Four little letters. One massive headache.

From opting in every customer we have ever engaged with, to now taking a more relaxed approach. What was once perceived as Marketing Armageddon, now appears to encourage a blasé response.


Because we all have a ‘legitimate interest’ with our customers. Or, at least, that’s what we keep telling ourselves.

And here lies the problem.

We have used the legitimate interest as the default, rather than the goal to aim for.

As time has gone on, the ICO has tried to give more clarity. As well as go for the big boys. Unfortunately for them, they didn’t catch Facebook on the right side of the 25 May 2018.

However, as with these things, the execution of such change is problematic.
GDPR works alongside the PECR legislation (Privacy and Electronic Communication Regulations), which despite the grey areas of GDPR, are very explicit about obtaining consent.

Hence the confusion and misinterpretations.

Under GDPR, many have defaulted to the ‘legitimate interest’ position as they’re more concerned about their marketing database numbers. Rather than having something people want (a previous rant of mine).

In doing so, we have left ourselves open.

The ICO strikes back

The problem with the legitimate interest stance is that it must be in favour of the customer. Now, this may seem obvious, but we all know this isn’t actually what’s happened.

At face value, it’s all about the customer, in reality, we’re more concerned about having the numbers for next week’s newsletter.

We have fitted a square peg into a round hole and smashed it in with Thor’s hammer (I re-watched Endgame the other day. Amazing film.).

The ICO knows this is the case. They know what we have done and why we have done it. In fact, their latest blog is their warning shot. Here’s an excerpt:

“For instance, we have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient.

“Furthermore, the Data Protection Impact Assessments we have seen have been generally immature, lack of appropriate detail and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual. We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient.”

(Source: ICO)

“…. justification is insufficient…”

“…generally immature…”

“…. lack of appropriate detail…”

This isn’t about whether we can send an email. It’s EVERYTHING.

All comms. All tracking cookies. All direct marketing. Including biddable media. It’s not just GDPR, it’s the PECR regs too.

Illegitimate, legitimate interest

It’s not that we can’t use legitimate interest. Of course, we can. It’s a legal position.

What this is about is ensuring we have the PROOF to justify this stance. Not what we THINK is a legitimate interest. The type of legitimate interest that says:

“Our customers enjoy reading and engaging with our content, accompanied by banner ads showcasing our latest offers while they browse online.”

We all know this is bollocks.

We must accept the fact that arguing legitimate interest for customers, means it’s NOT in our interests. The evidenced-based balancing test should be in their favour. Period.

The truth is, from a business perspective, it’s difficult to prove a legitimate interest. Far easier to have explicit consent.

This will lead to smaller marketing databases and less data for profiling operations. But, at least those that are left might actually be interested in what we have to offer.

Who knows, they may even make a purchase!

Our actual target

The default response of legitimate interest, in my opinion, is due to us going off tangent. We need to refocus our attention.

Vanity metrics mean nothing.

Having a database of leads is useless if those customers don’t buy. A sale pays the bills. Click-through rates don’t. We need to keep it in perspective. These types of metrics are a guide for campaign performance. They’re not the target.

There are many ways of gaining permission. And Legitimising, legitimate interest. Ideas on how to do so I’ve covered in a previous blog.

Check the paperwork

Irrespective of the ICO now playing catch-up, the fact they’re doing it, should be a wake-up call.

People are vigilant. Adtech is being questioned. Facebook and Google are now seen as untrustworthy. Digital marketing is coming under a lot of scrutiny for many different reasons.

A smaller marketing database will be the least of our troubles if the ICO discover we have insufficient audits and systems.

If you take anything from this blog, check you have the evidence to support the lawful basis on which you have decided.

Having had the experience of mitigating the impact of an ICO investigation, trust me, it’s not worth the risk. 


Since writing this blog, Google is now planning to move all UK accounts out of the European jurisdiction.

When your entire business model is selling data, you’re going to do everything you can to protect it.

So, all of this may not even matter in a few months…watch this space.

Share your thoughts

What do you think of the latest blog from the ICO? How have you justified legitimate interest? Do you agree Endgame is the best MCU film to date? Let me know in the comments below, send me a tweet @CJPanteny, or get in touch.

And if you liked this blog, don’t forget to share it on your socials and bask in its ranty goodness.

See you next time.


  1. It depends on whether we can justify the stance we’ve taken. It has to be seen in favour of the individual. Treating data privacy as a transaction, is the best approach. Give something of value, in return for the exchange.

    With upcoming changes in iOS, there’s going to be even more focus on this. The thinking around why someone would give consent, will result in that transactional thinking – what’s in it for them?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: