Understanding Legitimate Interests Under UK GDPR in Adtech Models

Updated 1 week, 6 days ago | Legal consulting | Victoria Hayes | 9 min read

The General Data Protection Regulation (GDPR) has had a profound impact on the data-driven advertising industry, known as adtech. One of the most complex areas of GDPR compliance in adtech models is the concept of legitimate interests. Under UK GDPR, businesses can process personal data based on legitimate interests, but this legal basis requires a careful balancing of interests between the data controller and the data subject.

In this article, we will explore how legitimate interests under UK GDPR apply to adtech models, how businesses can ensure compliance, and the challenges they face in balancing business needs with privacy concerns. As digital advertising continues to evolve, understanding the legal framework for processing personal data is more crucial than ever for adtech companies.

What Are Legitimate Interests Under UK GDPR?

Under UK GDPR, legitimate interests represent one of the six lawful bases for processing personal data. Article 6(1)(f) of the UK GDPR states that data processing is lawful if it is necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

For businesses in the adtech industry, this lawful basis can be a useful tool for processing personal data, particularly when consent is difficult to obtain or impractical to collect. However, the use of legitimate interests requires a careful assessment to ensure that the processing does not infringe upon individuals' privacy rights.

How Legitimate Interests Relate to Adtech

In adtech, data processing activities include collecting, storing, and analyzing consumer data for targeted advertising, behavioral tracking, and profiling. Given the vast amounts of personal data used in these processes, businesses in the adtech space often seek to rely on legitimate interests as a lawful basis for processing data.

Legitimate interests allow adtech companies to process personal data to improve user experiences, enhance advertising effectiveness, and create business value through personalized advertising. However, this must be balanced with the obligation to protect users' privacy and adhere to GDPR principles such as transparency, fairness, and accountability.

The Legitimate Interests Assessment (LIA)

To use legitimate interests as a lawful basis for processing personal data under UK GDPR, businesses must conduct a Legitimate Interests Assessment (LIA). This is a structured process that helps determine whether the processing is justified by legitimate business interests and whether those interests override the privacy rights of individuals.

The LIA consists of three key steps:

1. Identify the Legitimate Interest

The first step in the LIA is identifying the legitimate interest that justifies the processing of personal data. For adtech companies, this could include legitimate business purposes such as:

  • Improving advertising effectiveness

  • Enhancing user experience through personalization

  • Monitoring and optimizing advertising campaigns

  • Preventing fraud or abuse

2. Necessity Test

The second step is to assess whether the processing of personal data is necessary to achieve the legitimate interest. This test examines whether the same goal could be achieved using less intrusive methods or less personal data. In adtech, this often involves evaluating whether the use of personal data is the most effective means of achieving the desired outcome, or whether anonymized or aggregated data could suffice.

3. Balancing Test

Finally, businesses must conduct a balancing test, weighing the legitimate interest against the potential impact on individuals' privacy rights. This involves considering how intrusive the processing is, the potential risks to data subjects, and the safeguards in place to mitigate those risks. In the context of adtech, businesses must assess the extent to which the data processing may affect individuals' rights, such as their right to privacy or their right to object to data processing.

If the interests of the data subject outweigh the legitimate interests of the controller, the processing cannot proceed under legitimate interests. This requires careful consideration, especially in adtech, where data subjects may not always be fully aware of how their data is used for targeted advertising.

Practical Examples of Legitimate Interests in Adtech

The use of legitimate interests in adtech models is common, but it is important to apply this legal basis in a compliant manner. Here are some practical examples of how legitimate interests might apply in adtech:

1. Targeted Advertising

Adtech companies often rely on personal data to create user profiles and serve personalized ads. This processing can be justified under legitimate interests if it is necessary for the business to effectively reach its target audience. However, the data subjects' interests must be considered, and platforms should provide opt-out options for users to control their data.

2. Fraud Prevention

Adtech platforms may process personal data to detect and prevent fraud or abuse on their networks. This could involve monitoring patterns of behavior to identify fraudulent activity or malicious actors. Since fraud prevention is a legitimate interest in protecting both users and businesses, it is typically considered an acceptable use of personal data.

3. Improving User Experience

Adtech companies can use personal data to personalize user experiences, such as customizing content, recommendations, or advertisements based on previous interactions. This type of data processing is usually permissible under legitimate interests, as long as the data is not overly intrusive and users can opt out or control their data preferences.

Risks and Challenges in Using Legitimate Interests in Adtech

While legitimate interests offer a flexible and valuable legal basis for processing personal data, there are several risks and challenges that businesses in the adtech industry must consider. Failure to comply with the principles of the UK GDPR can lead to significant penalties, including fines and reputational damage.

1. Increased Scrutiny

The use of legitimate interests is subject to increased scrutiny by data protection authorities (DPAs). Regulators, including the Information Commissioner’s Office (ICO) in the UK, are closely monitoring how businesses use this legal basis, particularly in adtech. If businesses fail to demonstrate that their processing is necessary and that they have conducted a proper LIA, they may face regulatory action.

2. Consumer Trust and Transparency

Consumers are increasingly concerned about how their data is used for advertising purposes. Even when processing is lawful under legitimate interests, businesses must be transparent about their data practices. Clear privacy notices, user consent mechanisms, and easy-to-understand opt-out options are essential to maintaining consumer trust.

3. Difficulty in Balancing Interests

The balancing test in the LIA can be difficult to navigate, especially in adtech where there is a delicate balance between business objectives and privacy concerns. As the adtech landscape continues to evolve, businesses must continuously assess the impact of their data practices on individuals' privacy rights and ensure that they have implemented adequate safeguards to protect user data.

4. Third-Party Data Sharing

Adtech companies often rely on third-party data processors to deliver advertising services. When using legitimate interests, businesses must ensure that their contracts with third-party vendors include appropriate data protection clauses. Additionally, data sharing agreements must ensure that third parties also comply with the GDPR and respect individuals' rights.

Steps to Ensure Compliance with Legitimate Interests in Adtech Models

To avoid legal pitfalls, adtech companies must take proactive steps to ensure that their use of legitimate interests complies with the UK GDPR. These steps include:

1. Conduct a Legitimate Interests Assessment (LIA)

Before processing personal data based on legitimate interests, adtech businesses must conduct a thorough LIA. This assessment should be documented and include a clear justification for the processing, a necessity test, and a balancing test to ensure that the interests of the data subject are respected.

2. Provide Clear and Transparent Privacy Notices

Adtech companies must be transparent about how they process personal data. Privacy notices should clearly explain the legal basis for processing, the types of personal data collected, and how data will be used. Users should be informed of their right to object to the processing of their data and how they can exercise that right.

3. Implement Opt-Out Mechanisms

While legitimate interests allow businesses to process personal data without consent, individuals must still have the right to object to processing. Adtech companies should provide easy-to-use opt-out mechanisms that allow users to control how their data is used for advertising purposes.

4. Review and Update Data Processing Activities

As adtech models evolve and new technologies emerge, businesses should regularly review their data processing activities to ensure that they remain compliant with the UK GDPR. This includes revisiting their LIA and privacy policies to account for changes in data processing practices or shifts in the regulatory environment.

Conclusion

The use of legitimate interests under UK GDPR is a complex but important aspect of adtech models. Adtech companies must carefully assess their data processing activities to ensure that they comply with the legal requirements while balancing the legitimate interests of businesses with the privacy rights of consumers. By conducting thorough LIAs, maintaining transparency with users, and implementing effective opt-out mechanisms, businesses can mitigate risks and stay on the right side of the law.

As data privacy regulations continue to evolve, adtech companies will need to remain vigilant and adaptable, ensuring that their advertising models respect users' privacy while enabling businesses to thrive in an increasingly digital landscape. Understanding and applying legitimate interests appropriately is a crucial step in navigating this ever-changing regulatory environment.
