New GDPR Guidelines on Legitimate Interest
In October 2024, the European Data Protection Board (EDPB) adopted new Guidelines on processing personal data based on legitimate interest, providing a clearer path for data controllers to lawfully process data under Article 6(1)(f) of the GDPR.
In our opinion, it’s about time to address this issue, especially considering how frequently we encounter “legitimate interest” as a legal basis in cookie consent banners.
Some websites use legitimate interest as a legal basis to pre-check consent boxes for various types of cookies (see example below). A particularly concerning example is a Dutch online community that claims legitimate interest to place cookies for gambling-related ads, a justification that seems questionable under GDPR standards.
So, what exactly is legitimate interest under GDPR?
In short, legitimate interest is a legal basis that allows organisations to process personal data when it’s necessary for a legitimate business purpose, provided the processing does not override the individual’s rights and freedoms. This means that no consent is required. A company may, for example, rely on legitimate interest to send marketing e-mails to existing customers, on the basis that those customers have a reasonable expectation of receiving such communications.
The broad and flexible nature of the term allows websites to claim legitimate interest for various data processing activities, such as targeted advertising and user profiling, without fully disclosing these actions to users.
The main concern, however, is that it can be applied in ways that do not align with user consent and transparency standards.
Key Takeaways from the new guidelines for legitimate interest as a legal basis
To address concerns around using legitimate interest as a legal basis for cookies, the latest guidelines outline when controllers can rely on this approach for data processing.
Controllers must meet three cumulative conditions:
- The controller or third party pursues a legitimate interest.
- Processing the data is necessary for this interest.
- The legitimate interest is balanced against the rights and freedoms of the individuals concerned, and does not override them.
The update also reflects the recent ECJ ruling (C-621/22, Oct 2024), which provides further clarity on how legitimate interest should be evaluated.
Controllers must carefully assess:
- Whether their interest is lawful, specific, and real.
- Whether less intrusive alternatives exist.
- Which safeguards can protect the individual’s rights.
These updates are important for any organisation considering relying on legitimate interest to process personal data. The new framework helps ensure compliance while balancing business needs with protecting individual rights.