This site has some of the clearest explanations I've been able to find. I am not a lawyer and not qualified to give legal advice. But essentially, you need to choose a legal basis for data collection and then clearly explain and be able to justify that position. Everyone right now is trying to avoid falling under the consent category by claiming 'Legitimate Interest', but we'll see soon how well that works out. The ability to opt out in some ways may go against your claim that it's required as part of providing the service, because to use legitimate interest you're saying there is no reasonable other way to accomplish your goals, and that those goals are in the interest of your customer. Context matters; for example, in advertising data collection it makes sense because you could say tracking a user's interests can provide them with a better experience - showing more relevant ads. A user can opt out of this personalization aspect, but other aspects are still collecting personal data under legitimate interest - for example a device-id so you can limit/track how many ads have been shown. Another interesting example I read was of a pizza company: do they have a legitimate interest claim to store/process your name, address, phone, location etc.? Absolutely; they're not going to require your opt-in consent because it's required to do what you want them to do - deliver a pizza. But that doesn't mean that they can keep that information, store it, pass it around the world, sell it to people, or use it for pretty much any other purpose. The basis only applies to the specific event of ordering that pizza.