GDPR: Which is best, ‘Legitimate Interest’ or ‘Consent’?

‘GDPR’ can be a minefield. Nowhere is this more apparent than on the subject of marketing consent. Most firms will have a choice of either the legitimate interest route or consent. But which is best?

Let’s start by saying there are many different ways to obtain marketing permission under the General Data Protection Regulation (GDPR) and each one impacts the rights of your prospects/customers. The table below explains.

Lawful basis          Right to erasure   Right to portability   Right to object
Consent               Yes                Yes                    No*
Legitimate interests  Yes                No                     Yes
Contract              Yes                Yes                    No
Legal obligation      No                 No                     No
Vital interests       Yes                No                     No
Public task           No                 No                     Yes

* but with the right to withdraw consent

Most marketing executives will look at using either legitimate interest or consent (unambiguous or explicit). Let’s look at these in more detail.

Legitimate Interest

This requires you to prove the processing of a person’s data is necessary for your legitimate interests. It normally requires you to complete a Legitimate Interest Assessment where you detail the reasons why you believe you have the right to contact them.

It’s important this is documented and stored as evidence that you balanced the rights of individuals with your desire to contact them.

But as you can see from the table above, a person has the right to object, which would mean you can no longer contact them. In addition, it has not been made clear whether one person successfully objecting to your legitimate interest means that everyone in the same group can no longer be contacted. There could be a domino effect.

Also, if enough people challenge your legitimate interest and raise the issue with the Information Commissioner’s Office, you could be investigated and possibly fined.

An example of legitimate interest is contacting candidates on a job board. They may not have specifically given you consent to contact them, but uploading their CV suggests they are keen to hear about potential jobs.


Consent

Consent comes in two forms: unambiguous for most data and explicit for sensitive data. In both cases, the individual has given clear consent for you to process their personal data for a specific purpose (although they still have the right to withdraw consent at a later date).

An example would be a candidate registering with a recruitment agency on its website, giving their contact details and ticking a box that gives the agency permission to contact them.

Which is best for marketing?

I believe consent is the best route. This is less to do with GDPR and more to do with permission marketing. Even if GDPR was not being introduced I would still recommend getting marketing consent.

It has been proved several times that you will get a better response and more loyalty from people that have given you permission (consent) to send them marketing messages.

They are clearly interested in what you are selling and therefore less likely to complain about the volume of marketing, less likely to unsubscribe and more likely to recommend your company to friends. They are clearly worth investment.

By contrast, individuals you contact on the basis of legitimate interest have never given you permission, may not have heard of your company and you are guessing they want/need your product at that time.

Talking to many executives, it seems the guys in the Data Department favour legitimate interest, but experienced marketers see the value of consent.
