Legitimate Interests vs. Consent. Do you really know the difference?

28th March 2018

Amendment 26/04/2018
Please note, the following guidance was intended to focus on commercial marketing activities with regard to consumers.

There is a difference between sending emails for marketing and for administrative purposes. The latter is permitted under legitimate interests; marketing communications are not.

We are now just over one month away from the introduction of the EU General Data Protection Regulation (GDPR), which is set to drastically alter the way in which data is stored and processed. The aim of this new legislation is to put the modern consumer and citizen first, by protecting and limiting access to their data.

On the 25th May 2018, the GDPR will come into force, and the way in which some organisations currently process data will cease to be legal. With just over 7 weeks to go, it is important you understand the changes that are due to be made, as every establishment must follow the new guidelines and regulations when it comes to processing data, so as to avoid breaking the law.

In order to legally process the data of an individual, you must first have a lawful basis. There are six bases. The two frequently used for marketing purposes, legitimate interests and consent, have sparked confusion, as there is uncertainty surrounding what the differences between them are and when it is appropriate to implement them.

Legitimate Interest

Legitimate interests is probably the most flexible lawful basis for processing, but that does not mean it is always the most appropriate. The entire premise of legitimate interests is that the data of an individual can be processed by an organisation if there is a legitimate reason for that business to do so. For example, a corporation communicating with its customers to win business would be deemed as a legitimate interest of the business, and therefore they would be permitted to contact customers providing they sent relevant material.

With legitimate interests there comes extra responsibility, as it is essential you perform a legitimate interests impact assessment (LIA) in order to determine whether the client would reasonably expect their data to be used for the reason for which you are contacting them. It is a good idea to keep a record of your assessments, so as to prove you are adhering to guidelines and only contacting citizens when the purpose is warranted.

Legitimate interest is only applicable to postal mail and telephone contact, with the caveat that the consumer is not registered with the TPS or MPS (voluntary), which are registers of people who have overtly said they do not want to receive marketing-related calls or letters.

Email marketing and SMS are controlled by the PECR regulation and this regulation demands consent.


Consent, on the other hand, means offering individuals real choice and control. Organisations are unable to process the data of anybody unless they have actively allowed it. In the past, different websites may have offered a pre-ticked box that consumers must un-tick to opt out. The new regulation stipulates that instead of the old method of consumers having to act to opt out, they now must actively choose to opt in. Consumers may have previously been unaware that they must un-tick the box so as to opt out, meaning many individuals may have unknowingly and unwittingly opted in to unwanted emails, phone calls and postal mail.

On top of giving consumers this choice to opt in, you must ensure you make it easy for people to be able to opt out should they wish to do so, and you must also make it clear how they do this. In future, under the forthcoming ePrivacy Regulation (as the current draft stands), in every 12-month period you must send a reminder to alert the customer that they can opt out of your communications.

It is important to keep evidence of the consent you have acquired. Keeping records of consent ensures you are protected in the event of a consumer challenging you for communicating with them – you will have evidence to say they did, in fact, agree to their data being used.

It is also crucial to declare the names of any third-party controllers who will also rely on this consent. Consumers must know exactly who is able to access and process their data, meaning it is essential to publicise this from the outset.

Although this may seem complex and daunting, the regulation is relatively straightforward once you become familiar with it, and remember, this has not been introduced to catch organisations out or to hand out hefty fines – it is to put the modern consumer and citizen first to protect their data and privacy.

Should you need any more information on either legitimate interests or consent, or on the GDPR itself, please do not hesitate to get in touch and we will be happy to assist you.
