"legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...
You are required to inform the affected users, however.
Legitimate interest of the user, not yours. Rule of thumb, if its not a legal requirement, you need consent.
That’s not true. From the law as written:
> legitimate interests pursued by the controller or by a third party…
There are six lawful bases for processing, consent is only one of them.
"legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...