June 9, 2022

How to Track Website Visitors Based on Your Legitimate Interests

Legitimate interests are one of the most widely misunderstood concepts in data protection. Many businesses rely on them to process users' data, but often they do it unlawfully and violate the GDPR or another applicable data privacy law.

You have probably heard other business owners say they rely on legitimate interests for their marketing, website, analytics, or some other purpose. Many of them even skip the cookie banner on the assumption that legitimate interests let them do so. Do not take that advice at face value. Legitimate interests are a slippery slope for online businesses: they can be stretched to fit almost anything, which is exactly why it is wiser not to lean on them. Business owners tend to assume that every business interest is a legitimate interest for user tracking, but that is not true. Very few business interests are legitimate interests that allow you to track visitors without their consent. This article walks you through how to think about it so you can make a wise and safe decision for your business.

Here you can read about:

  • What legitimate interests are
  • How to decide whether legitimate interests are a good fit for your processing purposes
  • How to conduct a necessity test
  • How to run a balancing test
  • Whether you can rely on legitimate interests for marketing purposes

These answers will show you how to track website visitors based on legitimate interests.

What is Legitimate Interest?

Legitimate interest is one of the legal bases for data processing under the GDPR (Article 6(1)(f)) and other data protection laws. You can rely on it when the processing is necessary for a legitimate interest of yours (or of a third party) and that interest is not overridden by the interests, rights and freedoms of your users, i.e., the data subjects, taking into account what those users reasonably expect.

It means that you can process users' personal data when:

  • You have a specific business interest,
  • The processing is necessary for that interest and does not unduly intrude on the rights and freedoms of the users, and
  • Users can reasonably expect to be tracked for that purpose.

The tricky part is how to make sure that you rely on legitimate interests without violating the law.

You cannot rely on legitimate interests by default. Treat them as a last-resort basis: only when you cannot rely on another basis, such as performance of a contract or consent, should you consider depending on legitimate interests.

How to Decide If your Business Interests Are Legitimate Interests for Personal Data Processing?

You need to conduct a Legitimate Interests Assessment (LIA). The LIA is made up of three parts: the purpose test, the necessity test, and the balancing test. Together they show whether you have a legitimate interest in the personal data processing or not.

The purpose test identifies what you want to achieve with the processing and why that is a legitimate interest.

The necessity test determines whether processing personal data is actually necessary to achieve that purpose, or whether a less intrusive way would do.

The balancing test determines whether your interest outweighs the interests, rights and freedoms of your users. It is a comparison between your side and theirs. When your interest prevails, you can go ahead with the processing. When it does not, you cannot rely on legitimate interests and must find another legal basis for the processing.

How to Conduct the Purpose Test?

You conduct the purpose test simply by identifying the purpose of the personal data processing. You need to know why you process the data and be able to state it plainly. The purpose test does not differ in any way from determining any other processing purpose.

How to Conduct the Necessity Test?

The necessity test is relatively simple. You need to ask yourself whether the processing of personal data is necessary for your purpose.

Ask yourself:

  • Is the processing of personal data necessary at all?
  • Can you fulfil the purpose without processing personal data?
  • Can you fulfil the purpose in another, less intrusive way (for example, with less data, or with data that is pseudonymised or kept for a shorter time)?

For example, if you want to process personal data because of website security concerns, you need to examine whether you can protect the website without processing personal data, or with less of it. If you find that such protection is possible and commercially reasonable, i.e., the cost will not put your company out of business, you should adopt that approach and refrain from the more intrusive processing.

If you determine that no such technology is good enough, or that it is so expensive that you could not run your business, the necessity test has shown that personal data processing is necessary for your purpose.

You can proceed to the balancing test.
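The "less intrusive way" question above is where engineering choices matter. Take the website-security case used throughout this article: brute-force and abuse detection needs to tell one source apart from another, but it does not need the raw IP address sitting in a log forever. The following is an added example (not code from the original article, and not part of any Secure Privacy product): it parses a few constructed access-log lines in Common Log Format, replaces each client IP with a keyed pseudonym (HMAC-SHA256 under a secret that you would rotate on a schedule), and counts failed logins per pseudonym. The secret key, the log lines, the threshold and the function names are all assumptions chosen for illustration; the addresses are reserved documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Assumed placeholder: a per-deployment secret, rotated on a schedule
# (for example daily). After rotation, old pseudonyms can no longer be
# linked to new ones, which bounds how long any one source is trackable.
SECRET_KEY = b"example-rotating-secret-not-for-production"

# Common Log Format: client IP, identity, user, [timestamp], "request",
# status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \d+$'
)

# Constructed sample access log, using only RFC 5737 / RFC 3849
# documentation addresses. Four failed logins come from 203.0.113.7.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2022:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [09/Jun/2022:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.2 - - [09/Jun/2022:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [09/Jun/2022:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
2001:db8::1 - - [09/Jun/2022:10:00:05 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.7 - - [09/Jun/2022:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.2 - - [09/Jun/2022:10:00:07 +0000] "GET / HTTP/1.1" 200 1024
"""


def pseudonymize_ip(ip: str, key: bytes = SECRET_KEY) -> str:
    """Replace an IP address with a keyed pseudonym.

    The address is normalised through the ipaddress module first, so that
    different spellings of the same IPv6 address yield the same pseudonym.
    HMAC-SHA256 under a secret key is used rather than a plain hash: the
    IPv4 space is small enough that an unkeyed hash can be reversed by
    brute force. The digest is truncated to 64 bits, which is still far
    more than enough to keep distinct sources distinct in a log.
    """
    canonical = str(ipaddress.ip_address(ip))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymized_records(log_text: str, key: bytes = SECRET_KEY) -> list:
    """Parse log lines and return records that carry only the pseudonym.

    The raw address is dropped at parse time, so nothing downstream (storage,
    dashboards, alerts) ever sees it.
    """
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        records.append({
            "src": pseudonymize_ip(m["ip"], key),
            "request": m["request"],
            "status": int(m["status"]),
        })
    return records


def failed_login_sources(log_text: str, threshold: int = 3,
                         key: bytes = SECRET_KEY) -> dict:
    """Return {pseudonym: failure_count} for sources at or above threshold."""
    failures = Counter(
        r["src"] for r in pseudonymized_records(log_text, key)
        if r["status"] == 401 and r["request"].startswith("POST /login")
    )
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in failed_login_sources(SAMPLE_LOG).items():
        print(f"source {src}: {n} failed logins")
```

Two caveats a practitioner should carry into the balancing test. First, a keyed pseudonym is still personal data under the GDPR for as long as the key (or the raw logs) exists, because the address can be re-attributed with that additional information; this approach reduces the intrusion, it does not remove the need for a legal basis. Second, the pseudonym lets you count and block an abusive source during the current key window, but it cannot be turned back into an address for, say, a takedown request without the key, so decide and document which of those capabilities your security purpose actually needs.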

How to Conduct the Balancing Test?

The balancing test compares your interest with the interests, rights and freedoms of your users. You can only process their personal data if you can show that your interest prevails.

In the case of processing for website security, you need to show that your business interest in having a secure website outweighs the privacy impact on your users.

For example, suppose you process IP addresses to keep your users safe and to stop any one user from endangering the website. In that case, you have to weigh the users' online privacy against the need for a secure website, and factor in how much data you keep, for how long, and whether users would expect it.

There is no one-size-fits-all in conducting the balancing test. No one can give you a straightforward answer whether your interests override users' interests. It is left to you to decide.

The UK's Information Commissioner's Office (ICO) gives an excellent framework to direct your thinking. According to the ICO, legitimate interests are likely to be appropriate when:

  • the processing is not required by law but is of a clear benefit to you or others,
  • the intrusion on your users' privacy is limited,
  • the users should reasonably expect you to use their data in that way, and
  • you cannot, or do not want to, bother users with disruptive consent requests when they are unlikely to object to the processing.

In What Areas Legitimate Interests May Apply

Legitimate interests may apply to processing for any purpose and in any area. In practice, however, they are more common in some areas than in others.

You are very likely to meet the requirements if you process personal data for fraud prevention, network and information security, or the prevention of crime; the GDPR itself, in Recitals 47 and 49, names these as examples of legitimate interests.

You are also likely to meet the requirements if you rely on legitimate interests for direct marketing, processing of employees' and clients' data, and intra-group data transfers.

Direct Marketing and Legitimate Interests

In some cases, you can process personal data for direct marketing based on legitimate interests. But not in all cases. You still need to do the three-part test and determine whether you can reach your goals by other means.

Many businesses are wrong to assume that every direct marketing effort falls under the legitimate interests basis. Recital 47 of the GDPR states that processing for direct marketing purposes may be regarded as carried out for a legitimate interest, but "may" is not "will".

Again, you need to conduct the three-part test before relying on legitimate interests.

Here are two examples to give you an idea of how to think about this:

  1. You run an ecommerce business and want to reach new customers through influencers. You use influencers' published email addresses to contact them. This is likely to fall under legitimate interests: there is no other practical way to reach them, and it is in their own interest to be contacted about cooperation.
  2. You provide loans to consumers. You contact a consumer who is behind on repayments to another bank and offer them a new loan. The new loan would worsen their financial situation, so this communication does not seem likely to fall under legitimate interests.

When conducting the balancing test for marketing purposes, also consider whether people would expect you to contact them in that way, whether your messages could be perceived as a nuisance by the recipient, and how often you send them.

It may be acceptable to contact prospects occasionally to offer a benefit. But you cannot message them regularly as if they had handed you their phone number or email address for that purpose.

One more check: a GDPR basis is not the whole story for electronic marketing. Under the ePrivacy rules (PECR in the UK), marketing emails and text messages to individuals generally require prior consent regardless of your GDPR basis, unless the narrow "soft opt-in" for existing customers applies. Legitimate interests under the GDPR do not override that requirement.

Employee and Client Data Processing and Legitimate Interests

As with direct marketing, you need to do the three-part test. There are, however, many situations in which you are likely to be able to rely on legitimate interests for processing employee personal data.

For most employee personal data, though, it is wiser to rely on performance of a contract as the legal basis. You have a contract with your employee, and to perform it, for example to pay their salary, you need to process their data. Reserve legitimate interests for processing the contract itself does not require.

Intra-Group Data Transfers and Legitimate Interests

Companies in the same group (under the same holding company) may share personal data with each other. In some situations, the sharing can be based on legitimate interests; Recital 48 of the GDPR expressly recognises a legitimate interest in transmitting personal data within a group of undertakings for internal administrative purposes, including clients' and employees' data.

For example, a subsidiary with no HR unit sends candidate data to the parent company, where hiring decisions are made. That processing may be conducted on the basis of legitimate interests, subject to the three-part test and, where the parent company is outside the EU/EEA, to the GDPR's international transfer rules as well.

Final Thoughts

The golden rule of processing based on legitimate interests is to use them only as a last resort. If you can rely on another legal basis, such as performance of a contract or consent, that puts you on the safe side of the law.

If you conclude that you need legitimate interests anyway, conduct the three-part test, make sure there is some benefit for the data subject, or at least that their rights and freedoms do not override yours, and keep a written record of the assessment. The GDPR's accountability principle means you may have to show a regulator how you reached your decision, and an LIA you cannot produce is an LIA you did not do.

Secure Privacy solution gives you control over the tracking. If you need to wait until the user opts in, it won’t let cookies out before obtaining valid consent. Find the best plan for your organization and sign up here for a free trial.
