[lordlarm]

Without any precedent on concrete examples of what is legitimate and what is not, this clause in the GDPR is its biggest weakness.

If a company sells something online they only really need your address & name for delivery + credit card details. Then you could argue it is legitimate to use an email to create an account, fair enough. But without precedent it's so easy to just say 'in order to increase revenue (legitimate intrest) we're going to use all emails to send a newsletter, boosting sales'. And then you could use the 'Right to object' in the GDPR as a fallback for your actions.

I know of multiple companies where they prior to GDPR asked for explicit concent during signup for being allowed to send newsletters, but who post-GDPR dropped the concent and use 'Legitimate intrests' to justify it. Basically leaving the individual worse off.

[lwyr]

The legitimate interest has been around for a while. It was also a legal basis to process personal data under the 1995 Data Protection Directive which the GDPR replaced. If you are interested in learning more about the notion of legitimate interest and balancing it against the interests of individuals, there is a 2014 opinion from the body of EU data protection regulators that explains the concept with a number of examples. [1]

> If a company sells something online they only really need your address & name for delivery + credit card details.

That would likely be "necessary for the performance of a contract" which is also a legal basis to process personal data. [2]

> I know of multiple companies where they prior to GDPR asked for explicit concent during signup for being allowed to send newsletters, but who post-GDPR dropped the concent and use 'Legitimate intrests' to justify it. Basically leaving the individual worse off.

That could be a violation of the ePrivacy Directive which provides that email marketing requires consent. [3]

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...

[2] See Article 6.1(b) GDPR at https://eur-lex.europa.eu/eli/reg/2016/679/oj

[3] For information about how this rule is implemented in the UK, see: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...

[MatthewWilkes]

The PECR regulations specifically state that consent is the only basis for electronic marketing. The ICO guidelines also state that legitimate interest is fine for marketing, but not electronic marketing.

Anyone who dropped explicit consent for emails, text messages or phone calls is a fool.

[nroach]

Can you point to explicit guidance for this (legit. interest as insufficient for electronic mktg)? I'd love to see a reference as we're having this discussion internally.

[akvadrako]

> You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.

source: https://ico.org.uk/media/about-the-ico/consultations/2013551...

You only need consent when legit interests don't apply, so this is basically saying it isn't sufficient.

Also:

(47) … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

source: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

[MatthewWilkes]

Sure. I admit, I simplified things because hackernews can be a rather hostile environment on this topic. It's not that you can't use consent, it's (as you say) that legitimate interest is insufficient as most types of electronic marketing require consent and those where it is possible is made much harder to justify as a long-term strategy.

The PECR section on the ICO website is a good start: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...

Also, the ICO has an FAQ on exactly this at https://ico.org.uk/for-organisations/guide-to-the-general-da... . It is the question "Can we use legitimate interests for our marketing activities?". The whole thing is useful, but the bit below the yellow call-out is specifically about electronic marketing, and says:

"If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR." There's also a helpful table of possibilities below.

There's still the so-called 'soft opt-in', which is for cases where you're emailing someone that you've recently sold something to (or given a quote to) about a similar product or service and that you've given the explicit choice to refuse communications both when you collected the data and every time you've subsequently used it.

It's certainly possible to use legitimate interest for some forms of electronic marketing, but only in very specific circumstances. To give you an idea of it in practice, one of my clients has a marketplace style site. If you try and book a service but the booking falls through, for example because the service provider is unavailable, they'll email you within a couple of days if you don't look for someone new, pushing some suggestions. Then they'll stop emailing. That's legitimate interest through soft opt-in. They also send emails periodically about new service providers in your area, that is not covered by the soft opt-in so requires consent. Same for their general service newsletters.

There is also a PDF guide at https://ico.org.uk/media/1555/direct-marketing-guidance.pdf which has some good info. The header for the electronic marketing section is "General rule: only with consent", which I think is good advice. As others have said, there are other obligations under GDPR, so even if you can stretch the soft opt-in beyond what was intended, you're likely to run up against hurdles when it comes to the balancing test, or your data minimisation obligations. The soft opt-in is specifically for cases where a member of the public would expect to get communications because of the recent sale or enquiry, as time passes that expectation goes away and it starts to become very hard to justify in a GDPR context.

[donohoe]

After sitting in on more legal meetings than I care to recall, this isn't as weak as it sounds.

The big arguments you can make 'Well I need to collect lots of user data for ad targeting because it is a legitimate interest that I make money to support the costs of the site' have already been clarified (you can't without explicit consent).

The data authority in each EU country has some freedom to rule on this as necessary but they feedback from the EU is that they will err on the side of telling you to justify in string terms your need for data.

[cm2012]

The explicit consent being the pop-ups no one reads, I assume.

[matt4077]

No, actually. Even before GDPR, it was illegitimate to use a pre-checked checkbox, or any other process that required out-out from the user.

This requirement was generally respected–I actually don't remember a single instance of it not being followed by European organisations.

[blowski]

That is exactly the legal advice we received (UK online estate agent). My guess is that so many companies are doing this, it will end up in the UK Supreme Court (post-Brexit). Even if they rule against the companies, there will most likely be a moratorium on those currently failing to comply rather than 1000s of companies being fined.

[snowwolf]

I forget where I saw it, but I thought this was a good test of whether it is legitimate interest. It went something like:

"Would a 'reasonable' person be surprised if you told them about how you were using the data?"

[JoeAltmaier]

That scale slides around every day. And 'being surprised' and 'being happy' are very different things also.

I'd prefer to have hard limits. No collecting any info from my computer about me that aren't explicit in the interaction itself (asking for email is ok; scraping installed apps while doing that to gauge my interests is not)

[matthewmacleod]

“Reasonable person” tests are pretty common and well-understood in general. One of the reasons that the GDPR in particular avoids being overly prescriptive about how to meet its requirements is to avoid situations where it becomes inapplicable or obsolete due to changes in technology or habits.

[true_religion]

In the US, a reasonable person test is meaningless without a body of precedent setting cases.

If the language of a new law uses it with regards to a new technology, then no one can be sure what the courts will decide.

It may be different in the EU, as the legal system is quite different.

[usrusr]

It's a valid concern, but I don't think the line is as muddy as it seems at first glance: would I expect a Pyongyang hotel room to be bugged? No. But I also would not assume that it's not. With this construction you get two kinds of being surprised, with one taking all the variability derived from suspicions and the like while the other should remain quite stable. Just like most people were simultaneously surprised and not surprised at all by the Snowden revelations.

Obviously one would have to explicitly exclude from the "reasonable" test the kind of surprise that was not triggered by Snowden, because otherwise all our greatest fears would become legal by definition.

[isostatic]

And recording your IP address in the apache log?

[dmurray]

That's part of the "balancing test", which is one of the three tests mentioned in the article. It's definitely not sufficient to show your data processing fits the legitimate interest basis.

[TheRealPomax]

technically, they do not need your creditcard details. That's transient information that is only relevant at the time of purchase, as it needs to be forwarded to a financial institution to process the payment. Immediately after forwarding, the credit card information becomes entirely irrelevant (the financial institution's clearance or rejection is the ultimate goal here, to enable a transfer of funds).

And technically (at least in terms of "if it comes to litigation") your name is equally irrelevant: there is no reason to store it, there only needs to be an agreement on which label markings the buyer specifies are to be used. While the name is common, any sequence of letters or even emoji would work just fine, as long as the recipient can recognize the shipping label as being "theirs" rather than "we don't know who this package is for".

The only truly required information is the address, without which delivery cannot be made. That information will have to be stored for a longer period of time (as delivery is almost never an in-house affair), at which point it is subject to GDPR.

(But of course, in the real world, people typically consent to their information being stored in a profile locked behind some kind of login. Sometimes, though, once a case goes to trial, the real world becomes less important than the unrealistic ideal one based on requirements imposed by law)

[vertex-four]

Processing data, even ephemerally, is subject to GDPR. GDPR is not primarily about storage. The fact of the matter, though, is that most ephemerally-processed data is necessary to perform a contract, and thus legal under GDPR.

[antaviana]

I suppose the law probably is very easy to game because I remember receiving a letter via regular postal mail from one of the top utilities company in Spain that literally said "to comply with GDPR we will contact you for marketing purposes in _OUR LEGITIMATE INTEREST_. If you do not agree, contact us at this website."

Their turnover is 50B EUR so my understanding is that they earmarked some budget to check with a lawyer to ensure GDPR compliance.

Moral: ensure that your legitimate interest is to sell more and then you are fine.

[MatthewWilkes]

That's not gaming it, it's a feature. GDPR isn't designed to stop companies contacting you, it's designed to ensure companies have to think through what they're doing and have process for handling objections and problems. You have to do a "balancing check" to document your reasoning for why your legitimate interest is sufficient for what you're proposing to do.

[eli]

> I know of multiple companies where they prior to GDPR asked for explicit concent during signup for being allowed to send newsletters, but who post-GDPR dropped the concent and use 'Legitimate intrests' to justify it. Basically leaving the individual worse off.

Can you name names? Not saying I don't believe, it's just that this seems like a pretty nonsensical approach. If companies though that some pre-GDPR law required them to get consent than isn't that law still in force post-GDPR?

[josteink]

> in order to increase revenue (legitimate intrest)

Legitimate interests represents the legitimate interest of the customer not the company.

Maybe I’m naive, but I assumed that this much would be blatantly obvious.

[savanaly]

Advertisement like newsletters can be in the interest of the customer.

[jiveturkey]

you have very little understanding of GDPR and shouldn’t be posting. what you say companies are doing may be true, but it isn’t compliant.

[DanBC]

PECR is still in force.