How-to: Consent and the limits of legitimate interest

The incoming General Data Protection Regulation significantly raises the bar on personal data processing for all organisations contacting EU citizens. Not least in the list of considerations is the extent of legitimate interest - contacting existing customers - and the requirement for explicit, opt-in consent.

GDPR compliance does not mandate discarding all of your existing data and gaining fresh consents from users, but it is absolutely necessary to review your current consent management process.

If the process complies with GDPR's definitions, then existing consents are valid and you may continue to hold existing personal data. The tricky part may be determining that compliance...

We have covered legitimate interest in previous posts. It is a valid legal basis for continuing to hold personal data under the terms of GDPR and doesn't require wholesale deletion and gaining of fresh consents. We have also looked at PECR/ePrivacy compliance under this heading.

Essentially, for paying customers (let's gather users, visitors, members and subscribers under this banner) with whom there is a clear, pre-existing relationship, particularly one initiated by the customer, legitimate interest should carry.

However, legitimate interest raises some questions:

How long is someone a customer? A month from their last purchase, one year, two years, three?

For exactly how long can you store and process their data?

I might baulk at constant marketing emails three years after I made a one-off purchase; I might not if I regularly re-ordered the same items or frequently took up special offers.

What if I am a lapsed subscriber after several years' renewals to a service? Is three years too long? And what if I get my first marketing email only two years after lapsing?

The use of legitimate interest as a legal basis is subjective, running the risk that the ICO takes a different view than yours. I suspect it may ultimately be tested in the courts.

What's the safety net? Always include a clear and unambiguous unsubscribe or opt-out on every communication with an individual, regardless of the frequency or time-lag between events. GDPR recommends and recognises this as the best way to put the consumer in charge of the relationship.

If there is any doubt about existing data - perhaps it's not clear where you obtained the personal data or who initiated the relationship - then it is always safest to discard the data and get fresh consent in a GDPR-compliant way. RC

Image credit: Safety Net - by Ian Paterson, CC BY-SA 2.0, via wikimedia commons.