How do “consent” and “legitimate interest” differ in practice?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you send marketing emails, you're almost certainly relying on one of these two lawful bases. Here's the practical difference between them.
Consent means the person has actively agreed to receive marketing from you. They opted in through a form, checked an unchecked box, or took some clear affirmative action. The upside: it's the clearest basis and hardest to challenge. The downside: once they withdraw consent, you have to stop. And you need to be able to prove they consented, which means timestamped records with the source and the exact wording they agreed to.
Legitimate interest means you've determined that your interest in sending the communication outweighs the individual's privacy rights, and you've documented that assessment. The upside: it doesn't expire the way consent can, and you don't need an opt-in for every person. The downside: it requires a Legitimate Interest Assessment (LIA), it doesn't override the right to object, and it's under more scrutiny in consumer contexts. It works better for B2B outreach than B2C marketing.
In practice: for consumer newsletters and marketing campaigns, consent is the safer choice. For B2B prospecting or existing customer communications, legitimate interest can work if you've done the LIA properly.
One common mistake: using legitimate interest because you can't get consent. Regulators have rejected this reasoning. Legitimate interest requires a genuine assessment of competing interests, not a workaround for bad consent rates.
See the full list of GDPR lawful bases for context, and how the legitimate interest balancing test works if you're going that route.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.