User Consent vs. Legitimate Interest: Which Legal Basis Should You Use?

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 19 June 2025.

The GDPR only lets you process personal data for specific reasons. The most relevant for businesses involve either your "legitimate interests" or the consent of the person in question. You must identify the most appropriate "legal basis" whenever you process personal data. Here's what you need to know and do.

While the GDPR sets out many rights and responsibilities, it has an overriding principle: it's only lawful to process personal data when it's necessary for one of six reasons. (Process means handling data in any way, including collecting, using, sharing or deleting. Personal data is anything that relates to an identified or identifiable individual.)

The six reasons are as follows:

  • The person the data is about has consented to the processing.
  • The processing is necessary to perform a contract.
  • The processing is required by law.
  • The processing is necessary to protect somebody's vital interest.
  • The processing is necessary to act in the public interest.
  • The processing is necessary for legitimate interests.

Each of these reasons is known as a legal basis, also called a lawful basis. If you process data, or decide how somebody processes it on your behalf, you must be able to show which legal basis applies to any particular set of data processing.

As a business, the most appropriate basis will usually be legitimate interests if it applies, or consent if it does not. We'll go through both of those in detail in this guide, then quickly run through the other legal bases and why they won't usually apply to a business.

Legitimate Interests

The GDPR defines legitimate interests as follows:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Despite the name, "legitimate interests" doesn't involve any value judgment about your data processing. Instead, it means you are processing the data as part of your ordinary business activity that will benefit you in a specific way, and that the processing is necessary to achieve this benefit.

British Gas Energy Trust gives some examples of its legitimate interests:

A screenshot showing examples of legitimate interests from the British Gas Energy Trust website

Balancing Legitimate Interests and People's Rights

Whether your legitimate interests override the "interests or fundamental rights and freedoms" of the person the data is about will depend on several factors set out in the text of the GDPR and in its recitals (notes which explain the law's purpose). These include:

  • Why you originally collected the data (particularly if you now want to use it for a different reason).
  • What security safeguards you use.
  • The consequences of the processing for the person the data is about, including any risks and potential harm.

A useful rule of thumb, set out in the GDPR's recitals, is that legitimate interests should only outweigh somebody's data rights if they would reasonably have expected you to use their data in a particular way and for a particular reason.

For example, imagine you sold alcoholic goods online and a customer provided their date of birth to prove they were old enough to buy alcohol. Legitimate interests would likely cover you using that data internally to figure out if particular brands appealed to particular age groups, helping you choose what to include in an advertisement in a magazine with older readers. However, it would probably not cover you selling a list of customers aged over 50 to a funeral planning company.

Experian explains its use of the legitimate interests basis:

Experian webpage screenshot explaining its usage of the legitimate interests basis for data processing

Direct Marketing

The GDPR says direct marketing (to boost your sales) can count as a legitimate interest. However, other laws such as the ePrivacy Directive and specific rules on unsolicited emails and messages may require consent. In that case, consent may be a more suitable legal basis for the GDPR. Remember also that the GDPR gives people the right to specifically object to you using their data for direct marketing; if they do so, the legitimate interests basis cannot apply.

The Burden of Proof

As legitimate interests can be a gray area, the burden is on you to show why it applies in a particular situation. You must detail what your legitimate interests are, and why they apply, in your Privacy Policy.

Normative AB gives an example of a type of processing where legitimate interests is the legal basis:

Normative AB's privacy policy example depicting how legitimate interests is being used as a legal basis for data processing

The main exception to these principles is that processing for the following reasons will normally qualify as a legitimate interest by default:

  • To prevent fraud.
  • To secure your network or data.
  • To reveal threats to public security or possible criminal acts.

You must always be able to show that legitimate interests is the most appropriate legal basis in any particular situation. You cannot simply treat legitimate interests as a default that applies to all your data processing.

Sensitive Personal Data

The GDPR defines "special categories" of personal data, sometimes called "sensitive data", as follows:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation....

A business cannot use the legitimate interests basis to process any data in this category. You will need to use a different lawful basis.

Consent

The GDPR says the consent legal basis applies when "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". This option comes with several conditions and restrictions.

Purpose

Unlike legitimate interests, which can cover all relevant processing, consent works on a "purpose" basis. This means that you can't just get consent from somebody to process their data for one reason and then rely on this consent in all situations. The consent must cover a specific purpose or purposes.

You can have broad categories of purpose, for example having somebody consent to you using their data for analysis of customer buying patterns and then use this consent for similar projects later on. You can't use this consent to cover using the data for a clearly different reason such as sending promotional mailouts.

Nora Club Hotel & Spa makes clear that some data processing is necessary to complete the contract. It also asks for consent for a specific, optional purpose of processing. This consent would not cover processing for any other reason.

Nora Club Hotel and Spa website showcasing their consent request format for performing a specific data processing task

If you use the consent legal basis, you must be able to prove the person gave consent. You can't simply treat people as consenting unless they say otherwise. You'll need to have clear processes and keep records of people's consent.

You must ask for consent in an "intelligible and easily accessible form, using clear and plain language." You must not hide the request for consent among information about other topics. The person must give a clear indication of consent.

A key part of consent being meaningful, and thus valid, is that the person must have clear information about how and why you will use their data. A Privacy Policy is the best way to do this.

MSC R&D requires active and clear consent where the user ticks a clearly-marked box, having an opportunity to read a linked Privacy Policy for full details:

A demonstration of MSC R&D's consent request format with a clearly marked checkbox and a linked Privacy Policy

Other Restrictions

People have the right to withdraw their consent at any time, though this only affects future processing and not any processing you have already done. You must tell people about this right before they originally give consent, and you must make it as easy to withdraw consent as to give it in the first place. For example, if you let people give consent online, you can't insist they phone you to withdraw consent.

Admetrics explains the implications of withdrawing consent:

Extract from Admetrics' privacy policy explaining the implications of withdrawing consent

You must offer a meaningful choice about consent. This means you can't make it a contractual requirement to consent to data processing in order to get a product or service. (This rule doesn't apply if the processing is necessary to complete the contract, for example using somebody's postal address to mail out a product they bought online.)

Consent is normally only valid from people aged at least 16. For children aged under 16 you'll need the consent of their parent or guardian. (Individual European countries can set their own minimum age, though it must be between 13 and 16.)

The GDPR allows for four other legal bases.

Contractual Performance

This applies if your data processing is necessary to complete a contract with the person the data is about, or to follow their instructions before you enter into a contract. For example, the fact somebody has bought a particular book from your online store is personal data. The contractual performance basis covers you using this purchase data to send the book to the customer as there's no way you could fulfil your contract otherwise.

The contractual performance basis doesn't apply to you using the purchase data to show the customer personalized recommendations for books by the same author (which would likely come under legitimate interests) or including their name on a list of customers you share with the book's publishers (which would likely need to come under consent).

Legal Obligation

This applies if you have to carry out the processing to comply with a legal obligation that affects you. It won't necessarily apply if there's another way of complying with the legal obligation that doesn't involve the processing.

For a business, legal obligations might involve something like sharing customer data with the police if they have a search warrant.

Vital Interest

This applies if the processing is necessary to protect the vital interest of a person (which could be the person the data is about, or somebody else). "Vital interest" means somebody's life is at stake. The most common example is sharing somebody's medical details, such as allergies to drugs, when they require emergency treatment and cannot give the information themselves.

Public Interest

This isn't about whether the processing itself is "in the public interest". Instead, it means the processing is necessary to perform a task in the public interest such as law enforcement, preventing crime, journalism and public research. It's very rare this would cover processing by a business.

The GDPR says you must always use the most appropriate legal basis. None are considered more important or higher priority, so you need to consider the nature of the processing and the relationship between you and the person the data is about. Remember that the processing must always be necessary to achieve the relevant outcome.

As a business, you could use the following rules of thumb:

If the processing is necessary to comply with a legal obligation, protect somebody's vital interest, or (rarely for a business) complete a task in the public interest, the relevant basis is most appropriate.

If none of these apply, consider whether the processing is necessary to fulfil your contract with a customer (or supplier), and there's no other way to get the same outcome. If so, the contractual performance basis is the most appropriate.

If the contractual performance basis doesn't apply, consider whether the processing is necessary to achieve something that benefits your business (with no other way to achieve the same outcome), and this does not outweigh the person's data rights. If so, the legitimate interests basis is the most appropriate.

If no other bases apply, you will need to use the consent basis. This means you must gather meaningful, clear consent before any data processing, including collecting data. Remember the consent must cover a specific purpose or purposes. You will need to get fresh consent (or find another applicable legal basis) to use the data for any other purpose.

Summary

The GDPR says all personal data processing must be necessary for one of six legal bases. You must be able to identify a necessary basis for any specific processing; this should be the most appropriate basis if more than one could apply.

Three of the legal bases (legal obligation, vital interest and public interest) will rarely apply to businesses. A fourth, contractual performance, is relevant to businesses but will likely only cover a small element of your data processing.

In many cases, "legitimate interests" will be the most appropriate basis. This means that the processing is necessary as part of your business activity and this does not outweigh the privacy rights of the person the data is about. This balance often comes down to the question of whether the person would reasonably expect you to use their data for this particular type of processing.

If no other legal basis is appropriate, you'll need to use consent. This must be freely and clearly given by somebody who has the necessary detail to make a meaningful and informed choice. A clear Privacy Policy is vital for meeting this rule.