What is the 3-Part Test for Legitimate Interests Under the GDPR?
Table of Contents
Giving your customers a better experience through personalized, targeted content is one of the best ways to increase conversion rates and loyalty with your customers. These tactics come with a cost though — you first need access to your customers’ personal data.
With more customers becoming savvy about their personal data and how to protect it, it’s harder than ever to encourage them to consent to data collection and processing. This means a lot of Shopify store owners rely on an alternative lawful basis — legitimate interests.
In this guide, we’ll explore what the legitimate interests basis covers, plus how to apply the 3-part test to see whether it’s a viable way for you to use customer data or not.
What Does Legitimate Interests Mean?
Under Article 6 of the General Data Protection Regulation (GDPR), six legal bases for data processing are outlined. Under these you’ll find the two most popular options — consent and legitimate interests. These are often favored because they’re the simplest ways to meet your legal obligations to collect, use, or store personal data.
Consent is often one of the easiest legal bases to prove, as you can demonstrate that someone has given explicit permission for you to collect or use data in a specific way. If you can’t gain consent, ‘legitimate interests’ is often people’s next best option.
Article 6 of the European Union's GDPR defines legitimate interests as the following:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
There’s a lot of flexibility here, which is often in your favor. This legal basis for processing allows you as the Shopify store owner to make an assessment on whether it applies to your specific purpose or not. You don’t require the permission of your website visitor or customer to act on it.
However, there is one disadvantage to this flexibility — you can never be totally certain about the ability to use this data into the future. That’s because data subjects or data protection authorities could challenge a legitimate interests assessment, which could result in regulatory action or fines. Still, if you follow the legitimate interest test and feel confident in your results, you should be on the right path.
What is A Legitimate Interest Test?
There’s no detailed roadmap on how to complete a legitimate interests assessment, but there is a handy tool that can help. The UK’s Information Commissioner's Office (ICO) has put together a three-part legitimate interest assessment that you can use.
The ICO’s recommended three-part test includes the following steps:
- Step 1: Identify a legitimate interest
- Step 2: Show that your processing is necessary to meet it
- Step 3: Balance the processing against data subject rights and freedoms
This three-part test is a great way to help you understand how the legitimate interests basis works, before exploring whether you can apply this lawful basis to your own specific use case or not. It helps simplify the experience and gets you a step closer to using that personal data for growth and customer service excellence.
How to Apply the 3-Part Test for Legitimate Interests
We know that the three-part test covers three separate stages, each designed to get you thinking more closely about data collection and what’s appropriate. Let’s explore how you apply the three-part test and what you need to consider when working out if you can rely on legitimate interests to collect and process data or not.
Step 1: Do I Have a Legitimate Interest for Processing This Personal Data?
In the first step, there are three main questions you need to answer. Let’s take a look at these questions in a little more detail.
1. What Are You Trying to Achieve?
You need to identify and explain each specific purpose for collecting, processing, and storing this data. Consider your goals and what you’re trying to achieve through this process as part of the purpose test.
For example, say you want to run targeted ad campaigns to show more relevant content to your audience. To add this functionality you’d need to collect some personal data, but this is arguably a legitimate reason for doing so — especially if you’re providing an enhanced customer shopping experience.
2. Who Benefits From This Processing Activity?
Think about who ultimately benefits from what you’re doing. Of course there’s naturally a benefit to you for holding customer data — it’s a valuable insight into your audience. If you can demonstrate value to others, then even better.
Take information security and fraud prevention, for example. If you collect device information, IP addresses, and login attempts, you’re able to help secure the accounts of your customers. This means they benefit from this data collection, and it’s a legitimate reason for holding this information.
3. Why Are Those Benefits Important?
You should also explain in detail how and why these benefits are so valuable. If there aren’t really any benefits, you could argue there’s no legitimate reason for you to collect, use, profile, or share personal data in that way.
Looking back at our previous examples, you could cite a customer survey that shows an overwhelming desire for more personalized content as a reason to pursue targeted advertising. From the fraud prevention angle, it’s hugely important to demonstrate a commitment to customer account security and safeguard where possible.
Step 2: Is the Processing Necessary for This Purpose?
In this step, you need to demonstrate that the processing of personal data is necessary to achieve the legitimate interest you defined in the first step. This necessity test is a key deciding factor that can help you figure out whether your reasons really are justified, or if there’s a better way to serve everyone’s interests without collecting further personal data.
If you discover the processing isn’t necessary, it doesn’t need to happen — you could find a better way to achieve your goal. Even if you find a need to collect and use personal data, this step should help you uncover the least intrusive way to do it.
Let’s take a look at our targeted advertising example again. You’ve demonstrated a valid purpose, and decided that the benefits mean it’s necessary to collect and process this information. You should still seek out the best way to make this happen. For example, you could consider whether contextual advertising that uses anonymized data would create a similar impact to targeted ads based on your shopper’s buying history.
Step 3: Do Individuals’ Interests and Rights Override Your Legitimate Interests?
This step requires you to weigh your legitimate interests against the risk and impact on the rights of individuals. It’s all about balance, and you should find a way to determine whether the benefits outweigh an individual’s personal concerns about data privacy or is in the public interest.
If it’s likely that individuals will face negative consequences as a result of your processing, it’s unlikely you could call that a legitimate interest. However, where anonymized data or unobtrusive cookies are concerned, there’s often a smaller impact on the freedoms of the individual.
In this stage, there are four main questions to consider. Let’s take a look at them in sequence.
1. Is It Reasonable To Expect That Personal Data Would Be Used This Purpose?
If you can show that processing personal data for a certain purpose falls within reasonable expectations, you can easily pass this step. Using a customer’s email address to send them shipping updates is a simple example that passes this test.
As another example, using data on clothing sizes from previous purchases to suggest the best fit for an item is a reasonable way of using this information. Not only is it a great way to make the most of the data you hold, but it’s really useful for your customer too.
2. What Is Your Relationship With the Individual?
You need to look at what your relationship is with the data subject and how this could affect the balance. If you have a pre-existing relationship, certain data processing is more reasonable than if they were a total stranger.
For example, someone that’s an existing customer or has spent a certain amount of time browsing your website is a more relevant audience to serve targeted ads to than someone that lands on your website for the first time.
3. What Is The Potential Impact On Individuals?
Next, decide whether the data is sensitive or not. Personal information like names, shipping addresses, religious beliefs, gender, and phone numbers could all be considered to be sensitive. You should be more careful with data in special categories like this, and consider your users’ rights in great detail.
If you can take mitigating measures such as encrypting data, determining clear data retention periods, and limiting the number of users who can see customer data, the effect on individuals will be minimal — tipping the balancing test in your favor.
4. Can Individuals Object To The Processing Of Their Data Or Opt-Out?
Giving people choices is always a good idea. Take cookie consent banners for example — the ones that offer people the opportunity to personalize their experience are highly welcomed.
If you can give individuals a similar choice when it comes to the processing of their personal data, you’re more likely to win this balance test. Simple ways to do this include giving people a way to opt out of data processing, to adjust their preferences at any time, or to reverse any decisions made.
Case Study: Using Legitimate Interests for a Targeted Ad Campaign
Let’s run through a case study example, based on European Data Protection Board’s guidelines on the targeting of social media users. Imagine that you decided to run targeted ads on Facebook, tailored to a specific customer segment that may be interested in the products you sell in your Shopify store.
Here’s how to run through the three-part legitimate interests test.
Step 1: Identify a Legitimate Interest
You have an economic interest in targeting relevant customers with ads tailored to them. The social media service provider also has a financial interest in allowing you to reach the most relevant customers, as you’re more likely to invest further in their ads product.
You can also argue that targeted ads benefit social media users because they get to learn about products and services that may be of interest to them, or even reap the benefits of discounts and promotions. They’ll also see fewer generic ads, which can become frustrating if they’re completely outside their interests and hobbies.
Step 2: Is Processing Necessary?
In this step, you can show that targeted ads have a high return on investment (ROI) and are a more effective way to increase conversion rates than other, more obtrusive strategies like cold calling or direct marketing.
Compare targeted ads with other marketing channels and provide details and evidence about why you feel targeted ads are necessary, and why it’s a way better option than the alternatives. Highlight benefits for your customers too, so you can show that you’re considering them in your decision.
Step 3: Do Individuals’ Rights Override the Legitimate Interest?
Consider any impact on individuals and their rights or wants, and look for ways to minimize that impact as much as possible.
Firstly, if social media users have the right to opt out of targeted ads, then this will tip the balance in your favor. Secondly, you should consider other ways to make the impact more reasonable — like any methods of anonymizing data or grouping it together to make it less identifiable.
Here you can also reference credible studies that demonstrate that most social media users expect to be exposed to targeted ads, and any insights you’ve found that suggest they prefer relevant, personalized content over generic content.
Simplify Your Decisions With the Three-Part Test for Legitimate Interests
Using the legitimate interests basis can be a huge relief. You don’t need to worry about proving absolute consent, which can scare lots of people away from collecting and using personal data. While you don’t need to gain consent, you still need to show that you’ve considered the impact of your decision and whether it’s truly reasonable or not.
Use this guide and the three-part legitimate interests test to help guide your decision. Consider your goals, the benefits of collecting the data, any negative impacts, and whether you’ve chosen the best way to do this. Once you’re satisfied with your outcome, you can turn that data collection idea into reality and start using customer data respectfully to create a better experience for everyone.
Nicola Scoon
Nicola is a freelance content writer for HR tech & SaaS. She's written for Polly, Zapier, Pyn & more and is passionate about remote work, employee wellbeing & productivity.