What is it about?

Legitimate interest is one of the six legal grounds for collecting personal data under the GDPR. It is defined in Article 6(1)(f) as "processing (of data) that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party". Through a web crawl of 10,000 top sites' privacy notices, and a survey with 399 users, we identified how legitimate interests are being used in practice, and how users evaluate these practices. Our findings indicate that there is a lack of transparency in disclosing legitimate interests, often through the use of deceptive practices (at the UI and linguistic levels), and that users often disapprove of common legitimate interest practices. Based on our findings, we suggest several areas where legitimate interests are being taken advantage of, how to better incorporate Privacy by Design in the application of legitimate interests, and conclude that users should have a bigger role in data protection discussions.

Why is it important?

Legitimate interest is the broadest and most flexible legal ground for collecting and processing personal data under the GDPR, so legal scholars have highlighted its potential for misuse by data controllers. This legal ground is receiving a lot of attention from regulators and courts, but there is a lack of empirical work focusing on how legitimate interest is applied. We therefore provide one of the first studies investigating how legitimate interests are being used in practice, and present users' perspectives to understand how they evaluate these practices.

Read the Original

This page is a summary of: Investigating Deceptive Design in GDPR’s Legitimate Interest, April 2023, ACM (Association for Computing Machinery),
DOI: 10.1145/3544548.3580637.