Better Sharing Lawful Groundwork
Consent vs. Legitimate Interest—and When You Need Which One
If your platform processes user-supplied contact data, you need a legal basis for doing so. This isn’t just a formality—it’s a fundamental requirement under privacy laws worldwide, and choosing the wrong basis can expose your business to significant legal and reputational risks.
Consent isn’t just polite—it’s often mandatory. But legitimate interest might sometimes be enough in specific circumstances, if you tread carefully and meet certain criteria.
This article breaks down which legal bases apply when building contact-powered features, and how to select the right one for your specific situation to ensure compliance while still achieving your product goals.
Built on Core Privacy Principles
This article connects to concepts from:
How to Handle Contacts Without Breaking Privacy Laws
Key supporting reads:
- The Consent Playbook – Structuring and collecting permission
- Your App, Their Data – Platform responsibility for contacts
- Privacy UX – Transparency-driven design for consent flows
The Six Lawful Bases Under GDPR
Under GDPR (and similar laws), you can only process personal data if you have one of these six bases:
| Basis | Description | Examples |
|---|---|---|
| Consent | The individual has given clear permission for you to process their personal data for a specific purpose | User explicitly agrees to contact upload with a checkbox |
| Contract | The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract | Necessary to fulfill a contract (rare for referrals) |
| Legal obligation | The processing is necessary for you to comply with the law | Required by law (e.g., tax reporting—not relevant for contact features) |
| Vital interests | The processing is necessary to protect someone’s life | Protecting someone’s life (not applicable for contact features) |
| Public task | The processing is necessary for you to perform a task in the public interest or for your official functions | Official authority or task in public interest (not applicable for contact features) |
| Legitimate interest | The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests | Business purpose that benefits users, balanced with privacy rights |
In reality, only two bases are typically relevant for contact integrations:
- Consent: Explicit permission from the user
- Legitimate Interest: Business purpose balanced against privacy rights
The other four bases rarely apply to contact-powered features in typical business applications.
When You Must Use Consent
Consent is the safest—and often required—option when:
- Processing third-party contacts (who didn’t sign up for your service)
- Sending marketing invites to non-users
- Offering rewards for bringing in friends (financial incentives)
- Storing contact data beyond the immediate matching or invitation process
- Creating social graphs or relationship maps from contact data
Requirements for valid consent under GDPR:
- Freely given: Users must have a genuine choice and control, with no penalty for refusing
- Specific: Consent must be granular for different types of processing
- Informed: Users must understand what they’re agreeing to
- Unambiguous: Requires a clear affirmative action (not pre-ticked boxes or silence)
- Easily withdrawable: Users must be able to withdraw consent as easily as they gave it
Best practice:
Always use explicit consent (e.g., checkbox) before importing or matching contacts. This provides the clearest legal basis and builds user trust through transparency.
For detailed guidance on implementing effective consent mechanisms, see: The Consent Playbook
When You Might Rely on Legitimate Interest
Legitimate interest can apply only if:
- You’re matching contacts without sending messages
- You minimize data use (collecting only what’s necessary)
- You store the data for a limited time
- You provide clear information about the processing
- You balance your platform’s interest against the data subject’s rights
You must conduct a Legitimate Interest Assessment (LIA), which includes:
- Identify the interest: Clearly articulate the legitimate interest (e.g., making it easier for users to connect with people they know)
- Show necessity: Demonstrate there is no less intrusive way to achieve the same purpose
- Balance the impact: Assess and document how the processing affects the data subject, showing that your interest is not overridden by their rights and freedoms
Pro tip:
You should not rely on legitimate interest if:
- You’re sending unsolicited messages (this typically requires consent)
- You’re offering rewards tied to invites (financial incentives usually require explicit consent)
- You can’t easily let contacts opt out (data subjects must be able to object to processing)
- The processing would be unexpected or intrusive to the contact
For more on the distinction between facilitating connections and marketing, see: Friends Aren’t Leads
Real-World Example: When Legitimate Interest Failed
In the Twoo case, a social network allowed users to import contacts and automatically sent invitations without full transparency.
The Belgian Data Protection Authority investigated and ruled that:
- Legitimate interest did not apply for sending invitation emails
- Prior consent was required for this type of processing
- Failure to properly inform contacts about the source of their data breached GDPR
- The platform’s approach to contact importing lacked transparency
Outcome: The company faced fines, corrective orders, and significant reputational damage. They were required to change their practices and implement proper consent mechanisms. (Source)
Lesson: When in doubt, get consent. The cost of implementing proper consent flows is far less than the potential penalties and brand damage from getting it wrong.
Common Mistakes in Choosing a Legal Basis
| Mistake | Why It’s a Problem | Better Approach |
|---|---|---|
| Relying on general Terms of Service for contact processing | General agreement to TOS does not constitute specific, informed consent | Implement separate, clear consent for contact processing |
| Assuming legitimate interest covers messaging | Messaging usually triggers marketing rules requiring consent | Get explicit consent before sending any messages to non-users |
| Using pre-checked boxes | Pre-checked boxes are explicitly invalid under GDPR | Use unchecked boxes that require affirmative action |
| Not offering opt-out for matched contacts | Violates data subject rights to object to processing | Provide clear, easy-to-use opt-out mechanisms |
| Bundling consent for multiple purposes | Consent must be granular and specific to each purpose | Separate consent for different processing activities |
| Failing to document your legal basis | You must be able to demonstrate compliance | Keep records of your legal basis assessment and implementation |
Best Practices for Lawful Processing
| Feature | Best Approach | Why This Works |
|---|---|---|
| Contact import | Explicit consent with opt-in checkbox | Clearly establishes user permission and meets GDPR requirements |
| Matching contacts without messaging | Possible under legitimate interest, with documented LIA | Can be justified if properly balanced and minimized |
| Messaging non-users | Only with prior consent | Avoids triggering anti-spam laws and respects privacy |
| Retaining contacts | Only as long as necessary for matching or sending invites | Complies with data minimization and storage limitation principles |
| Opt-out mechanisms | Mandatory for both matching and messaging workflows | Respects data subject rights and builds trust |
| Documentation | Record your legal basis assessment | Demonstrates compliance if questioned by regulators |
For more on minimizing data collection and retention, see: Minimize Contact Exposure
How Other Laws Handle Legal Basis
| Law | Jurisdiction | Approach to Legal Basis | Key Requirements |
|---|---|---|---|
| GDPR | EU/UK | Consent or legitimate interest, strict balancing required | Explicit consent for most contact processing; legitimate interest requires documented assessment |
| CPRA | California | Disclosure and opt-out for sharing personal information | Must disclose sharing practices and honor opt-out requests |
| CASL | Canada | Express consent required for any commercial electronic message | Strict consent requirements for electronic messages; limited exceptions |
| CAN-SPAM | USA | No consent needed for one-time messaging, but opt-out required | Must honor opt-outs and include specific disclosures in messages |
| LGPD | Brazil | Consent or legitimate interest; rights to access and deletion | Similar to GDPR, requires legal basis and respects data subject rights |
Different jurisdictions have varying requirements, so your approach may need to be tailored to where your users are located. For a more comprehensive analysis of global privacy laws, see: What Other Privacy Laws Say About Contact Sharing
Summary: When in Doubt, Get Consent
Use consent if:
- You’re sending invites or messages to non-users
- You’re offering rewards or incentives for referrals
- You’re matching contacts visibly to users
- You’re storing contact data beyond immediate use
- You operate globally and need to comply with multiple laws
Legitimate interest is viable only if:
- You’re matching quietly without messaging
- You minimize data collection and retention
- You can demonstrate no significant impact on the data subject
- You’ve conducted and documented a proper assessment
Without a clear legal basis, your contact-powered features could trigger regulatory audits, financial penalties, and lasting reputational damage. Investing in proper legal compliance from the start is far more cost-effective than addressing issues after they arise.
Up Next
Next, we’ll dive into how to structure your consent flows so they actually meet legal standards while maintaining a positive user experience.
Read The Consent Playbook
Or revisit your data controller obligations:
Your App, Their Data