined as follows:

If you rely on consent:

  • You have asked the individual in plain language to process their personal data for a specific reason and they’ve agreed
  • You’ve kept proof that you’ve collected consent from the person in question, until they opt-out or you cease the processing of their data

If you rely on legitimate interest:

  • You don’t have explicit consent from a data subject
  • There’s no other possible legal basis the process could fall under
  • The reason for processing data passes the three-part test

What is the three-part test?

The ICO (Information Commissioner’s Office) have created a three-part Legitimate Interests Assessment (LIA) designed to help organisations understand how legitimate interest works and how it can be applied under the GDPR. The three stages of the LIA include:

  1. Purpose test – is there legitimate interest behind the processing of personal data?

    • To determine whether the processing of data is legitimate or not, businesses should be clear on their purpose for collecting, storing, and processing data
    • Who benefits from it, what is the intended outcome and is it lawful to process the data?
    • The legitimate interest could be trivial or controversial, but the more compelling the argument for processing the information, the less likely it will be objected to or overridden by the interests of the individual in the balancing test
  2. Necessity test – is the processing necessary for that purpose?

    • The processing activity needs to be targeted and proportionate to fulfil your purpose. For example, if you wish to send out a marketing email to a customer who previously purchased something from you and shared their email address, it would be deemed necessary to process their email address for that purpose
    • To establish necessity for processing data, also consider whether you can fulfil the purpose without processing data or processing less data
    • Is there a less intrusive way of processing data to achieve the purpose?
  3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

    The balancing test are questions you should be asking yourself to understand if the individual’s rights might override your argument for processing their data. The weaker the argument for processing, the higher the chances of the individual’s rights overriding it. For example:

    • Are you intending to use the data in ways that individuals could reasonably expect?
    • Are individuals still in control to exercise their rights, such as opting out of communication, or requesting to be erased from a database?
    • Does the individual maintain control of who processes their data?

It should be noted that the three-part test is already pre-prepared for us by the ICO with a Legitimate Interest Assessment Template (download a copy). This allows anyone looking to rely on legitimate interest to complete a questionnaire showing that you’ve thought about the feasibility of using this legal basis for processing data.

Case study: fine for non-compliance

In March 2022, the ICO fined H&L Business Consulting Ltd £80,000 for sending 378,538 unsolicited text messages to individuals who had not consented to receive them between January and July 2020. The spam messages sought to benefit from a ‘government-backed’ scheme during the COVID-19 pandemic even though the company was not authorised to provide regulated financial products or services.

SMS message

This incident resulted in the ICO receiving over 300 complaints from recipients, who said they felt “anxious and annoyed by those messages”, as stated by Andy Curry, the ICO’s Head of Investigations. The ICO has the power to impose fines under PECR (the Privacy and Electronic Communications Regulation) for cases such as this as it contravenes Regulation 22, which states that unless the recipient has given the sender consent, they cannot “transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail.”

This was relatively a clear-cut case, H&L Business Consulting did not obtain consent from individuals either directly or indirectly, and legitimate interest would have been easily overridden as no individual reasonably expects to be sent an SMS out of the blue for a service they had never enquired for. This incident is a good example for the necessity to collect and retain consent, or have a legitimate interest for contacting prospective customers to avoid non compliance.

Key takeaways

  • Understand the difference between consent and legitimate interest when collecting, storing and processing personal data
  • Know when to claim your legal basis as legitimate interest when contacting individuals, as well as whether it benefits both parties
  • Should the ICO investigate a complaint or the individual asks for proof of consent, you must be able to provide evidence that you have the consent of the data subject to collect, store and process their data
Rebecca Bada Headshot

Meet the author

Rebecca Bada Senior GDPR Consultant

As one of our more experienced data protection officers, Rebecca knows data protection inside and out. Her favourite topics to write about include UK & EU GDPR, DPO activities and the often-overlooked PECR regulations.

Meet your GDPR & data protection obligations

Our GDPR consultants are certified and experienced data protection experts. Find out more about how we support organisations across a range of industry sectors, successfully guiding them through the complex responsibilities of GDPR and data protection.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.