How to Track Website Visitors Based on Your Legitimate Interests
Legitimate interests are one of the most widely misunderstood concepts in data protection. Many businesses rely on them to process users' personal data, but they often do so unlawfully, in violation of the GDPR or another applicable data privacy law.
Here you can read about:
- What legitimate interests are
- How to decide whether legitimate interests are a good fit for your processing purposes
- How to conduct the purpose test and the necessity test
- How to run the balancing test
- Whether you can rely on legitimate interests for marketing purposes
What is Legitimate Interest?
Legitimate interest is one of the legal bases for processing personal data under the GDPR (Article 6(1)(f)) and other data protection laws. You can rely on it when the processing is necessary for a legitimate interest of yours (or of a third party) and that interest is not overridden by the interests, rights and freedoms of your users, i.e., the data subjects, taking their reasonable expectations into account.
It means that you can process users' personal data when:
- You have a specific, lawful business interest
- The processing is necessary for that interest, and the interest is not overridden by the rights and freedoms of the users, and
- Users can reasonably expect to be tracked for that purpose.
The tricky part is how to make sure that you rely on legitimate interests without violating the law.
You cannot rely on legitimate interests by default. Treat them as the basis you turn to only when no more specific basis fits: if the processing is necessary to perform a contract with the user, or the user can give valid consent, use that basis instead. Legitimate interests also shift the burden onto you, because you must justify and document the balancing yourself.
How to Decide If your Business Interests Are Legitimate Interests for Personal Data Processing?
You need to conduct a Legitimate Interests Assessment (LIA). The LIA is made up of three tests: the purpose test, the necessity test, and the balancing test. Together they demonstrate whether you have a legitimate interest that justifies the processing of personal data, and the written assessment is your evidence of accountability if a regulator asks.
The purpose test determines what your purpose is in processing your users’ personal data.
The necessity test aims to determine whether personal data processing is necessary.
The balancing test determines whether your interest is strong enough to rely on. It is a comparison between your interest and the interests, rights and freedoms of your users. When your interest is not overridden by theirs, you can proceed with the processing. When the rights and freedoms of your users outweigh your interest, you cannot rely on legitimate interests and must establish another legal basis for processing (or not process the data at all).
How to Conduct the Purpose Test?
You conduct the purpose test by identifying and writing down the purpose of the processing. You need to know why you process the data and what benefit it brings to you, your users, or third parties. The purpose test does not differ from determining any other processing purpose; the only addition is that you should be able to explain why the purpose is legitimate, i.e., lawful and clearly articulated.
Once you have determined the purposes of your processing, you can proceed to the necessity test.
How to Conduct the Necessity Test?
The necessity test is straightforward. You must consider whether the processing of personal data is required for your purpose.
- Is data processing necessary?
- Can you fulfill the processing purpose without processing personal data?
- Can you satisfy the processing purpose in a less intrusive way, for example by processing less data, keeping it for a shorter time, or pseudonymising it?
For example, if you want to process personal data for website security reasons, you need to examine whether you can protect the website without processing personal data, or with less of it. If you find that adequate protection is feasible and commercially viable, i.e., the cost is proportionate and will not cripple your business, you should adopt that approach and refrain from the more intrusive processing.
If you find that the less intrusive options are insufficient or disproportionately expensive for your business, your necessity test has established that the personal data processing is required for your purpose. Record that reasoning: "it was easier" is not a necessity argument, "nothing less intrusive works" is.
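The third necessity question (is there a less intrusive way?) is easiest to answer with evidence rather than opinion. The Python below is an added example for this article, not code from the original page or from Secure Privacy. It replays a constructed request log (documentation IP ranges, not real clients) through the same sliding-window abuse detector twice: once keyed on raw client IP addresses, once keyed on an HMAC pseudonym of the IP under a rotatable key, with records purged after a short retention period. The class and function names, window, threshold and retention values are assumptions chosen for the illustration. Both runs flag the same abusive client, which is exactly the kind of finding that lets you write in the necessity test that the security purpose can be met without retaining identifiable IP addresses.

```python
"""Data-minimised abuse detection: evidence for the 'less intrusive way' check.

Added example (not the article's or Secure Privacy's code). Two runs of the same
detector over one constructed request log: the first keeps raw client IPs, the
second keeps only an HMAC pseudonym of each IP under a rotatable key and purges
records after a retention window. Both flag the same abusive client.
"""
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict, deque
from typing import Optional

# Constructed sample log: (unix timestamp, client IP, request path).
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real clients.
SAMPLE_LOG = [
    (1_700_000_000, "203.0.113.7", "/login"),
    (1_700_000_001, "203.0.113.7", "/login"),
    (1_700_000_002, "203.0.113.9", "/"),
    (1_700_000_003, "203.0.113.7", "/login"),
    (1_700_000_004, "203.0.113.7", "/login"),
    (1_700_000_005, "203.0.113.7", "/login"),
    (1_700_000_006, "203.0.113.7", "/login"),  # 6th hit in 60 s -> abusive
    (1_700_000_010, "2001:db8::1", "/login"),
]

WINDOW_SECONDS = 60      # assumed sliding window for counting requests
THRESHOLD = 5            # assumed: more than this many per window is abusive
RETENTION_SECONDS = 600  # assumed: how long any record, even a pseudonym, lives


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a normalised IP address.

    A plain hash of an IPv4 address can be reversed by enumerating the ~4
    billion possibilities; a keyed HMAC cannot without the key, and rotating
    the key makes pseudonyms from different periods unlinkable. The result is
    still personal data while the key exists, but far less intrusive than
    storing and retaining the raw address.
    """
    canonical = str(ipaddress.ip_address(ip))  # normalise, e.g. IPv6 spellings
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class RateDetector:
    """Sliding-window request counter keyed by whatever identifier it is given."""

    def __init__(self, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD,
                 retention: int = RETENTION_SECONDS) -> None:
        self.window = window
        self.threshold = threshold
        self.retention = retention
        self.events = defaultdict(deque)  # client_id -> timestamps in window

    def record(self, ts: int, client_id: str) -> bool:
        """Record one request; return True if the client is over the threshold."""
        q = self.events[client_id]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        return len(q) > self.threshold

    def purge(self, now: int) -> None:
        """Retention: drop every record older than the retention period."""
        for client_id in list(self.events):
            q = self.events[client_id]
            while q and now - q[0] > self.retention:
                q.popleft()
            if not q:
                del self.events[client_id]


def run(log, key: Optional[bytes] = None):
    """Replay the log; with a key, store only pseudonyms instead of raw IPs.

    Returns (set of flagged client identifiers, the detector with its store).
    """
    det = RateDetector()
    flagged = set()
    for ts, ip, _path in log:
        client_id = pseudonymize_ip(ip, key) if key else ip
        if det.record(ts, client_id):
            flagged.add(client_id)
    return flagged, det


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: generated and rotated, e.g. daily
    raw_flagged, _ = run(SAMPLE_LOG)
    pseud_flagged, det = run(SAMPLE_LOG, key)
    print("raw detector flagged:", raw_flagged)
    print("pseudonymised detector flagged:", pseud_flagged)
    det.purge(now=SAMPLE_LOG[-1][0] + RETENTION_SECONDS + 1)
    print("records left after retention purge:", len(det.events))
```

The pseudonymised run blocks the same client, so the raw address was never necessary for the purpose; what you lose is only the ability to look a client up by IP after the fact, which you should then justify separately if you need it (for example for incident response, with its own retention). Pseudonymised data is still personal data under the GDPR, so the LIA is still required; the point is that the balancing test becomes much easier to pass.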
You can proceed to the balancing test.
How to Conduct the Balancing Test?
The balancing test compares your interests to the interests of your users. You can only process users' personal data if you can demonstrate that your interests outweigh theirs.
In the case of processing for website security, you must demonstrate that your interest in keeping the website secure is not overridden by your users' privacy rights. Recital 49 of the GDPR explicitly recognises network and information security as a legitimate interest, which helps, but it does not replace the test.
Assume you process IP addresses to detect and block abusive traffic so that no client poses a threat to the website or to other users. IP addresses are personal data, so you must weigh the users' interest in not being tracked against the need for a secure site, and take into account how much data you keep, for how long, and whether users would expect it (most would expect a website to log connections for security).
The balancing test is not a one-size-fits-all procedure. Nobody can tell you in advance whether your interest outweighs your users' interests; it is a judgement you must make, and document, for each purpose. The written LIA is what you show a regulator if the decision is challenged.
The UK's Information Commissioner's Office (ICO) provides a useful starting point. According to the ICO, legitimate interests may be the most appropriate basis when:
- the processing is not required by law but is of a clear benefit to you or to others,
- the impact on your users' privacy is limited,
- users would reasonably expect you to use their data in that way, and
- you cannot, or do not want to, bother users with disruptive consent requests when they are unlikely to object to the processing.
What Are the Areas Where Legitimate Interests May Apply?
Legitimate interests can in principle apply to any purpose in any field. In practice, however, they are more commonly relied on in some areas than in others.
If you process personal data for fraud prevention, network and information security, or crime prevention, you are very likely to meet the standard: the GDPR's own recitals (47 and 49) name these purposes as examples of legitimate interests. You still have to carry out the three-part test and document it.
You may also be able to rely on legitimate interests for direct marketing, for the processing of staff and client data, and for intra-group data transfers for internal administrative purposes, but these cases are less clear-cut and depend on the outcome of the test.
Direct Marketing and Legitimate Interests
Personal data can be processed for direct marketing on the basis of legitimate interests in specific instances, but not in every case. You must still complete the three-part test and consider whether you can achieve your objective in a less intrusive way.
Many businesses mistakenly believe that every direct marketing activity is covered by legitimate interests. Recital 47 of the GDPR says that processing for direct marketing purposes "may be regarded as carried out for a legitimate interest"; it does not say that it always is.
Keep in mind, too, that the GDPR legal basis is only half the picture: the separate rules on electronic marketing (the ePrivacy Directive and national laws such as the UK's PECR) can require consent for unsolicited marketing emails or messages regardless of which GDPR basis you rely on.
Here are two examples that illustrate how to do this:
- You own an ecommerce store and want to reach new customers through influencers. You email influencers at the business contact addresses they publish for collaborations. This is likely to fall within legitimate interests: it is a one-off business proposal sent to an address published for exactly that purpose, the intrusion is minimal, and the influencer would reasonably expect such approaches. If the same influencers were added to a bulk mailing list, the answer could change.
- You offer loans to customers. You contact a customer who has fallen behind on payments to another bank and offer them a new loan. Because the new loan is likely to worsen their financial situation, and the customer would not expect their payment difficulties to be used to target them, this message does not appear to be in their interest and the balancing test is unlikely to come out in your favour.
When conducting the balancing test for marketing purposes, evaluate whether people would expect you to contact them in that manner, whether the messages could be seen as nuisance communications, and how frequently you would contact them.
It may be acceptable to contact prospects infrequently to offer something of genuine benefit. It does not follow that you can contact them regularly, even if they gave you their phone number or email address for another reason.
Employee and Client Data Processing and Legitimate Interests
As with direct marketing, you need to do the three-part test. There are situations where legitimate interests will cover processing of employee personal data, but it is often not the right basis to reach for first.
Where processing is necessary to perform the employment contract, for example to pay a salary, rely on performance of a contract as the legal basis rather than legitimate interests. Reserve legitimate interests for processing that the contract does not strictly require, and note that the imbalance of power between employer and employee makes the balancing test harder to pass (and makes consent an unreliable basis as well).
Intra-Group Data Transfers and Legitimate Interests
Companies in the same corporate group (under the same holding company) may share personal data with each other. In some situations, the sharing can be based on legitimate interests: Recital 48 of the GDPR recognises that controllers in a group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of client and employee data.
For example, if a subsidiary lacks an HR department, employee data may be sent to the parent company, where employment decisions are made. Such processing may be carried out on the basis of legitimate interests, subject to the three-part test, and, if the recipient is outside the EU/EEA, to the separate rules on international transfers.
The golden rule of legitimate interests processing is not to treat it as a default. If a more specific legal basis fits, such as performance of a contract or valid consent, use that one and you will be on the right side of the law.
If you conclude that legitimate interests are the right basis, make sure you follow the three-part test, document it, and confirm either that there is some benefit to the data subjects or that their rights and freedoms do not override your interest. Remember that users can object to processing based on legitimate interests, and in the case of direct marketing that objection is absolute.
The Secure Privacy solution gives you control over tracking. If you need to wait until the user opts in, it blocks cookies until valid consent has been obtained. Find the best plan for your organization and sign up now for a free trial.