How to Track Website Visitors Based on Your Legitimate Interests
Legitimate interests are one of the most widely misunderstood concepts in data protection. Many businesses rely on them to process users' data, but often they do it unlawfully and violate the GDPR or another applicable data privacy law.
One of the most commonly misunderstood topics in data protection is legitimate interests. Many businesses rely on them to process user data, but they frequently do so illegally, in violation of the GDPR or another applicable data privacy law.
You've probably heard other business owners mention how they leverage legitimate interests for marketing, website analytics, or other purposes. Many of them even avoid utilizing cookie banners because they believe they can rely on legitimate interests to use cookies anyway. However, this is simply not true. Legitimate interests can be a tricky issue for online businesses. They can fit anywhere, but it is advisable not to rely on them. Business owners often believe that any business interest is permissible for user tracking, but this is not the case. There are very few genuine business interests that could allow you to track visitors without their consent. This article will guide you how to track your website visitors based on your legitimate interests the correct and safe way.
Here you can read about:
- What legitimate interests are
- How to decide if legitimate interests are a good fit for your processing purposes
- How to conduct and necessity test
- How to run a balancing test
- Can you rely on legitimate interest for marketing purposes
What is Legitimate Interest?
Legitimate interest is one of the legal bases for data processing under the GDPR and other data protection laws. You can rely on them when your legitimate business interests outweigh your users', i.e., data subjects', rights and freedoms, while keeping in mind the users' reasonable expectations.
It means that you can process users' personal data when:
- You have a specific business interest
- Your interest does not hurt the rights and freedoms of the users, and
- Users can reasonably expect to be tracked due to your purposes.
The tricky part is how to make sure that you rely on legitimate interests without violating the law.
You cannot rely on legitimate interests by default. They are only used as a last option. When other basis, such as contract execution or consent, are unavailable, you should only consider relying on legitimate interests.
How to Decide If your Business Interests Are Legitimate Interests for Personal Data Processing?
You need to conduct a Legitimate Interests Assessment (LIA). The LIA is made of the purpose, necessity, and balancing tests. They will demonstrate whether or whether you have legitimate interests in the processing of personal data.
The purpose test determines what your purpose is in processing your users’ personal data.
The necessity test aims to determine whether personal data processing is necessary.
The balancing test determines whether your interests are vital enough to rely on them. This is a simple comparison between your and your users' interests. When your interests override theirs, you are good to go with the processing. When your interests do not outweigh the rights and freedoms of other users, you cannot rely on legitimate interests and must establish another legal basis for processing.
How to Conduct the Purpose Test?
You conduct the purpose test by simply identifying the purpose for personal data processing. You need to know why you process the data. The purpose test does not differ in any way from determining any other processing purpose.
Once you have determined the purposes of your processing, you can proceed to the necessity test.
How to Conduct the Necessity Test?
The necessity test is straightforward. You must consider whether the processing of personal data is required for your purpose.
Ask yourself:
- Is data processing necessary?
- Can you fulfill the processing purpose without processing personal data?
- Can you satisfy the processing purpose in another and less intrusive way?
For example, if you want to process personal data due to website security concerns, you need to examine whether you can protect it without personal data processing. If you discover that protection is feasible and commercially viable, i.e., the charges will not bankrupt your business, you should evaluate such technology and refrain from processing personal data.
If you find that the existing technology is insufficient or too expensive for your business, your necessity test has found that personal data processing is required for your purposes.
You can proceed to the balancing test.
How to Conduct the Balancing Test?
The balancing test compares your interests to the interests of your users. You can only process users' personal data if you can demonstrate that your interests outweigh theirs.
In the case of the processing due to website security, you must demonstrate that your business interest in having a secure website is more important than your users' privacy rights.
Assume you process IP addresses to guarantee that your users are safe and that no user poses a threat to the website. In that instance, you must decide if users' online privacy trumps the need for a safe website.
The balancing test is not a one-size-fits-all procedure. Nobody can tell you whether your interests are more important than the interests of other users. It is up to you to make your decision.
The UK's Information Commissioner's Office (ICO) provides an excellent foundation for you to consider. According to them, legitimate interests may be appropriate when:
- the processing is not required by law but is of a clear benefit to you or the users,
- The intrusion on your users' privacy is limited.
- The user should reasonably expect you to use their data in that way, and
- You cannot, or do not want to, bother users with disruptive consent requests when they are unlikely to object to the processing.
What Are the Areas Where Legitimate Interests May Apply?
Legitimate interest may apply for processing for any reason and in any field. However, practice indicates that they are more prevalent in some areas than others.
However, if you process personal data for the purposes of fraud prevention, network and information security, or crime prevention, you are extremely likely to meet the standards.
You are also likely to meet the standards if you depend on legitimate interests in direct marketing activities, data processing of staff and clients, and intra-group data transfers.
Direct Marketing and Legitimate Interests
Personal data can be processed based on legitimate interests in specific instances. But not in every case. You must still complete the three-part test to evaluate whether you can achieve your objectives through alternative ways.
Many businesses are mistaken when they believe that every direct marketing attempt is covered by the legitimate interest justification for processing. Recital 47 of the GDPR expressly specifies that direct marketing may come within this category, but this does not guarantee that it will.
Again, before relying on legitimate interests, you must use the three-part test.
Here are two examples that illustrate how to do this:
- You own an ecommerce store and want to reach out to new customers via influencers. You send emails to influencers using their email addresses. This is likely to fall within legitimate interests because you cannot approach influencers in any other way, and contacting them for collaboration is in their best interests.
- You offer loans to customers. You contact a customer who has fallen behind on their payments with another bank and offer them a new loan. Because the new loan will aggravate their financial circumstances, this message does not appear to be in their best interests.
When conducting the balance test for marketing purposes, evaluate whether people would anticipate you to contact them in that manner, whether the marketing efforts could be seen as nuisance communications from the other side, and how frequently you receive them.
It may be okay to contact prospects infrequently to offer benefits. You still can't do it on a regular basis, even if they gave you their phone number or email address.
Employee and Client Data Processing and Legitimate Interests
As with the case of direct marketing, you need to do the three-part test. However, there are many situations where it is likely that you can rely on legitimate interests for processing employee personal data.
In the case of employee personal data, it is wise to rely on the execution of a contract as a legal basis for processing. You have a contract with your employee, and to execute it, for example, to give them a salary, you need to process their data.
Intra-Group Data Transfers and Legitimate Interests
The data transfers between companies from the same group (same holding company) may share data with each other. In some situations, the sharing may occur based on legitimate interests.
For example, if a subsidiary firm lacks an HR department, the data is sent to the main company, where employment decisions are made. The processing will be carried out in accordance with legitimate interests.
Final Thoughts
The golden rule of legitimate interests processing is to employ it only as a last option. If you can rely on another legal basis, such as contract execution or permission, you will be on the right side of the law.
If you believe you must do it, make sure you follow the three-part criteria and confirm that there is some advantage to the data subject, or that their rights and freedoms do not outweigh yours.
Secure Privacy solution gives you control over the tracking. If you need to wait until the user opts in, it won’t let cookies out before obtaining valid consent.
Data Privacy and Responsible AI: A Guide for DPOs
Learn how to implement responsible AI while ensuring data privacy compliance. Discover practical strategies for Privacy by Design in AI systems, data minimization, and navigating privacy regulations. Essential reading for Data Protection Officers.
- Legal & News
Vietnam's Personal Data Protection Decree: Key Insights on Data Law
Explore Vietnam's new data privacy law, Decree 13/2023, which introduces strict regulations on personal data handling and cross-border transfers.
- Data Protection
Navigating Israel’s Data Protection Landscape: Key Compliance Insights for Businesses
Learn how Israel's Privacy Protection Law affects your business, including compliance requirements, data transfer rules, and key obligations.