This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
GDPR doesn't require consent for every use of personal data, it requires a lawful basis, and legitimate interest is a genuinely valid one for a lot of ordinary AI-assisted business activity. The instinct to add a consent checkbox to everything, out of caution, often creates unnecessary friction for a use case that legitimate interest already covers properly.
In short: GDPR offers several lawful bases for processing personal data, consent and legitimate interest are the two most relevant for ordinary AI use. Legitimate interest requires a genuine interest, necessity, and a documented balancing test showing the processing doesn't override the person's own rights and expectations. It doesn't require an opt-in checkbox, but it does require you to actually do and record the assessment, not just assume it applies.
The plain-English answer
Whether you need consent or can rely on legitimate interest depends on the specific processing, not on the fact that AI is involved. An AI tool recommending products a customer might like, based on what they've already bought from you, is a reasonable candidate for legitimate interest, it's a natural extension of an existing customer relationship, not a surprising new use of their data. An AI tool that profiles customers for a purpose they wouldn't reasonably expect, or that processes sensitive categories of data, is a much harder case to justify under legitimate interest, and often needs consent instead.
Why this matters for your business
A 10-person retail business adding AI-driven product recommendations is exactly the kind of ordinary commercial use case that GDPR's legitimate interest basis was designed to accommodate, but a lot of businesses either default to consent everywhere out of caution, adding friction that doesn't need to exist, or assume legitimate interest applies without actually doing the required assessment, which is its own compliance gap.
Getting this right matters commercially, not just legally. An unnecessary consent checkbox on an ordinary product recommendation feature can measurably hurt conversion for something the customer would likely welcome anyway, while skipping the legitimate interest assessment entirely, even when the conclusion would have been fine, leaves you with no documented basis if a regulator or the customer themselves ever asks why their data was processed this way.
What GDPR actually requires
The European Data Protection Board's Guidelines 1/2024 on legitimate interest set out a three-part test. First, is there a genuine legitimate interest being pursued, commercial interests like personalising a service to an existing customer generally qualify. Second, is the processing actually necessary for that interest, not just convenient, if a less intrusive method would achieve the same goal, legitimate interest is harder to justify. Third, and most substantively, a balancing test: do the person's own rights, freedoms, and reasonable expectations outweigh your interest in the processing. The EDPB guidance points to factors like the nature of the existing relationship with the person and whether they'd reasonably expect this kind of processing given that relationship.
Consent works differently, and is the right basis where the processing genuinely needs the person's active, informed agreement, marketing to someone with no existing relationship to you, or processing that a reasonable person wouldn't expect from the context. Consent under GDPR also has to be a real, specific, opt-in choice, not a pre-ticked box or a buried default, which is part of why it's a heavier mechanism to rely on for routine processing than legitimate interest, when legitimate interest genuinely applies.
What this looks like in practice
Picture the marketing manager rolling out the AI recommendation tool, initially planning to add a consent checkbox to be safe. Working through the three-part test instead: the legitimate interest is genuine, offering a customer more relevant products is a normal part of running a retail business. The processing is necessary, the recommendation feature can't work without looking at purchase history. And the balancing test favours the business, a customer who's already bought from you would reasonably expect product suggestions based on that history, this isn't a surprising or invasive use of their data.
The outcome is a documented legitimate interest assessment, kept on file, rather than a consent checkbox that would have added friction to a feature most customers would find genuinely useful anyway. If the business later wanted to use the same purchase history to sell that data to a third party, a very different use case, the same test would very likely come out the other way, and consent would be the right call instead.
What you can do about it
A practical way to decide, and document, the right basis for an AI feature:
- Write down the specific interest the processing serves, and check it's genuine and not just a business convenience dressed up as necessity.
- Confirm the processing is actually necessary for that purpose, not simply the easiest option available.
- Run the balancing test explicitly: would the person reasonably expect this, given their relationship with your business, and does your interest outweigh any risk or intrusion to them.
- Document the assessment, even briefly, this is what a regulator or the person themselves would expect to see if ever asked.
- Default to consent instead when the relationship is thin, the use is unexpected, or sensitive data is involved, don't force legitimate interest onto a use case it doesn't genuinely fit.
If the AI tool also makes or influences a decision that significantly affects a specific person, beyond a product recommendation, it may also need a GDPR Data Protection Impact Assessment. See our guide on when a DPIA is required for an AI system.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Tool Selector to get a personalised AI tool recommendation for your business.
Can I just rely on legitimate interest for everything to avoid consent friction?
No, legitimate interest only applies where the three-part test is genuinely satisfied, it's not a default fallback to avoid asking for consent. Using it where it doesn't actually fit, sensitive data, an unexpected use, no real prior relationship, is its own compliance risk, not a shortcut.
Do I need to tell customers I'm relying on legitimate interest?
Yes, your privacy notice should identify the lawful basis for each type of processing, including legitimate interest where it applies, and give the person the ability to object to processing based on it. Transparency is part of what makes legitimate interest a legitimate basis in the first place.
Does the balancing test need to be redone for every customer, or just once per feature?
Once per processing activity or feature is the practical approach, assessed against a reasonable average customer in that relationship, not individually for each person. If the feature or the data involved changes materially, revisit the assessment rather than assuming the original one still holds.
What if a customer objects to processing based on legitimate interest?
They have the right to object, and unless you can demonstrate compelling legitimate grounds that override their interests, you need to stop the processing for them specifically. Have a clear, working process for handling this, not just a theoretical right on paper.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Wondering if the same AI tool also needs a Data Protection Impact Assessment?
Check the DPIA requirement