“Under EU privacy law, we are used to thinking about “opt-in consent” as the ground normally used to legitimise the processing of personal data for marketing purposes. “Opt-out mechanisms” are instead an exception allowed only (i) for using email addresses already obtained by the data controller in the context of the sale of a product/service and (ii) for direct marketing of its own similar products or services, i.e. excluding direct marketing of third party’s products.
The General Data Protection Regulation (GDPR) apparently has strengthened this approach although it does not formally repeal the E-Privacy Directive, the latter will be soon amended to conform with it – otherwise a dual regime would make little sense. Personal data shall be processed on the basis of the consent of the data subject or some other legitimate basis including “legitimate interest”.” – Francesco Banterle, IPlens, July 12th 2016
In this article Francesco Banterle provides what we view as the best breakdown of legitimate interest on the web. It is perhaps the most contentious and confusing issue of the entire regulation particularly for us marketers.
In lieu of any official guidance, this article is immensely valuable and covers exactly what is and isn’t acceptable for marketers under the new regulations using scenarios and past legal cases. Well worth a read for anyone considering using legitimate interests as a basis for avoiding seeking consent.