GDPR: Consent vs. legitimate interest – what’s the answer?

The GDPR reinforces the view that the DMA has held for a long time, which is that the customer should be at the heart of everything we do as marketers. The new rules present an opportunity for organisations to improve the consumer experience; but they also state that organisations must have an appropriate legal ground to justify their marketing activity.

It is vital that businesses and their marketers understand all the legal options available to them. By analysing the key differences between consent vs. legitimate interest, organisations may be in a better position to decide which option is better suited to their business model and will benefit their consumers most.

Consent is just one of the two legal grounds likely to be used for marketing activities, alongside the equally valid legitimate interests that is still all-to-often being overlooked. In fact, it’s hard to discuss one without the other.

Compared to the existing Data Protection Act, the GDPR has significantly strengthened the standard of consent. For consent to be valid, the individual will need to agree to specific and detailed information they would have been clearly presented at the time.

This may mean marketers will find that using consent as a legal basis is not appropriate, instead opting to use legitimate interests, as the legal basis for their marketing activity. This is a risk-based approach, in which the marketer must balance their interests against the risks to privacy for the individual.

Clear and positive 
Under the new rules, consent must include actively consenting to statements, whether in writing, orally or electronically. You must also use consent if you plan to contact potential customers with whom you have had no prior interaction. Examples of this positive action are ticking a box when visiting a website or choosing technical settings for cookies on your internet browser. 

Under the GDPR, consent cannot rely on silence, pre-ticked boxes or inactivity on the part of the consumer. By making a positive action, a consumer should be in no doubt as to whether or not they will be receiving marketing from your organisation, what sort of marketing and by what channel. Being clear and transparent is key.

Guiding light of transparency 
Many commentators have suggested that consent is the only legal ground that a marketer should rely on. Some organisations have opted for consent as their preferred legal option due to its objective nature, but legitimate interests is an equally valid ground for marketing activity and provides marketers with more flexibility to connect with customers. However, legitimate interests cannot be considered a “get out of jail” card.

Legitimate interests are those uses of personal data by an organisation that are deemed necessary (e.g. to provide the product or service) or reasonable by a consumer, and a legitimate interest must not override the fundamental right or freedoms of an individual.

Organisations must make their case as to why someone would be interested in their goods or services by carrying out a Legitimate Interests Assessments (more details about this can be found in the DMA’s guidance), while also offering clear opt-outs to customers.

It’s also important to reiterate that the legislation says there is no hierarchy and all legal grounds are equal. Meaning the decision to select consent or legitimate interests for marketing activity should be made on what is best for your customers and your business, so long as your intentions remain transparent.

So what is the answer?
It is clear that the correct approach to justifying marketing activity shouldn’t be a case of consent or legitimate interests, it is more about consent and legitimate interests. You might choose consent for some activities and legitimate interests for others. This might even happen within the same transaction.

For example, a company might decide that consent is appropriate for email marketing, but that profiling should be carried out using legitimate interest. Either way, transparency should be your guiding light throughout.

It is imperative that organisations use the GDPR as a catalyst to transform the consumer experience, balancing privacy with innovation. From boardrooms through to all tiers of organisations, we must work together to create customer-centric business environments. Brands that make data protection a core value will blossom.

‘GDPR Guidance for Marketers: Consent and Legitimate Interests’ provides further analysis into the options available to organisations with some practical case studies, to find out more please visit:

What’s Hot on Essential Retail?