GDPR Lawful Basis Legitimate Interest: What It Actually Means and How to Use It
Your marketing team just told you they're sending cold emails to a purchased list and citing "legitimate interest" as the lawful basis. Your DPO is on vacation. What do you actually need to check before Monday?
Understanding the GDPR lawful basis of legitimate interest - and its limits - is the difference between a defensible outreach program and a six-figure fine. Let's break it down.
Quick Answer
Legitimate interest is one of six GDPR lawful bases under Article 6(1)(f). To rely on it, you must pass a three-part test - purpose, necessity, balancing - and document it in a Legitimate Interest Assessment (LIA). It's not a default and it's not a loophole. The EDPB's 2024 draft guidelines tightened the methodology, and for electronic marketing, ePrivacy rules usually require consent on top of GDPR anyway.
What Is Legitimate Interest Under Article 6(1)(f)?
Article 6(1)(f) allows processing when it's "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
It's the most flexible lawful basis. It's also the most abused.
The three-part test traces back to the CJEU's Rigas case (C-13/16, 4 May 2017), which made clear that controllers can't just declare an interest "legitimate" and move on. You need to prove purpose, necessity, and a balance against the data subject's rights. The r/gdpr subreddit is full of people confused by cookie banners that toggle "legitimate interest" on by default for dozens of vendors - and that confusion is warranted. Cookie-banner abuse isn't what Article 6(1)(f) was designed for.
The Three-Part Test

Every claim under this lawful basis must pass three cumulative tests. Fail one, and the whole thing collapses.
Purpose Test

You need a specific, clearly articulated interest that's real and present - not speculative. The ICO's guidance asks: What exactly are you trying to achieve? Who benefits? Is the purpose ethical and lawful?
"Improving our services" doesn't cut it. Name the actual interest.
Necessity Test
This is where most assessments fall apart. The EDPB Guidelines 1/2024 frame necessity as "strictly necessary" - not "reasonably useful," not "the most convenient way." If a less intrusive alternative achieves the same purpose, your necessity argument fails.
We've reviewed dozens of LIAs that collapse at this step because teams try to justify enriching entire contact databases when they only need data on 200 target accounts. Here's the thing: if you can achieve your goal with less data, you don't have a necessity case. Full stop.
Balancing Test
You weigh your interest against the data subject's rights, freedoms, and reasonable expectations. The EDPB is clear that reasonable expectations can't be inferred from industry practice - just because "everyone does it" doesn't mean people expect it. If you're processing sensitive data or targeting vulnerable groups, the bar goes up significantly.
Choosing the Right Lawful Basis
UK regulators are explicit: legitimate interest is not a default basis. No purposes automatically qualify. You must choose the most appropriate basis for each processing activity.

| Factor | Legitimate Interest | Consent | Contract |
|---|---|---|---|
| Opt-in required? | No | Yes | No |
| Can it be stopped by the individual? | Right to object (absolute for direct marketing) | Yes, anytime | Tied to contract |
| Documentation | Controller documents LIA | Controller collects + manages | Contract terms |
| Best for | B2B outreach, fraud prevention, analytics | Marketing, cookies | Service delivery |
Most B2B teams default to legitimate interest because they don't want to collect consent. That's backwards. Pick the basis that actually fits your processing activity, not the one that requires the least effort upfront. Legitimate interest often demands more ongoing documentation than consent does.
The CJEU's 4 October 2024 KNLTB judgment in Case C-621/22 confirmed that purely commercial interests can qualify as legitimate - the Dutch DPA had fined KNLTB EUR 525,000 for arguing otherwise. But "can qualify" at step one doesn't mean it survives necessity and balancing.

Your LIA necessity test fails when you enrich entire databases instead of targeting the right accounts. Prospeo's 30+ search filters let you narrow to exactly the contacts you need - passing the necessity test by design. 98% verified email accuracy means no junk data inflating your processing scope.
Process less data, reach more buyers - that's necessity done right.
How to Document an LIA
An LIA is a "light-touch risk assessment" - it doesn't need to be a 40-page legal memo. But it must exist before processing begins.

Minimum structure:
- Describe the processing - what data, from where, for what purpose
- Purpose test - identify the specific legitimate interest and who benefits
- Necessity test - explain why this processing is strictly necessary and why less intrusive alternatives won't work
- Balancing test - assess impact on data subjects, their reasonable expectations, and your mitigating measures
- Decision - document whether legitimate interest applies and any conditions
The ICO provides a downloadable LIA template that walks through each step. Budget 30-60 minutes per processing activity - it's not a massive lift, but skipping it leaves you with no evidence of accountability when a regulator asks.
Transport for London published a Legitimate Interests Assessment for data enrichment of its marketing database in March 2025 - one of the few publicly available LIAs from a major organization. If you're building your first one, it's a useful benchmark for what "real documentation" looks like in practice.
The ePrivacy Trap for Marketing
Even if your legitimate interest assessment is bulletproof, electronic marketing has a second layer. The ePrivacy Directive generally requires opt-in consent for electronic marketing communications - email, SMS, automated calls. GDPR lawful basis arguments alone don't get you there.

The soft opt-in exception under Article 13(2) of the ePrivacy Directive lets you email existing customers about similar products without fresh consent, as long as you offer a clear opt-out. B2B rules vary by Member State - some are more permissive, others aren't. Skip this research at your own risk.
Recent developments have tightened things further. The CJEU's Inteligo Media ruling in Case C-654/23 (13 November 2025) broadened the definition of direct marketing to include newsletters that promote paid services, even if they're mostly editorial. And the Belgian DPA's Draft Recommendation 01/2025 extends "direct marketing" to preparatory steps like profiling and segmentation. Article 21 GDPR gives data subjects an absolute right to object to processing for direct marketing - once they object, you stop, no exceptions.
If you're relying on legitimate interest for B2B outreach, data quality is a compliance factor that teams routinely underestimate. Stale records weaken your balancing test - you can't argue "minimal impact" when you're emailing people who left the company two years ago. In our experience, this is where most claims actually break down: not in the legal analysis, but in the data hygiene. Prospeo's 7-day data refresh cycle and 98% email verification accuracy mean your compliance case starts with data you can actually defend, rather than a database full of dead addresses that undermine your entire LIA.
What Changed in 2024-2026
EDPB Guidelines 1/2024 are the most current EU-level guidance on legitimate interest, building on the older WP29 Opinion 06/2014 framework. The headline: legitimate interest is "not an open door." The necessity standard is "strictly necessary," and the threshold for overriding an objection - "compelling legitimate grounds" - is higher than the initial balancing test.
The CJEU's KNLTB ruling clarified that legitimate interest is essentially a negative test: any interest qualifies so long as it doesn't conflict with the law. Good news for commercial processing, but the court reaffirmed that necessity and balancing still apply with full force.
The UK's "recognised legitimate interests" regime under the Data (Use and Access) Act 2025 introduces a new lawful basis - Article 6(1)(ea) UK GDPR - for specified purposes. Organizations have until June 2026 to align. This creates a real divergence between UK and EU frameworks that multi-jurisdiction teams need to track closely.
For context on enforcement stakes: cumulative GDPR fines exceeded EUR 5.88B by January 2025, with LinkedIn alone fined EUR 310M for targeted advertising in October 2024. Lawful basis violations remain among the most common grounds for enforcement action.
Common Mistakes
Using legitimate interest as a default without completing an LIA. No documentation means no lawful basis. We've seen teams scramble to backfill LIAs after a complaint - regulators aren't impressed by retroactive paperwork.

Ignoring ePrivacy for electronic marketing. A valid GDPR assessment doesn't override the consent requirement under the ePrivacy Directive. These are two separate legal instruments, and you need to satisfy both.
Citing "legitimate interest" in privacy policies without naming the actual interest. "We process your data based on legitimate interest" tells the data subject nothing. Name the specific interest - fraud prevention, direct marketing to existing customers, network security - or your transparency obligation isn't met.
Confusing GDPR legitimate interest with cookie consent. Cookie banners that toggle "legitimate interest" on by default for tracking are deceptive design, not a legitimate use of Article 6(1)(f). The consensus on r/privacy is that these patterns erode trust across the entire ecosystem, and regulators agree.

The balancing test weighs your interest against data subject expectations. Prospeo's 7-day data refresh cycle ensures you're never contacting people who've changed roles or companies - reducing unexpected outreach and strengthening your legitimate interest case. GDPR compliant with DPAs available.
Stale data fails the balancing test. Fresh data passes it.
FAQ
Can I use legitimate interest for cold email outreach?
For B2B, yes - if you've documented an LIA, the data is accurate, and you offer a clear opt-out. But ePrivacy rules in many EU countries still require consent for electronic marketing. Check your local soft opt-in exception before sending.
Is legitimate interest a valid lawful basis under GDPR?
Yes - it's one of six lawful bases under Article 6(1)(f). But it demands a documented three-part test and gives data subjects the right to object. It shifts the entire compliance burden to the controller, making thorough documentation non-negotiable.
Do I need an LIA for every processing activity?
It's not legally mandated, but it's strongly recommended by both the ICO and EDPB. An LIA is your evidence of accountability. Without one, you've got no proof your balancing test was done - which is a problem when a regulator comes knocking.