What is “legitimate interest” and how does it apply to B2B email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably heard someone say "legitimate interest" like it's a magic phrase that makes cold email legal under GDPR. It isn't. It's a real lawful basis for processing personal data, but it comes with conditions that most senders don't fully think through.
Legitimate interest is one of six lawful bases for processing personal data under GDPR. Unlike consent, it doesn't require someone to actively opt in. That's why B2B senders reach for it. But "I want more customers" isn't a lawful basis on its own. You have to pass a three-part test first.
The purpose test. What specific interest are you pursuing? Business development can qualify, but it needs to be genuine and clearly defined. "Getting leads" is too vague. "Reaching procurement managers at mid-sized manufacturers who buy the type of software we sell" is closer to defensible.
The necessity test. Is emailing this person actually necessary to achieve that goal? Could you reach them another way? Regulators will ask this. If the answer is "not really," you've got a problem.
The balancing test. This is where most assessments fall apart. You have to weigh your interest against the individual's rights and reasonable expectations. If a professional receives an email that's directly relevant to their job, in a context they'd reasonably expect, the balance can tip in your favor. If it's irrelevant, frequent, or unexpected, it won't.
You're also required to document this reasoning in what's called a Legitimate Interest Assessment (LIA). Not a formality you fill in after the fact. An actual written analysis, done before you send.
For B2B email specifically, a few things work in your favor. Contacting someone at a business address about topics genuinely related to their professional role is more defensible than consumer outreach. Corporate email addresses usually carry lower privacy expectations than personal ones. And GDPR's recitals specifically acknowledge that legitimate interest can apply in a B2B context.
But a few things will sink you quickly. High sending volume, irrelevant content, no easy opt-out, and no record of your assessment are all red flags regulators look for. Recipients still have the right to object at any time, and you need to honor that without friction.
Legitimate interest isn't a shortcut. It's a documented legal position that you'd need to defend if challenged. If that sounds like a lot of work, there are other routes to compliant cold outreach worth exploring too.
Not sure where your current setup stands? Our SOS hotline is free and there's no pitch attached.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.