GDPR Deep Dive: What Counts as “Legitimate Interest?”

28th Feb 2018 –
Here’s what you can use as lawful grounds:
You must have a valid lawful basis in order to process personal data and there are six that are now considered lawful.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Do users entering your website “reasonably expect” you’d use their data to predict their purchasing patterns?
Moving forward, GDPR and ePrivacy Directive will be the two legal cornerstones for digital marketers.

Six Lawful Grounds for Personal Data Processing

That means when you use Convert in the default settings—it’ll comply with GDPR without consent being necessary (see our roadmap here).
Is your “legitimate need” to store an excess of their data, sure to override objections they might have to you using it?
But be careful…very careful. Legitimate interest is a stricter provision than it sounds like.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
And remember: GDPR is just months away. Keep informed, talk to your vendors, and prepare yourself for a more transparent data processing landscape.
Give them a legitimate interest exception, and they’ll cold email all of LinkedIn.
The processing must also be necessary. If you can reasonably achieve the same result in another less intrusive way—legitimate interests no longer apply,

Consent
Contract
Legal obligation
Vital interests
Public interest task
Legitimate interests

The ICO website (Information Commissioner’s Office) has a checklist meant to help you determine on whether your data processing is justified under legitimate interests.
Without a doubt, consent is the safest way to avoid any legal actions against your company.

Legitimate Interest: What Is It?

If you’re looking to play it safe, make sure you can confirm the following:
10 second summary:

And as it outlines: IP addresses, cookies—these things are now considered “personal data.”

It’s pretty hard to have an argument for a balanced, legitimate interest if you are using third-party software to enrich your segments or store every move of your website visitors. This sort of storage is common practice with tools like Heap—or any similar program that has post-segmentation, or predictive analytics capacities.
Since the passing of GDPR, we’ve redesigned Convert Experiences. And we’re continuing to work on it so we are 100% ready before May 25th, 2018.
Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

identify a legitimate interest;
show that the processing is necessary to achieve it; and
balance it against the individual’s interests, rights, and freedoms.

Looking back to the checklist…
One thing to note: you have to determine your lawful basis before you begin processing. You should have it documented, and available, in case of a potential audit. Officials won’t look kindly upon any last minute switches.
1.You need to get consent (that checkbox on your forms),
2.You need to have a contract with the individual, or company (where you both agreed that personal data needed to be processed).
3-5. We’ll leave these for another time, as they’re not meant for marketers.
6. Legitimate interest. That sounds the easiest right? Just ensure you have a good, “legitimate” reason to process personal data and be done with it. Bye bye consent?

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
You must include details of your legitimate interests in your privacy notice.

ICO (UK’s) Privacy Authority Checklist for Legitimate Interest

So legitimate interests aside: you’ll most likely need consent for cookies and other identifiers with your current A/B testing tools.
We’ll keep things pertinent to marketers: analytics, lead generation, emails, and a/b testing.

We have checked that legitimate interests is the most appropriate basis.
We understand our responsibility to protect the individual’s interests.
We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
We have identified the relevant legitimate interests.
We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
If we process children’s data, we take extra care to make sure we protect their interests.
We have considered safeguards to reduce the impact where possible.
We have considered whether we can offer an opt out.
If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
We keep our LIA under review and repeat it if circumstances change.
We include information about our legitimate interests in our privacy notice.

Using Legitimate Interest for A/B testing

Because it’s complicated, but it’s not rocket science. If it sounds sneaky, then ask for consent. If it’s truly harmless processing, make a strong case for minimum impact on your customers and website visitors.
Maybe, to be on the safest side, users should include legitimate interest in their privacy policies—to signal that that cookie placed for A/B testing software does not store personal data. And to mention the strategic interest for you, as a company, makes it necessary to place this analytics cookie, to improve the performance of your business.
What might be needed, is to inform the website visitors of the way you handle A/B testing.
With many leading A/B testing solutions, you store a lot of data about a user. And you use that data, afterwards, however you want, without informing the user about that process.
Your privacy notice should also include your lawful base for processing, and your purposes for processing. If your purposes change, you may be able to continue processing under the original lawful basis—assuming your new purpose is compatible with your initial basis (this is assuming your lawful basis wasn’t consent). Either way: you should make sure to update your privacy policy.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
You know what they say—you give them a finger, they will take the hand.
Make sure it’s 100% clear why you think legitimate interest is viable, and store that in case of an audit.
Here’s why:
In addition, you need to follow the following steps using legitimate interest:

A/B Testing, Minus Personal Data Storage

For the purpose of simplicity, this article won’t dive into special data—like passports, biometric data etc.
This sort of data collection likely requires specific consent. Which means you shouldn’t be loading cookies or experiments without a specific opt-in.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. OR where there is a compelling justification for the processing.This is what GDPR recital 47 says about legitimate interest.
No cookie IDs, no unique identifiers, and no IPs are being stored. Really everything is stripped down, as much as possible, so that no personal data is being stored or used.
Consent and legitimate interest are most likely the most used legitimate bases for digital marketers.
So let’s talk about where it can be applied, and how we can better understand its intentions.

To sum it up:

This means, no consent is needed.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
GDPR has six lawful grounds for processing personal data, as outlined in Article 6. And legitimate interests is well set up to be the most misused. Every marketer that wants to avoid obtaining consent to process data, will try and use legitimate interest as a way around asking for it.
Legitimate interest should be used only in the rare case where you find yourself with the back against the wall, and where you are sure there is no, or extremely little, personal data stored and processed.
So if you have a system where you are really sure you guaranteed the privacy of the users, that’s a strong indicator you can use legitimate interest.
No single basis is ’better,’ or more important than the others. And which basis is most appropriate to use will depend on your purpose, and relationship with the individual.