Legitimate Interest Justifications for TCF Special Purposes

 

Special Purpose 1 - Ensure security, prevent and detect fraud, and fix errors 

Legitimate Interest Assessment (LIA)
A. Purpose Test
The processing is necessary to:

  • Identify invalid traffic or bot activity

  • Prevent ad fraud (click fraud, impression fraud)

  • Debug failures and ensure service uptime

  • Comply with industry standards for security and fraud prevention

These activities are essential for maintaining a safe and functioning digital advertising ecosystem.

B. Necessity Test
We cannot reliably prevent fraud or security breaches without:

  • Logging and analysing technical request-level data

  • Differentiating legitimate traffic from harmful traffic

  • Investigating abnormal behaviour

Only minimal data required to detect anomalies is processed, and it is retained only for operational periods.

C. Balancing Test
Impact on users is low because:

  • The data used is non-sensitive technical metadata

  • Data is used only for fraud/security purposes, never for advertising or profiling

  • Processing is short-term and subject to strict access controls

  • Users reasonably expect fraud prevention in online services

We conclude that processing does not override user rights, especially given strong safeguards.

 Safeguards

  • Data minimization (e.g., truncate IP where feasible)

  • Strict retention time (e.g., 7–30 days)

  • Pseudonymization, hashing and encryption where possible

  • No enrichment or combination with marketing data

  • Strict role-based access control

  • Security monitoring and auditing

Outcome
Legitimate Interest is appropriate and proportionate. The processing is essential for platform security and has minimal privacy impact.

Legal Basis
Legitimate Interest (GDPR Art. 6(1)(f)) — ensuring the security and proper functioning of our digital services.


Special Purpose 2 - Deliver and present advertising and content

Legitimate Interest Assessment (LIA)
A. Purpose Test
The processing is necessary to:

  • Respond to ad requests

  • Ensure ads are displayed properly in a user’s browser/app

  • Comply with the TCF operational requirements

Without this processing, content delivery would not function.

B. Necessity Test
Minimal technical data is required:

  • Device information (e.g., screen size)

  • Browser capability (e.g., supported formats)

  • Network type/performance

This is the least intrusive approach to ensure operational delivery.

C. Balancing Test
Risks are low because:

  • This processing is operational, not behavioural

  • Does not create user profiles

  • Data is ephemeral and short-lived

  • Users reasonably expect that requested content must be technically delivered

 Safeguards

  • No reuse of data for profiling or tracking

  • No cross-site linking or enrichment

  • Very short retention (often milliseconds to minutes)

  • Technical controls preventing secondary use

Outcome
Processing is proportionate and necessary. Legitimate Interest is suitable and balanced against user rights.

Legal Basis
Legitimate Interest (GDPR Art. 6(1)(f)) — delivering content or ads requested by users through their interaction with a digital property.

Special Purpose 3 - Save and communicate privacy choices

Legitimate Interest Assessment (LIA)
A. Purpose Test
The processing is necessary to:

  • Respond to ad requests

  • Ensure ads are displayed properly in a user’s browser/app

  • Comply with the TCF operational requirements

  • Verify information about the consent choices and/or status

  • Retrieve and/or pass on consent signals in the appropriate technical formats

  • Communicate with Consent Management Platform if managing consent

Without this processing, content delivery would not function.

B. Necessity Test
Minimal technical data is required:

  • Device information

  • Browser capability (e.g., supported formats)

  • Network type/performance

This is the least intrusive approach to ensure operational delivery.

C. Balancing Test
Risks are low because:

  • This processing is operational, not behavioural

  • Does not create user profiles

  • Users reasonably expect that requested content must be technically delivered and consent preference managed

 Safeguards

  • No reuse of data for profiling

  • No cross-site linking or enrichment

  • Technical controls preventing secondary use

  • Pseudonymization, hashing and encryption where possible

Outcome
Processing is proportionate and necessary. Legitimate Interest is suitable and balanced against user rights.

Legal Basis
Legitimate Interest (GDPR Art. 6(1)(f)) — enabling clients to understand the performance of their marketing and services by reconciling data they already lawfully possess.