What is “legitimate interest” and how does it apply to B2B email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've probably heard someone say "legitimate interest" like it's a magic phrase that makes cold email legal under GDPR. It isn't. It's a real lawful basis for processing personal data, but it comes with conditions that most senders don't fully think through.

Legitimate interest is one of six lawful bases for processing personal data under GDPR. Unlike consent, it doesn't require someone to actively opt in. That's why B2B senders reach for it. But "I want more customers" isn't a lawful basis on its own. You have to pass a three-part test first.

The purpose test. What specific interest are you pursuing? Business development can qualify, but it needs to be genuine and clearly defined. "Getting leads" is too vague. "Reaching procurement managers at mid-sized manufacturers who buy the type of software we sell" is closer to defensible.

The necessity test. Is emailing this person actually necessary to achieve that goal? Could you reach them another way? Regulators will ask this. If the answer is "not really," you've got a problem.

The balancing test. This is where most assessments fall apart. You have to weigh your interest against the individual's rights and reasonable expectations. If a professional receives an email that's directly relevant to their job, in a context they'd reasonably expect, the balance can tip in your favor. If it's irrelevant, frequent, or unexpected, it won't.

You're also required to document this reasoning in what's called a Legitimate Interest Assessment (LIA). Not a formality you fill in after the fact. An actual written analysis, done before you send.

For B2B email specifically, a few things work in your favor. Contacting someone at a business address about topics genuinely related to their professional role is more defensible than consumer outreach. Corporate email addresses usually carry lower privacy expectations than personal ones. And GDPR's recitals specifically acknowledge that legitimate interest can apply in a B2B context.

But a few things will sink you quickly. High sending volume, irrelevant content, no easy opt-out, and no record of your assessment are all red flags regulators look for. Recipients still have the right to object at any time, and you need to honor that without friction.

Legitimate interest isn't a shortcut. It's a documented legal position that you'd need to defend if challenged. If that sounds like a lot of work, there are other routes to compliant cold outreach worth exploring too.

Not sure where your current setup stands? Our SOS hotline is free and there's no pitch attached.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Run your legitimate interest assessment

I want to use legitimate interest as my lawful basis for B2B cold email under GDPR. Walk me through the three-part test honestly using my situation. My business objective is: describe your goal. My target recipients are: describe their role and sector. My sending volume is roughly: number per month. Based on this, how would you assess my purpose, necessity, and balancing tests? What would a regulator likely scrutinize?

Edit the yellow boxes, then send to the AI of your choice.