Article 6 of the GDPR sets out six lawful bases under which you may process your users' personal data, including Consent and Legitimate Interests:
GDPR Article 6(1)(a) – Consent as a lawful basis for processing data: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
GDPR Article 6(1)(f) – Legitimate Interests as a lawful basis for processing data: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
These two are also the most discussed lawful bases for processing personal data for marketing purposes.
Of the two, consent is the more straightforward, since the user has explicitly agreed to your data processing.
The problem with consent is that it does not always fit the marketing process, which leaves marketers with the Legitimate Interests provision.
On the face of it, Legitimate Interests looks like a blanket term that could cover a lot of personal data processing. But relying on it needs careful consideration: it is only a valid lawful basis if the processing is actually NECESSARY for the stated purpose, and only if your interest is not overridden by the individual's rights and freedoms.
Choosing Between Consent and Legitimate Interests for Marketing Purposes
Processing personal data with consent as the lawful basis is considered quite safe, as consent is the "gold standard".
It is also a stronger ground for processing than Legitimate Interests because it is unambiguous: you asked the user, and they said "Yes!".
But getting consent every time you want to process a certain type of personal data means asking your users to opt in to a host of different consent requests.
The GDPR, in fact, sets clear and stringent conditions for seeking consent legitimately, which the ICO summarises as follows:
[…] an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
The Legitimate Interests lawful basis, on the other hand, is more flexible.
First and foremost, the GDPR itself (Recital 47) allows marketers to make the case for processing personal data for direct marketing purposes under the Legitimate Interests lawful basis:
…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Furthermore, the ICO (Information Commissioner's Office, the UK's independent data protection authority, which guides businesses on applying the UK's data protection laws, including the GDPR) explains how a legitimate interest in marketing (such as "boosting sales") can be a genuine purpose for processing data:
[W]e have a legitimate interest in marketing our goods to existing customers to increase sales.
The ICO also explains that Legitimate Interests may be the most appropriate basis in several situations, such as when:
- the processing is not required by law but is of a clear benefit to you or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
For each marketing need (or purpose) at hand, a marketer needs to decide carefully which of the six lawful bases under which the GDPR allows data processing to rely on. Of these six, consent and Legitimate Interests are the two most often used for website personalization for general (non-logged-in) visitors. (This article focuses on how you can use the Legitimate Interests lawful basis for personalizing your website experiences.)
In general, bringing a processing activity under the Legitimate Interests provision needs a lot of thought. To make this somewhat easier, the ICO has designed a three-part test, the Legitimate Interests Assessment (LIA), to help you identify whether the purpose you have at hand actually qualifies under the Legitimate Interests provision.
Here is the ICO's three-part test for determining Legitimate Interests under the GDPR:
- Purpose test – is there a legitimate interest behind the processing? To use Legitimate Interests as a lawful basis for processing personal data, you first need to explain your need for processing the personal data concerned. You need a clearly articulated purpose behind wanting to process it.
- Necessity test – is the processing necessary for that purpose? You need to demonstrate that there is no other, less invasive way to achieve your purpose, and that your processing is "proportionate and adequately targeted to meet its objectives".
- Balancing test – is the legitimate interest overridden by the individual's interests, rights or freedoms? Once your case passes the first two tests, you need to ensure that processing the personal data concerned does not infringe upon the rights and freedoms of the individual whose personal data will be processed.
With that, let’s now look at some very common personal data processing examples that could fall under the GDPR’s Legitimate Interests provision.
10 Examples of Grounds for Personal Data Processing Using Legitimate Interests
Before we get to the examples, please understand that every example listed below comes with a long list of caveats. These examples are only meant to suggest marketing purposes that could be explored under the Legitimate Interests provision; each still needs its own LIA.
Here goes …
1. IP address data processing
Depending on how much data you capture, an IP address can tell a lot. For example, you can use it to find a visitor's approximate location, or to find out which company they work for (read more about that in our ABM 101 article).
Legitimate Interests is one of the lawful bases that can be used for processing a user's IP address (which is classified as personal data under the GDPR). An example of a marketing purpose under the Legitimate Interests provision using the IP address could be offering localized offers.
For instance, an eCommerce store can promote a raincoat to someone browsing from an area where it is monsoon season. Alternatively, an online store might use a visitor's location to offer a limited-time free shipping offer for the visitor's area.
Likewise, a B2B company can use a visitor's company (identified from their IP address) to show them dynamic personalization, for example an image or copy personalized with the company's name or industry.
Note: If you use visitors' IP addresses to personalize their website experience (for example for weather or location lookups), use the address for the lookup and then discard it rather than storing it in your database. Keeping only the derived attribute (region, climate, company) means the IP address cannot later be combined with other data points collected about the same person, which would make them far more identifiable.
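The use-then-discard pattern from the note above, as an added example that is not part of the original article or of Convert Experiences' own code. The GeoIP table, prefixes and climate labels are constructed stand-ins for a real lookup database; the returned context has no field for the full address, and the only IP-derived value kept for analytics is a truncated prefix (/24 for IPv4, /48 for IPv6, the same cut-off common analytics tools use for IP anonymisation).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table standing in for a GeoIP database (MaxMind
# GeoLite2 or similar). It maps a prefix to only the attributes that the
# personalisation rule needs, nothing more.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): {"region": "IN-MH", "climate": "monsoon"},
    ipaddress.ip_network("198.51.100.0/24"): {"region": "GB-LND", "climate": "temperate"},
    ipaddress.ip_network("2001:db8::/32"): {"region": "DE-BE", "climate": "temperate"},
}


@dataclass(frozen=True)
class VisitorContext:
    """What the personalisation layer is allowed to keep: derived attributes
    plus a truncated prefix for analytics. There is deliberately no field for
    the full address."""
    region: Optional[str]
    climate: Optional[str]
    ip_prefix: str


def truncate_ip(ip: str) -> str:
    """Zero the host part so the value no longer points at one device:
    keep /24 for IPv4 and /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def build_context(ip: str) -> VisitorContext:
    """Use the full IP once, in memory, to derive coarse attributes, then
    drop it. Only the returned object should ever be persisted or logged."""
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ returns False across IP versions, so mixing
    # IPv4 and IPv6 prefixes in one table is safe.
    geo = next((attrs for net, attrs in GEO_TABLE.items() if addr in net), {})
    return VisitorContext(
        region=geo.get("region"),
        climate=geo.get("climate"),
        ip_prefix=truncate_ip(ip),
    )


def pick_promotion(ctx: VisitorContext) -> str:
    """Localised offer chosen from derived attributes only."""
    if ctx.climate == "monsoon":
        return "raincoat-offer"
    if ctx.region is not None:
        return f"free-shipping-{ctx.region}"
    return "default"


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.9", "2001:db8:1:2:3:4:5:6", "192.0.2.1"):
        ctx = build_context(ip)
        print(ctx, "->", pick_promotion(ctx))
```

The point of the frozen dataclass is structural: downstream code that receives a `VisitorContext` cannot log or store the raw address, because the object never carried it. If you also need company lookup for ABM, derive the company name the same way and drop the address.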
2. Website analytics data processing
Most websites collect their visitors' browsing data for performance optimization purposes. This is usually covered under the Legitimate Interests provision. Such data is generally less problematic because it is aggregated or pseudonymized, and most analytics tools, Google Analytics included, prohibit sending them PII (Personally Identifiable Information) in their terms of service. Bear in mind, though, that pseudonymized data (for example data tied to a client ID stored in a cookie) is still personal data under the GDPR; only truly anonymized data falls outside it.
The trends from such data processing can form the basis of a wide range of personalized website experiences.
For example, using Google Analytics, you can identify the pages on your website where you lose most of your leads. You can also use some of the advanced segmentation options in Google Analytics to identify the audience segments that drop off. Such data processing can generate many insights for you about the demographics and more about the traffic you’re losing.
Using these insights, you can test offering these segments more personalized website experiences.
For example, if an eCommerce store finds that a certain product page has a high drop-off rate, it can use its audience's demographic information to fine-tune that product page's messaging.
Such personalization is subtle and meaningful, and the personal data processed does not feel intrusive to the visitor.
3. Communications data processing
Sending personalized marketing communications by email or SMS needs prior consent in almost all cases. These channels are governed by the ePrivacy rules (PECR in the UK) on top of the GDPR, and the narrow "soft opt-in" for existing customers is the main exception.
Also, since the GDPR, adding a person's email address to your CRM and sending them marketing emails just because they contacted you through your contact form is not lawful. You need a consent checkbox (unticked by default) below the contact form that explicitly asks for the visitor's permission to do so, and you need to keep a record of that consent so you can demonstrate it later (GDPR Article 7(1)).
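How a contact-form handler can enforce that separation, as an added example that is not from the original article or from Convert Experiences. The form field name `marketing_opt_in`, the consent wording, the version label and the two submissions are all constructed for illustration. The enquiry itself is always kept (you need the address to reply), but the marketing list only accepts an entry that carries a consent record, and that record stores a hash of the exact wording the person saw plus when and where they agreed.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Exact wording shown next to the checkbox (constructed). Its hash is stored
# with the consent so you can later show what the person agreed to.
CONSENT_TEXT = (
    "Yes, send me marketing emails from Example Ltd. "
    "I can unsubscribe at any time."
)
CONSENT_VERSION = "v3"


class ConsentRequired(Exception):
    """Raised when a marketing action is attempted without recorded consent."""


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    wording_sha256: str
    version: str
    given_at: str   # UTC ISO-8601
    source: str     # which form produced it


def handle_contact_form(form: dict, now: Optional[datetime] = None) -> dict:
    """Split the submission into the enquiry (always stored, to reply) and an
    optional consent record. The checkbox must be unticked by default, so a
    missing or empty field means no consent; nothing is inferred."""
    enquiry = {"email": form["email"], "message": form["message"]}
    consent = None
    if form.get("marketing_opt_in") == "on":
        consent = ConsentRecord(
            email=form["email"],
            purpose="email-marketing",
            wording_sha256=hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
            version=CONSENT_VERSION,
            given_at=(now or datetime.now(timezone.utc)).isoformat(),
            source="website-contact-form",
        )
    return {"enquiry": enquiry, "marketing_consent": asdict(consent) if consent else None}


def add_to_marketing_list(submission: dict, marketing_list: list) -> None:
    """Gate: the CRM marketing list only accepts entries carrying a consent
    record for this purpose; a bare contact-form email is refused."""
    consent = submission.get("marketing_consent")
    if not consent or consent.get("purpose") != "email-marketing":
        raise ConsentRequired(f"no marketing consent for {submission['enquiry']['email']}")
    marketing_list.append({"email": consent["email"], "consent": consent})


if __name__ == "__main__":
    marketing_list = []
    # Constructed submissions: one without the box ticked, one with.
    plain = handle_contact_form({"email": "a@example.com", "message": "Pricing?"})
    opted = handle_contact_form(
        {"email": "b@example.com", "message": "Demo?", "marketing_opt_in": "on"}
    )
    add_to_marketing_list(opted, marketing_list)
    try:
        add_to_marketing_list(plain, marketing_list)
    except ConsentRequired as exc:
        print("refused:", exc)
    print(marketing_list)
```

Keeping the consent record separate from the enquiry also makes withdrawal straightforward: deleting or flagging the record removes the person from the marketing list without touching the support history.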
Besides, the GDPR does not work in isolation, so your email or SMS marketing campaigns must also comply with the other relevant regulations, for example by offering an unsubscribe link in every message.
That said, once you have obtained consent for such communications from a subscriber, you can personalize your website experience for that subscriber based on their interaction with your marketing emails or SMSes. This should be reasonably covered under the Legitimate Interests provision, provided it passes the three-part test.
For example, a travel company can use its communications history with its subscribers to show them personalized pages. For instance, a subscriber who has shown interest (let’s say by clicking on a link) in luxury travel might be shown a page that promotes a stay package at a luxury hotel. Alternatively, a budget traveler might be shown a few select deals on budget hotels.
4. Behavioral data processing via cookies, web beacons, etc.
Behavioral data processing is very similar to website analytics data processing. Like analytics data, the data used to power behavioral campaigns is usually pseudonymized: it is tied to a cookie or device identifier rather than to a name or email address. Pseudonymized data is still personal data under the GDPR and needs a lawful basis; only truly anonymized data is outside the GDPR's scope, and the GDPR is flexible with that.
Insights from visitors' interaction with a website (for example the pages they viewed and their click data) can be used to deliver contextually rich website experiences.
For example, an enterprise-level software company can track behavioral data of its visitors and offer them more personalized experiences on their return visits. For instance, a visitor who seems to be exploring a certain solution might be shown the same solution’s trial page or signup form on their next website visit.
5. Profile data processing
Just like website analytics and behavioral data processing, a company can rely on the Legitimate Interests basis to use pseudonymized data to create user profiles (profiling).
For example, a gadget comparison website might use its users' pseudonymized browsing data to identify its key audience types. It can then serve personalized offers and promotional campaigns to each (for example suggesting high-end mobiles to its high-end audience segment and showing discounts on budget mobiles to its budget-friendly segment).
Two caveats apply to profiling specifically: individuals have an absolute right to object to profiling for direct marketing purposes (GDPR Article 21(2)), so anyone who has objected must be excluded before profiling starts, and automated decisions that produce legal or similarly significant effects are restricted by Article 22, a threshold that marketing segmentation of this kind normally does not reach.
The guidance document on the use of Legitimate Interests referenced at the end of this article not only supports relying on this basis for such processing, but also gives an example of user profiling using social media data. It states that a company can use:
… [A]n algorithm provided by the social media provider to better target its advertising to ‘lookalikes’ – i.e. other individuals who have similar characteristics to that business’ own customers. The business uploads the minimum required personal data on its customers to enable the social media targeting, but excludes those who have objected to marketing. Profiling is conducted within the social media platform to enable the targeting, however it is purely for marketing purposes and the business has assessed that it does not result in any legal or similarly significant effects upon those individuals.
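A minimal implementation of the behavioral and profiling pattern from sections 4 and 5, including the "excludes those who have objected" step from the quote above. This is an added example, not code from the original article or from Convert Experiences; the events, cookie identifiers, tiers, offers and the objection list are all constructed. Visitors are keyed by an HMAC of their first-party cookie id, so the segment store never holds the raw identifier and rotating the key severs linkage with older data.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample of behavioural events, keyed only by a first-party
# cookie identifier; no name, email or full IP address is recorded.
EVENTS = [
    {"cookie_id": "c-1001", "page": "/phones/flagship-x", "tier": "premium"},
    {"cookie_id": "c-1001", "page": "/phones/flagship-y", "tier": "premium"},
    {"cookie_id": "c-1002", "page": "/phones/budget-a", "tier": "budget"},
    {"cookie_id": "c-1002", "page": "/phones/budget-b", "tier": "budget"},
    {"cookie_id": "c-1002", "page": "/phones/flagship-x", "tier": "premium"},
    {"cookie_id": "c-1003", "page": "/phones/budget-a", "tier": "budget"},
]

# Constructed suppression list: cookie ids whose owners objected to
# marketing (GDPR Article 21). They must never enter the profiling step.
OBJECTED = {"c-1003"}

# Constructed mapping from segment to the offer shown on the next visit.
OFFERS = {"premium": "new-flagship-launch", "budget": "budget-phone-discount"}


def pseudonymise(cookie_id: str, key: bytes) -> str:
    """Keyed hash of the identifier. Stable under one key, so events still
    group per visitor, but not reversible without the key; rotating the key
    severs linkage between old and new data."""
    return hmac.new(key, cookie_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_segments(events, objected, key: bytes) -> dict:
    """Return {pseudonym: dominant tier}, skipping anyone who objected."""
    tiers = defaultdict(Counter)
    for event in events:
        if event["cookie_id"] in objected:
            continue  # suppression happens before any profiling
        tiers[pseudonymise(event["cookie_id"], key)][event["tier"]] += 1
    return {pid: counts.most_common(1)[0][0] for pid, counts in tiers.items()}


def offer_for(cookie_id: str, segments: dict, key: bytes) -> str:
    """Look up a returning visitor's segment without storing their raw id.
    Unknown or suppressed visitors get the generic experience."""
    segment = segments.get(pseudonymise(cookie_id, key))
    return OFFERS.get(segment, "generic-homepage")


if __name__ == "__main__":
    key = b"rotate-me-monthly"  # constructed; keep the real key in a secrets store
    segs = build_segments(EVENTS, OBJECTED, key)
    for cid in ("c-1001", "c-1002", "c-1003"):
        print(cid, "->", offer_for(cid, segs, key))
```

Because the objection check happens on the raw cookie id before pseudonymisation, the suppression list can be maintained by the same system that receives objections, and the profiling store never needs to learn who objected.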
6. Second-party and third-party data processing
In addition to first-party data (the data a company collects itself, for example from its own Google Analytics account), quite a few companies use second-party and third-party data as well.
This data, sourced from partners and data exchanges, gives marketers insights about the psychographics, technographics and demographics of their audiences. It is usually used to build detailed customer profiles, which in turn are used to create more relevant content and messaging and to deliver it to key segments of the general audience.
For example, a B2B business can use such data to identify the key segments in its audience and target each segment with personalized content recommendations.
If you need to use such sourced data, make sure that you only partner with data providers and exchanges that can show fair and lawful collection and processing practices, and remember that you carry your own transparency obligations: under Article 14 of the GDPR you must tell individuals where you obtained their data when it did not come from them directly.
7. Purchase history data processing
An eCommerce store might offer personalized product recommendations to its visitors based on their transaction history.
DPN (the Data Protection Network, a UK-based body that offers expert advice on data protection and privacy) offers a lot of guidance on the use of Legitimate Interests. It suggests that an online store's use of a customer's purchase history for personalized product recommendations can be a good ground for relying on this basis:
A retailer with a wide product range conducts automated processing which is based on a customer’s transactional history, for the purpose of predicting what other products and services they may be interested in.
8. Account history data processing
Account data processing can be considered the B2B equivalent of purchase history data processing.
A B2B company can use its users' account history data to deliver richer contextual content experiences. For example, it can use its customers' usage and subscription data to offer them more relevant upgrade or cross-sell offers.
9. Cookie data processing
There are a lot of ways cookie data can help offer personalized website experiences that are both non-intrusive and relevant. Keep in mind, though, that the rules on setting cookies sit in the ePrivacy Directive (PECR in the UK), not in the GDPR: only cookies that are strictly necessary for a service the visitor has requested are exempt from consent. Personalization and analytics cookies need the visitor's consent before they are set, and explaining them and the opt-out on your privacy pages is not enough on its own. Legitimate Interests can then be the GDPR lawful basis for what you do with the data the cookie collects.
For example, a business website can use cookie data to determine what content to deliver to a prospect to move them further along the sales funnel. There are many ways cookie data can be used in privacy-friendly ways, and much of the data in the examples above is collected or keyed via cookies, which is why getting the cookie layer right matters.
For more examples on processing data under the Legitimate Interests clause, check out Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation.
Wrapping it Up …
Choosing between the two options, Legitimate Interests or Consent, for your marketing purposes needs consideration on a case-by-case basis. While Legitimate Interests can be (and is) the most common lawful ground for processing personal data for most marketers, it must be used with care.
Also, while the Legitimate Interests provision can cover a lot of website personalization tactics, you must still carry out and document a Legitimate Interests Assessment (LIA) and seek help from a privacy lawyer or practitioner to be doubly sure before relying on it.
At Convert Experiences, we empower marketers just like you to offer GDPR-safe and privacy-friendly personalized website experiences to your users. We have also conducted a thorough LIA of all the data we use under the Legitimate Interests provision to power such personalizations. Check it out here. And if you are looking to offer website personalizations built with privacy by design and privacy by default, do check out Convert Experiences.
Originally published June 05, 2019 – Updated December 17, 2021
Authors
Dionysia Kontotasiou
Convert’s Head of Integration and Privacy, helping customers with technical queries.