Understanding Legitimate Interest and Cookies in Online Business

In this article, we will explore the concept of legitimate interest and how it applies to the use of cookies in online business, providing insights into the legal requirements and practical considerations for website operators.

Legitimate Interest Cookies

If consent is required under the Cookie Law, you cannot rely on the full range of possible lawful grounds provided by the GDPR, as Cookie

What are legitimate interest cookies?

Legitimate interest cookies are cookies whose use relies on the legal basis of legitimate interest rather than on the user’s consent. Legitimate interests may include, but are not limited to, preventing fraud, enhancing website security, and improving the user experience.

Under the General Data Protection Regulation (GDPR), website operators are required to obtain user consent before collecting and processing personal data through cookies or other tracking technologies. However, if the use of cookies is necessary for the website operator’s legitimate interests and does not infringe on the user’s privacy rights, then the operator may use such cookies without obtaining the user’s consent.

It is important that you carefully assess your legitimate interests, ensure that your use of cookies is necessary and proportionate to achieve those interests, and provide clear information to users about the use of cookies on your website.

What counts as legitimate interest?

Determining what counts as legitimate interest requires a balancing act between the interests of the data controller and the privacy rights of the data subject. In general, legitimate interest may include:

  1. Fraud prevention and security: Protecting against fraud, malware, and other security risks.
  2. Direct marketing: Sending promotional or marketing communications to customers who have previously shown an interest in the product or service.
  3. Statistical analysis: Using aggregated data to generate insights about user behavior and trends.
  4. Improvement of products or services: Analyzing user behavior to improve product or service offerings.
  5. Personalization of user experience: Tailoring the user experience based on the user’s behavior or preferences.

Is consent the only legal basis for the use of cookies?

No, consent is not the only possible legal basis for the use of cookies.

Under the General Data Protection Regulation (GDPR), legitimate interest can also be a legal basis for the use of cookies, provided that the use of cookies is necessary for the legitimate interests of the website operator or a third party, and does not infringe on the privacy rights of the user.

If you’re setting cookies, you need to look at Cookie Law first and comply with its specific rules, before considering any of the general rules of the GDPR.

It’s worth remarking that in the following circumstances, the use of cookies is not subject to the user’s consent requirement:

  • for any technical storage or access, the sole purpose of which is to transmit a communication over an electronic communications network, or
  • if strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

That said, according to the ICO, the UK’s Data Protection Authority, certain “strictly necessary” cookies (essential to provide an online service at someone’s request) are unlikely to require consent. However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

Legitimate interest and consent are two legal bases under the General Data Protection Regulation (GDPR) for processing personal data. Legitimate interest refers to processing personal data when it is necessary for the legitimate interests pursued by the website operator or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject. Consent, on the other hand, refers to the user’s explicit agreement to the processing of their personal data, which must be freely given, specific, informed, and unambiguous.

When it comes to choosing between legitimate interest and consent, website operators should carefully assess their specific situation and determine which legal basis is appropriate. Legitimate interest may be appropriate when the processing of personal data is necessary for a specific purpose and the data subject’s interests do not override those of the website operator. However, consent may be required when processing personal data for certain purposes, such as marketing or tracking cookies.

👉 Regardless of which legal basis is chosen, it is important that you provide clear and transparent information to your users about the processing of their personal data, and that you ensure your users are able to exercise their rights under the GDPR, such as the right to access, rectify, or erase their personal data.

Do I need consent for analytics cookies?

Yes, consent to cookies is generally needed for analytics, unless the use of cookies falls under the legitimate interest of the website operator.

The General Data Protection Regulation (GDPR) requires that you obtain user consent before collecting and processing personal data through cookies or other tracking technologies. This includes the use of cookies for analytics, which involves collecting and analyzing data about user behavior on a website to improve the website’s performance and user experience.

However, there are some circumstances where the use of cookies for analytics may be considered as falling under the legitimate interest of the website operator. For example, if the website operator can demonstrate that the use of cookies for analytics is necessary for their legitimate interests, and that it does not infringe on the privacy rights of the user, then they may be able to rely on legitimate interest as a legal basis for processing personal data through cookies without obtaining user consent.

In some countries (e.g., Germany), analytics cookies could be based on a legitimate interest, but, in general, they are not exempted and, according to the ICO, always require consent.

Guidelines for cookie consent storage range from just a few months to 12 months. It’s important to check the guideline specific to the EU country that applies to you.

Anyway, according to the ICO, it depends on the purpose of the cookie. You need to ensure that your use of the cookie is:

  • proportionate in relation to your intended outcome; and
  • limited to what is necessary to achieve your purpose.

About us

iubenda

Cookie consent management for the ePrivacy, GDPR and CCPA

www.iubenda.com
