The Toilet Paper

Is that my legitimate interest or your legitimate interest?

Websites are allowed to collect user data without explicit consent, if they follow all the rules – but they often don’t.

Missionaries standing in a doorway, holding a gigantic privacy notice popup.
You can opt out any time you like, but you can never be left alone by those pesky popups

As a website owner .

The European Union’s General Data Protection Regulation (GDPR) states that personal data can only be processed for specific reasons. Most of these require explicit permission from the user, except for legitimate interest, which is defined as processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. This only requires that users have the right to object.

This sounds like a good idea in theory, but its implementation leaves a lot to be desired – mostly because it is very ambiguous and can be interpreted quite broadly. Another major issue is that it is, for all intents and purposes, not enforced by national regulators and courts. This allows legitimate interest to be exploited as a loophole for dubious data practices.

What the law says


Article 6 of the GDPR lists six potential legal grounds for the processing of personal data to be legitimate: consent of the data subject, performance of a contract with the data subject, compliance with a legal obligation imposed on the controller, protection of the vital interests of the data subject, performance of a task carried out in the public interest, or “legitimate interests” pursued by the data controller, subject to an additional balancing test against the data subject’s rights and interests.

Legitimate interest benefits data controllers as it gives them the ability to innovate and provide better services, and data subjects as it can help prevent consent fatigue or over-reliance on things like contracts.

At the same time, data controllers must be able to justify why they need to override the data subject’s interests and right to privacy. Legitimate interest comes with obligations for the data controller, who must:

  • perform a balancing decision as to whether data collection is justified;
  • inform users about the specific legitimate interests that are being pursued, and about the right to object to those interests;
  • pursue legitimate interests that are lawful, transparent, and make sense; and
  • clearly describe how the data is processed, in a way that is understood in the same way by everyone involved.

According to Article 25 of the GDPR, data controllers must implement appropriate technical and organisational measures which are designed to implement data protection principles and ensure that by default, only personal data which are necessary for each specific purpose of the processing are processed, i.e. data protection by design.

Content management platforms (CMPs) provide privacy notices that website owners can easily embed on their websites. These are supposed to enable streamlined compliance with all legal requirements, but in practice many employ deceptive design to entice data subjects to give up as much of their data as possible.

What websites do


An analysis of 10,000 websites from the Tranco top sites list identified 474 English-language websites containing the term “legitimate interest(s)” in their privacy notice. Out of these sites, 273 (58%) mention the term on the first page of their privacy notice, while 201 (42%) mention it only after one click (e.g. a “next” or “show purposes” button).

When privacy notices describe the purpose of legitimate interest, it is almost always for third-party vendors such as advertising partners – only a few mention that the service provider themselves collects the data for their own legitimate purposes.

The researchers found the following categories of deceptive design in privacy notices:

  1. The option to object to all legitimate interest-based purposes is often conspicuously absent. Instead, users must manually deselect all purposes per purpose or vendor, or click through several pages to access them.

  2. Complicating decision making by providing toggles that rely on both consent and legitimate interest for collecting data for the same purposes (which is illegal), or by making it difficult to object to legitimate interests, for instance by sending the user to a third-party website.

  3. The use of linguistic deceptive design, which includes not explaining what legitimate interest means in general, mentioning the term without providing a definition, or not mentioning whose legitimate interests the data processing would benefit.

  4. The use of positive framing when describing why users should accept data collection, which makes users pay less attention to negative aspects.

  5. Using legitimate interest for advertising purposes is arguably unlawful, yet many privacy notices disclose that they process data for this reason.

What users think


A survey was conducted among to better understand how users react to various data collection purposes.

In general, respondents understand that when data is collected for legitimate interest purposes, those are the legitimate interests of the service provider and third-party vendors. However, a non-negligible number of respondents (at least 16%) incorrectly believe that data is collected in the legitimate interests of themselves, other users, or society.

The survey tested eight legitimate interest purposes. Respondents feel most comfortable sharing data without their permission for “security and debugging” and “fraud and law enforcement”, while they feel least comfortable with “personalised ad delivery and measurement”. Users are also not very comfortable with “develop and improve products”, “archiving data”, “future innovations”, “analytics”, and “personalised content and measurement”, but do not view them as negatively.

When asked about purposes that are deemed essential, respondents agree that “functional, strictly necessary” is essential, but “sharing with third parties” and “UX improvement” are not.

User acceptance of data collection purposes is impacted most by whom the data collection purpose is believed to benefit. Users are more likely to accept the purpose if it benefits themselves, society, or other users.

Summary

  1. The ambiguity of “legitimate interest” and lack of enforcement from authorities cause it to be exploited by data collectors

  2. Privacy notices on large websites use deceptive design to entice data subjects to agree to have more of their data collected

  3. Not all users understand whose interest the data processing benefits