GDPR Consent and the Legitimate Interest Alternative

The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. With it, email inboxes continue to be flooded with updated privacy policy notices for U.S. companies subject to GDPR, requesting that recipients renew consent for marketing communications.

Direct marketers that process the personal data of EU residents or are otherwise subject to GDPR must have a lawful basis to do so and bring their privacy policies into compliance.

In contrast to the U.S., opt-in consent under GDPR must be affirmative, unequivocal, specific, informed and freely given. Records must be retained to demonstrate consent, including who consented, when they consented, how they consented, what they were told at the time they provided consent and whether they have withdrawn consent.

Much like “prior written consent” in the TCPA context, GDPR consent cannot be bundled with other terms, individuals cannot be required to consent in order to take advantage of the products/services being offered and consent must be capable of being revoked at any time.

GDPR provides additional bases for processing information of EU residents, including, but not limited to, compliance with a contractual or legal obligation, and legitimate interests. The legitimate interest basis is a potential bonus for marketers with consent fatigue and may include processing personal information for targeted marketing purposes. However, depending upon the manner of direct marketing, the legitimate interest justification may be a risky proposition – one that necessarily involves balancing legitimate business needs and individual interests.

In terms of efforts to request renewed consent for marketing and data processing purposes, the UK Information Commissioner’s Office recently stated that “it may not be appropriate to seek fresh consent” if companies are uncertain how they obtained the data in the first place. In such circumstances, unless governed by an exception, companies may not possess legal grounds to contact the user.

With respect to consent, GDPR sets a high standard. It means offering people genuine choice and control over how their data is used. Relevant guidance sets forth how the ICO interprets GDPR, recommended approaches to compliance and good practice, when to rely on consent for processing and when to look at alternatives. It sets forth what qualifies as valid consent, and how to obtain and manage consent in a way that complies with GDPR.

Takeaway: GDPR sets a high standard for consent. An indication of consent must be unambiguous and involve a clear affirmative action. Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service. No pre-ticked opt-in boxes. Consent must be granular and for distinct processing operations. Records to demonstrate consent must be maintained. GDPR provides a specific right to withdraw consent. Individuals must be informed of their right to withdraw consent and offered a simple mechanism to withdraw it at any time. Review existing consents, related mechanisms and whether there is a need to obtain fresh consent. Private-sector organizations may be able to process personal data without consent if there exists a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.

Consult an experienced FTC defense lawyer to discuss GDPR guidance, including updating privacy policies and related disclosures.

Richard B. Newman is an advertising compliance and regulatory litigation defense attorney at Hinch Newman LLP.

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.
