Legitimate interests vs consent: which legal basis do you actually need?

GDPR requires that every time you process someone's personal data, you must have a lawful basis for doing so. There are six lawful bases in total, but two come up constantly in online business contexts: consent and legitimate interests. Choosing the wrong one — or applying legitimate interests where consent is required — is one of the most frequently cited compliance failures in regulatory enforcement actions.

Consent under GDPR is defined far more strictly than the word implies in everyday usage. For consent to be valid, it must be:

  • Freely given — the individual must have a genuine choice. Consent bundled into terms of service, or made a condition of service, is not valid.
  • Specific — blanket consent for all marketing is insufficient. Consent for email newsletters is separate from consent for SMS messages.
  • Informed — the person must understand what they are consenting to, who will process their data, and for what purpose.
  • Unambiguous — it must be given by a clear affirmative action. Pre-ticked boxes are explicitly prohibited.
  • Withdrawable — individuals must be able to withdraw consent as easily as they gave it, at any time.

Consent is the right basis for: sending marketing emails, setting non-essential cookies, and any processing that goes beyond what is strictly necessary to deliver the contracted service.

What are legitimate interests?

The legitimate interests basis allows you to process personal data without consent when you have a genuine, proportionate business reason to do so and that reason is not overridden by the individual's interests or rights. Before relying on it, you must carry out a three-part test: identify the legitimate interest you are pursuing; confirm that the processing is necessary to achieve it; and balance your interest against the individual's reasonable expectations.

Legitimate interests is the right basis for: fraud prevention, network security, maintaining records for legal purposes, direct marketing to existing customers about similar products (with an easy opt-out), and certain internal analytics.

Which basis applies to common online business activities?

Here are the most common processing activities online businesses perform and the correct lawful basis for each:

  • Processing a purchase order — Contract. You need the data to fulfil the contract.
  • Sending transactional emails (receipts, course access, password resets) — Contract.
  • Sending promotional newsletters — Consent. Always.
  • Non-essential website analytics (Google Analytics, Clarity, Hotjar) — Consent. These tools set cookies and process behavioural data beyond what is necessary for the site to function.
  • Storing customer records for legal and tax purposes — Legal obligation.
  • Fraud detection and platform security — Legitimate interests.
  • Sending marketing to past customers about similar services — Legitimate interests (with opt-out clearly provided).

If you are unsure which basis applies, the rule of thumb is this: if the individual would be surprised or uncomfortable to learn you were processing their data for this purpose, consent is probably required. If the processing is something a reasonable person would expect as part of doing business with you, legitimate interests or contract is likely the right basis.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.