A Basic Privacy Laws Comparison


Customer data is the lifeblood of a company’s marketing strategy. But while marketing departments want to collect as much data as they can and use it forever, local privacy laws often won’t allow this. Companies must remain within strict guidelines. But even within these guidelines, marketing experts might find their new best friend: legitimate interest.

The legal term “legitimate interest” appears only in the EU’s privacy law, the GDPR. However, the concept is present in several other prominent regulations.

Quick Recap of the GDPR

The GDPR lists six acceptable reasons to process a customer’s personal data:

  1. The customer has given explicit consent. Consent cannot be assumed—it must always be clearly given.
  2. The personal data is necessary to meet obligations the customer has agreed to.
  3. The company needs the personal data to meet their own legal obligations. For example, a company that sells specialty alcohol will need to have enough personal data to know their customers are all of legal drinking age.
  4. The personal data is necessary to protect the customers’ vital interests. This principle largely applies only to saving someone’s life and will likely not surface outside of the medical field.
  5. The company needs the personal data for the public interest or to exercise some legal authority. Companies can retain and process personal data to support democratic engagement, carry out a governmental function, or administer justice.
  6. The company can prove legitimate interest. If the company can prove that a customer has shown genuine interest in something, and that processing the data for this purpose doesn’t infringe on the customer’s privacy or violate their rights, they’re allowed to process the data.


Unlike the GDPR, California’s privacy law doesn’t have a list of acceptable reasons to retain or process customer data. However, the CCPA (California Consumer Privacy Act) still places restrictions on businesses’ usage of the data in question.

  • If the company wants to use customer data in a for-profit manner, they must obtain explicit consent.
  • Customers may request that the company not sell their personal data, and the company is required to comply.
  • If a customer chooses to opt out, the company requires their explicit permission to sell and/or disclose their personal information.


CASL, the Canadian Anti-Spam Law, is far simpler than either the CCPA or the GDPR. CASL is primarily concerned with blocking spam or malware-ridden emails. In practical terms, the law focuses on making sure companies restrict their email marketing to a specific window of time. A consumer who isn't interested in a company's products can simply not reply to its emails and wait for the company's permission to expire.

CASL lists two circumstances under which companies may send marketing emails to consumers:

  • Implied consent. A customer requesting more information about a product or service implicitly knows the company retains their information for marketing purposes. The company may market to them for up to 6 months. If the customer actually makes a purchase, the period of implied consent extends to 2 years.
  • Explicit consent. A customer that subscribes to an email chain or signs up for marketing updates is directly asking to be contacted. This explicit consent is valid until the customer asks to be removed.

Legitimate Interest

All three privacy laws contain some concept of legitimate interest even if the term itself doesn’t appear. And for our purposes, this principle is the most important. The European Commission defines legitimate interest in this way:

“Your company/organisation has a legitimate interest when the processing takes place within a client relationship, when it processes personal data for direct marketing purposes, to prevent fraud or to ensure the network and information security of your IT systems.”

Conventional marketing measures would say that making a purchase or taking advantage of an offer demonstrates a legitimate interest in being contacted frequently, and for a long time. But a detailed understanding of most relevant legislation shows that’s not the case. Privacy laws are concerned with the customers’ interests above all else—and most customers don’t want to be contacted forever.

Expanding Privacy Awareness

The three privacy laws discussed above are the most famous and influential, but they’re far from the only ones. Virginia passed its own privacy law recently, as did Brazil. Large-scale businesses with customers around the globe have felt the effects of increasingly restrictive privacy legislation. Legitimate interest, while not exactly a loophole, allows you to continue your marketing efforts without breaking local privacy laws or annoying your customers.

Are you using legitimate interest correctly in your marketing strategy? Get in touch to start improving today.

This blog post is an excerpt from our white paper “Reinventing CTAs in a Privacy-Conscious World”. Download and read the full white paper here.