Consent or legitimate interest: which option is best for your organisation?

by Martyn Gurr on 16th July 2018


The content of this blog is provided for information purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to your organisation. 

One of the side effects of the implementation of GDPR was the rash of ‘repermissioning’ requests sent out by organisations in the run up to the legislation coming into force on 25 May 2018. Inboxes were deluged with organisations asking for consent to continue mailing. Because of this, one could be forgiven for thinking that GDPR means you can only process people’s personal data if they’ve given their explicit consent, but of course that’s not the case. In fact, the GDPR lays out six grounds on which you can legitimately process personal data.

Consent and legitimate interest are both equally valid grounds for processing

However, for most organisations, certainly those without a legal or contractual data processing obligation, the choice comes down to consent or legitimate interest. Talking to clients, it’s clear that many people view consent as the ‘gold standard’ here, or assume that because consent had been used in the past, it was automatically the most appropriate basis of processing going forward. That’s not the case. Legitimate interest is just as valid. Consent isn’t any better than any of the other options. Indeed, the ICO itself makes this clear, saying “No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.”

So, how do you best determine whether to use consent or legitimate interest? In many organisations that we speak to this is treated purely as a legal decision, and this often leads to the selection of consent as the basis for processing when in fact legitimate interest might be a better choice. Lawyers tend to prefer consent because it seems more legally cut and dried: once someone’s given their consent then there’s no further ambiguity about whether you can or can’t process their data.

Consent can be complex to manage

However, in reality things are rarely so black and white, as there are more commercial factors in play. GDPR sets a very high standard for consent. It requires that you request consent to process a data subject’s personal data for specific purposes, and that’s what you get: consent for those specific purposes only. If you then want to process data for a different purpose, you need to go back to the data subject and request further consent; otherwise you can’t do it.

Consent also needs to be managed. In particular, you need to be able to demonstrate how consent was given and for what purposes it was given, and be able to manage situations where consent is withdrawn and the consequential need to delete that data from all systems, including back-ups, if there is no other purpose for keeping it. (There’s more advice about managing requests for erasure in this blog post).

Additionally, GDPR requires consent statements to be detailed and granular, so a blanket, all-purpose “we’d like consent to mail you” won’t suffice. If you want to use consent as the grounds for processing, then the chances are that you’ll have to repermission your database unless you’ve already collected individuals’ consent in a way that’s GDPR compliant (so if you’ve used pre-ticked boxes or blanket consent statements this definitely won’t apply).

Repermissioning is hard work, expensive and is likely to lead to a significant drop in the number of people you can then mail. Where upsell or cross-sell to existing customers is a significant revenue stream for an organisation, the commercial impact of choosing consent could be critical.

When does legitimate interest apply?

So what about legitimate interest? The ICO itself says: “You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.” You don’t need consent under PECR if the soft opt-in exception applies, i.e. you are marketing similar products or services to customers who have not opted out.

So, if the choice is between consent or legitimate interest, there are often sound business reasons why legitimate interest would be the better option. It’s certainly the most flexible option, it saves you the cost of repermissioning your database, and it means that you can keep mailing your list (those contacts who don’t opt out), at least for marketing similar products under PECR.

But what counts as legitimate interest? Legitimate interest is defined by the business for the business – there’s no clear guidance on what is or is not a legitimate interest. The ICO advises that “[legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

To determine whether legitimate interest applies you need to conduct a legitimate interest assessment (LIA) for every type of data processing, balancing your interests against those of the individual. If you’re relying on legitimate interest, then you also need to tell the data subjects that that’s the case. Best practice here involves the following:

Consent or legitimate interest should be a commercial as well as legal decision

Should the final decision regarding legitimate interest or consent be made by your legal team? Perhaps not. Your legal team are not always best placed to factor in the commercial impact of reconsenting customers rather than relying on legitimate interest.

Managing your compliance position of course requires the involvement of your legal team, particularly if you’re moving beyond common use cases covered in ICO guidance such as marketing to existing customers. However, it’s critical that you ask your legal team the right question. Rather than asking them which legal basis you should use, a better question to ask is which legal bases would be available for you to use. It is also worth remembering that the advice of the ICO itself can be sought via its free helpline.

Armed with that information you can then make a commercial decision regarding which is the most appropriate to use in the light of all of the factors identified above. Asking the wrong question risks turning a data governance issue into a legal problem with significant commercial impact.

Can you switch from consent to legitimate interest if you’ve already repermissioned your database?

If you’ve already repermissioned your database, what can you do? Can you then switch to legitimate interest if you didn’t get the response you were hoping for? The ICO is very clear that “Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.” Although it does envisage circumstances in which the legal basis can be revisited, these are predicated on a ‘genuine change in circumstances’ and an ‘unanticipated purpose’, both of which would be difficult to satisfy in the present context.

However, it may not be all doom and gloom. The concerns identified by the ICO would arise where there was a change in basis for a particular existing customer, less so if a different legal basis could be used for marketing to individuals who become customers going forward. Accountability and transparency can be satisfied by updating the information required to be given to data subjects. Although an element of unfairness may remain, as different legal bases will be used for the same processing, it is arguable that this is mitigated by the availability of the opt-out required by PECR, and the overarching right to object to processing for direct marketing. The critical aspect here is the purpose for which the request for consent was made.

If it went beyond direct marketing of similar products or services to existing customers, then it may be possible to refine that into separate purposes, including one specifically for the direct marketing of similar products or services to existing customers, to be applied prospectively. The ICO has said that it sees compliance as a journey, and refinement of processing purposes over time is consistent with that. This at least allows a line to be drawn under the lost marketing opportunities.

If the processing purpose was only for direct marketing of similar products or services to existing customers, then there is no change in purpose. It is not clear whether the ICO would accept that there had been a ‘genuine change in circumstances’ caused by the commercial risk to the organisation of reduced marketing opportunities.

In either case, the path back from consent will be difficult to navigate and will require careful documentation, particularly around the wider considerations of fairness, accountability and transparency. It will require input from the legal team, and possibly also the ICO, to identify an outcome that balances data subject rights and commercial interests.

However, there are things that can be done even if you decide to stick with consent. Provided the purpose remains the same, the request itself can be optimised using various marketing methods, such as split testing. Furthermore, as someone who has taken the time to consent might be a warmer prospect, other steps to minimise drop-off in a sales funnel may yield greater results than they otherwise might.

How we can help you

We work with many clients on projects relating to GDPR compliance. There’s an overview of the different ways we can help you and the various GDPR-related resources we have available here. Get in touch if you’d like to talk more about how we might help you.