If you collect personal data from EU residents, GDPR requires you to have a lawful basis for doing so. Two of the most common - and often confused - bases are user consent and legitimate interest. Here's when and how to use each.

This article explains who needs a legal basis for processing personal data, the differences between user consent and legitimate interests, and when and how to use each basis.


Anyone who is required to comply with the GDPR must have a legal basis for processing (using) data subjects' personal data. Data subjects are the individuals to whom personal data belongs.

Personal data is information that can be used to identify an individual, such as names, phone numbers, and addresses.

The GDPR applies to:

  • Any organization that collects or processes EU data subjects' personal data
  • Organizations located outside of the EU that offer goods or services to EU residents
  • Organizations located outside of the EU that monitor the behavior of EU residents

If you are required to comply with the GDPR, you must process data in accordance with at least one of the six following legal bases:

  1. The data subject consents to having their personal data processed for a specific purpose.
  2. The data needs to be processed to fulfill a contract with a data subject or to take actions requested by a data subject before entering into a contract.
  3. You are required by law to process the personal data.
  4. You need to process the personal data to protect someone's life.
  5. The personal data needs to be processed in order to carry out a task in the public interest or to exercise official authority.
  6. You need to process personal data to fulfill your legitimate interests (or those of a third party). You can only use this basis to process data as long as the data subject's rights and freedoms don't override your legitimate interests.

Article 6 of the GDPR lists the lawful bases that you must choose from in order to process personal data, including when a user has given their consent to the processing activities and when the processing is necessary to fulfill legitimate interests.

GDPR Article 6

Keep in mind that once you have identified a legal basis for processing personal data, you cannot change it. However, you can choose more than one legal basis.

Consent in the context of the GDPR means getting permission from a data subject to use their personal data.

The GDPR requires consent to be:

  • Freely and clearly given. This means that you can't require a data subject to consent to having their personal data processed in order to use your service, unless the data is necessary to provide the service. For instance, if you sell products via an e-commerce store, you'll need a customer's payment info and address to complete and ship their purchase.
  • Specific. You should clearly explain what you plan to do with the personal data. If you want to use personal data for more than one purpose, you'll need to get separate consent for each purpose.
  • Informed. For consent to be informed, the data subject must understand who is processing their data and for what purposes and that they can withdraw their consent whenever they wish.
  • Unambiguous. There needs to be no doubt as to whether the data subject consented to having their personal data processed.

What Are Legitimate Interests?

Legitimate interests can encompass a wide variety of interests, including fraud prevention, information security, and third-party interests, among others.

Processing personal data under the legitimate interests basis can be appealing as it can apply to a variety of circumstances and doesn't depend on fulfilling a contract, complying with a law, or obtaining a data subject's consent.

However, if you rely on legitimate interests to process personal data, you must ensure that your legitimate interests are balanced with the rights and freedoms of the data subject, particularly if they are a child. The other lawful bases do not explicitly require this step.

It's important to note that personal data cannot be processed under the legal basis of legitimate interests if the processing infringes on the data subject's fundamental rights or freedoms, especially when the data subject is a child.

Recital 47 of the GDPR explains that the legitimate interests of a data controller (an individual or entity who makes decisions about how or why to process data) or third party must be balanced against the rights and freedoms of the data subject.

GDPR Recital 47: Overriding legitimate interest

Many business owners choose user consent as their legal basis for processing personal data since they can do almost anything with the data as long as they tell the data subject what they intend to do with the data and get their explicit consent.

You'll likely want to use user consent as your legal basis for processing personal data in the following situations:

  • When no other legal basis applies to your data processing
  • When you want to use data in a way that isn't compatible with your original purpose
  • When you want to process data in a way that could be viewed as intrusive or unexpected
  • When you want to process sensitive data, such as race or ethnicity, religious beliefs, or biometric data
  • When processing involves certain activities such as personalized advertising, online tracking, and app or software installations
  • When you value transparency and want to give users control over how their personal data is used

Many organizations choose legitimate interests as their legal basis for processing personal data due to its flexibility.

The legitimate interests basis is often used when an organization's data processing activities are low-risk or it has a strong reason for processing personal data.

You may want to use legitimate interests as your legal basis for processing personal data if:

  • You are not legally required to process the personal data but processing the data would be demonstrably beneficial to you or others.
  • The data processing activities have a minimal impact on the data subject's privacy.
  • The data subject would reasonably expect that their personal data would be used for your intended purpose(s).
  • You can't (or don't want to) request consent from the data subject when they would be unlikely to oppose the processing activities.

If you are unwilling to conduct a risk assessment to determine how your data processing activities could impact data subjects, or if you don't want to put in the work to justify the use of legitimate interests as your basis, then you might want to consider consent as your legal basis for processing personal data.

If you choose to process personal data under the legal basis of user consent, you need to make sure that you meet the following requirements:

  • Your consent request must be clearly written, distinguishable from any other text, and easily accessible.
  • You must provide a way for users to refuse to allow their personal data to be processed or withdraw their consent at any time without being penalized.
  • If a data subject withdraws their consent, you must stop processing their personal data right away.
  • The consent withdrawal process needs to be as easy as the process for giving consent. 
  • You should maintain records of the consent you obtain in case of an audit. 
  • If you have multiple reasons for processing personal data, you need to get separate consent for each purpose.

Article 7 of the GDPR outlines the conditions for consent, including ensuring that the consent request is distinguishable from other text and that data subjects can easily withdraw their consent at any time.

GDPR Article 7: Conditions for Consent

Let's take a look at a few examples of how different businesses meet the GDPR's requirements for consent-based data processing.

Your consent request needs to be separate from any other text.

Meta uses text size and placement to distinguish its consent request from the other text on its newsletter sign-up page.


If you plan to use personal data for multiple purposes, you'll need to get consent for each individual activity.

Chase provides Disney credit card applicants with separate consent requests for different data processing activities, including receiving automated calls and texts and authorizing the Social Security Administration (SSA) to disclose their personal information.


When users go to sign up for Postscript's newsletter, the business lets them know that by providing their phone number they are agreeing to receive marketing text messages from Postscript and authorized third parties.

Postscript: When users go to sign up for the newsletter, the business informs them of SMS marketing consent

It should be as easy for users to withdraw their consent as it was for them to give it.

Users signing up for a HealthCare.gov account must tick a box next to a statement that they agree with the website's Privacy Policy and Terms and Conditions agreement.

HealthCare: Users signing up for an account must tick a box

HealthCare.gov's Privacy Policy explains how it uses the information it collects, including to process health insurance applications and send Marketplace messages.

HealthCare.gov's Privacy Policy explains how it uses the information it collects

Users can easily adjust their privacy settings and choose whether to allow the website to use their information for advertising, social media, or web analytics purposes.

HealthCare privacy settings: Users can easily adjust their privacy settings

You need to make sure that your consent request clearly explains how you will be using personal data and why you are processing it. Avoid using technical language or legal terms the average person wouldn't understand. If your consent request is vague or hard to understand, consent will not be valid under the GDPR.

When submitting a demo request to Slack that includes their personal information, users are informed that by registering, they agree to the processing of their personal data as outlined in its linked Privacy Statement.

Slack: When submitting a demo request, users provide consent

Users can read the full explanation of why Slack processes their personal data, including to provide and improve its website, by clicking on the link.

Slack: Users can read the full explanation of why Slack processes their personal data

Comparably, when users go to sign in to TikTok, they are presented with a statement that by continuing they agree to TikTok's linked Terms of Service agreement and Privacy Policy.

TikTok: When users go to sign in to TikTok app, they are presented with consent for legal policies

Users can learn how TikTok processes their personal data, including to fulfill requests, customize content, and improve its platform, by clicking on its Privacy Policy link.

TikTok Privacy Policy: Users can learn how TikTok processes their personal data

Consent that is obtained passively, such as through pre-ticked checkboxes or inactivity, is not considered unambiguous under the GDPR.

Unambiguous consent can be obtained through the use of a tickable box next to a statement that the data subject agrees to have their personal data processed or by enabling users to adjust their technical settings.

Recital 32 of the GDPR explains that unambiguous consent can be obtained through the use of an unticked checkbox on a website or by giving users of information society services the ability to choose technical settings.

GDPR Recital 32

For example, before job seekers can submit an employment application with Keen Games, they must check a box next to a statement that they have read the company's Privacy Policy and that Keen Games can store their personal details to process their application.

Keen Games: Consent to Privacy Policy before cover letter upload

Clicking on the link takes users to Keen Games' Privacy Policy, which explains that it typically relies on legitimate interests as its legal basis for processing users' data, but that it also processes data when users consent to the processing.

Keen Games Privacy Policy: Section for Legal bases

In another example, LVMH's Cookie Banner explains that by clicking the "Accept All Cookies" button, users are consenting to have cookies stored on their devices for enhanced site navigation, site usage analysis, and marketing purposes. The Cookie banner includes a "Reject All" button for users who don't consent to have cookies stored on their device, as well as a link to the company's Cookies Settings, which takes users to a pop-up box where they can adjust their cookie preferences.

LVMH Cookie Banner: Accept All button

Similarly, Novo Nordisk's Cookie Banner contains "Accept All Cookies" and "Reject All" buttons and a link to its Customize Cookies pop-up box, but it takes the extra step of clearly articulating what clicking on each button or link does.

Novo Nordisk Cookie Banner: Accept All Cookies or Reject All

Follow these three steps to apply legitimate interests as your legal basis for processing personal data.

Step 1. Identify a Legitimate Interest

You'll need to satisfy a three-part test before processing personal data under the legitimate interests basis.

1. Purpose test

First, figure out your purpose: is there a legitimate interest for processing the data?

Legitimate interests can include your legitimate interests, those of a third-party organization or individual, or even the legitimate interests of the general public.

Answering the following questions can help you identify your purpose:

  • Why do you want to process the personal data?
  • What benefits will the data processing provide you, third parties, or the general public, and how important are they?
  • What would happen if you were unable to process the data?
  • What result is expected for individuals?
  • Are you complying with applicable laws?
  • Are you complying with industry guidelines and standards?
  • Does the data processing raise any ethical concerns?

2. Necessity test

Next, you'll need to decide whether the processing is necessary.

These questions can help you decide if data processing is necessary:

  • Will the data processing help you achieve your purpose?
  • Is the processing limited to what is necessary to fulfill the purpose?
  • Can your purpose be fulfilled without processing the data, or by processing less data?
  • Can you process the data in a more straightforward or less intrusive way?

3. Balancing test

Finally, make sure your legitimate interest is balanced with the data subject's rights, interests, and freedoms.

Step 2. Conduct a Legitimate Interests Assessment (LIA)

Once you have performed the three-part test, you can conduct a Legitimate Interests Assessment (LIA). An LIA involves assessing each part of the three-part test and recording the results to demonstrate that legitimate interest is a justifiable legal basis for your data processing.

Be sure to update your LIA regularly as your business goals evolve to ensure the legitimate interests basis continues to apply to your data processing activities.

Step 3. Notify the data subject

Once you have conducted the three-part test and LIA, you will need to inform individuals of the following information:

  • Your reasons for processing personal data
  • That you are using legitimate interests as your legal basis for processing personal data
  • An explanation of your legitimate interests

You can include this information in your Privacy Policy, a legal document that outlines your privacy practices and explains how individuals can exercise their privacy rights.

Experian's Consumer Product Privacy Policy explains that it relies on legitimate interests to process personal data for multiple purposes including marketing, fraud detection, and internal training.

Experian Consumer Product Privacy Policy: Legitimate interest section

Your Privacy Policy needs to be clearly written, regularly updated, and easily accessible.

You should provide a link to your Privacy Policy wherever you collect or process users' personal data, including on or within your:

  • Website footer
  • App menu
  • Account creation or login page
  • Cookie Banner
  • Checkout page
  • Terms and Conditions agreement

AccuWeather puts links to its legal agreements, including its Privacy Policy, within its website footer.

AccuWeather website footer: Links to legal policies

Kohl's maintains links to its Legal Notices and Privacy Policy on its checkout page.

Kohl's: Links to legal policies from the Checkout page

| Legal Basis | When to Use | Pros | Cons |
|---|---|---|---|
| User Consent | When processing is optional, intrusive, or involves sensitive data | Clear user control, transparency | Requires active consent, risk of opt-outs |
| Legitimate Interest | When processing is expected, low-risk, or beneficial | More flexible, no need for opt-in | Requires internal justification, balancing test |

Summary

Anyone who is required to comply with the GDPR to process personal data needs to have a legal basis for doing so.

Organizations based in the EU that process EU residents' personal data and organizations located outside of the EU that offer goods or services to EU residents or monitor EU residents' behavior must comply with the GDPR.

User consent under the GDPR refers to getting permission from an individual to process their personal data.

Legitimate interests can include your interests, third-party interests, and the interests of the general public. A three-part test that includes a purpose test, necessity test, and balancing test can be used to determine whether legitimate interests apply.

You can likely use consent as your legal basis for data processing in the following situations:

  • If the other legal bases don't apply to your data processing
  • If you want to use data for a reason other than your original purpose
  • If your data processing activities are unexpected or potentially intrusive
  • If you want to process sensitive data
  • If you are engaging in certain data processing activities such as targeted marketing or tracking users' online behavior
  • If you want to give users a choice over how their personal data is processed

You may be able to use legitimate interests as your legal basis for processing personal data if:

  • The law doesn't require you to process personal data but it would be beneficial to you or others.
  • The data processing poses little risk to the data subject's privacy.
  • The data subject would reasonably expect their personal data to be processed.
  • You can't (or don't want to) request consent from the data subject when they would be unlikely to object to having their data processed.

Getting GDPR-compliant user consent involves the following:

  • Ensuring your consent request is distinguishable from other text
  • Obtaining separate consent for multiple purposes
  • Providing a consent withdrawal process that is as easy to use as the method for giving consent
  • Ensuring your consent request explains how and why you plan to process personal data
  • Making sure consent is unambiguous

To check if legitimate interests is the right legal basis for you, you should:

  • Conduct a three-part test
  • Perform and record an LIA
  • Use your Privacy Policy to inform data subjects why you are processing their data, that legitimate interests is your lawful basis, and what your legitimate interests are
