
What Data Needs a User’s Consent?


When legitimate interest is not enough under GDPR

Not all data processing under GDPR requires consent. Sometimes you can rely on legitimate interest, performance of a contract, or even a legal obligation.

But in certain cases, consent is absolutely mandatory. No shortcuts. No creative excuses.

Knowing when you must ask for consent is critical for compliance, and for maintaining user trust.


📋 When is consent required?

You need valid, informed, and freely given consent when you:

  • Collect or process special categories of personal data (sensitive data)
  • Track users for behavioral advertising (e.g., cookies, retargeting pixels)
  • Collect and process children’s personal data
  • Use biometric data (e.g., fingerprints, facial recognition)
  • Offer users email subscriptions (newsletters, promotions)
  • Track users across websites or apps (analytics beyond strictly necessary cookies)

⚠️ Special categories of personal data

Some types of data are extra sensitive under GDPR. If you handle any of these, consent is not optional:

  • Health data
  • Genetic data
  • Biometric data (when used for identification)
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Sex life or sexual orientation

Collecting this data without proper consent can lead to some of the heaviest GDPR fines.


🛑 Where legitimate interest is not enough

You cannot rely on "legitimate interest" if:

  • You track users online for advertising purposes
  • You collect sensitive data without an explicit reason and user agreement
  • You profile users based on behavior or interests
  • You use non-essential cookies (marketing, tracking)

In these cases, you must get consent first.


💬 Real-world examples

  • Allowed without consent: Sending an invoice to a customer who made a purchase (contract basis)

  • Consent required: Adding that customer to your newsletter list (opt-in only)

  • Allowed without consent: Saving strictly necessary cookies (for shopping carts or login)

  • Consent required: Loading tracking pixels or analytics cookies (unless fully anonymized)


🤔 Why it matters

Asking for consent when needed is not just a legal checkbox. It shows that you respect people's control over their data. It builds trust, and trust is a currency you cannot afford to lose.


How ToolHive helps

ToolHive helps you keep track of what data you collect, how you collect it, and why. With clear categories and tool documentation, you can easily see when consent is required and avoid risky assumptions.

Start building your compliance foundation the right way, based on clarity, not guesswork.


Want to map your tools, vendors, and data flows with consent in mind? Start your free trial with ToolHive today.