Does “legitimate interest” allow any email marketing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's a situation that comes up a lot. Your legal team or marketing manager says, "We don't need consent forms, we can just use legitimate interest." And technically, they're not wrong. But legitimate interest isn't a shortcut. It's a legal basis that requires actual work to justify, and if you can't show that work, regulators won't accept it.
Under GDPR, legitimate interest is one of six lawful bases for processing personal data. For email marketing specifically, it can apply, but only in narrow circumstances. The classic example is the soft opt-in rule: if someone bought something from you recently, you can email them about similar products or services without fresh consent, as long as you gave them a clear chance to opt out at the time of purchase and every email since.
That's probably the most common legitimate interest scenario in email. Everything outside that range gets harder to defend.
What a balancing test actually looks like
The balancing test (formally called a Legitimate Interest Assessment, or LIA) is a three-part question you need to work through and document in writing.
1. Is there a genuine legitimate interest? This has to be a real business purpose, not just "we want more sales." Examples that hold up: re-engaging existing customers, fraud prevention communications, notifying users of service changes related to their account.
2. Is the processing necessary? Could you achieve the same goal with less intrusive means? If you could just ask for consent and it wouldn't be a big deal, that's a signal you should. Legitimate interest is not meant to replace consent when consent is easy to get.
3. Do your interests outweigh the person's rights? This is the actual balancing part. You're weighing your business need against the recipient's reasonable expectation of privacy. Would a reasonable person be surprised or upset to receive this email? If yes, your interest probably doesn't win.
Your documentation should capture all three parts in plain language. Something like: "We email customers who purchased in the last 12 months about related products. They were informed of this at signup and have a clear opt-out in every email. The data used is limited to name and email address. We believe this is within the reasonable expectation of our customer relationship." That's the kind of record you want to be able to show a regulator.
What legitimate interest does NOT cover
- Cold outreach to purchased or rented lists where no prior relationship exists
- Marketing that goes beyond what the customer reasonably expected when they gave you their email
- Any situation where consent would be straightforward to obtain. If you could just ask, ask.
- Profiling or tracking without clear transparency about what you're doing and why
But the rule of thumb most privacy professionals use is this: if you'd feel uncomfortable explaining your reasoning to the person receiving the email, your balancing test probably doesn't hold up.
One more thing worth knowing. Legitimate interest doesn't eliminate the right to object. Anyone on your list can tell you to stop emailing them, and you must honour that immediately. It's not optional, and it's not the same as unsubscribing from a preference centre. An objection under GDPR means stop, full stop.
If you're genuinely unsure whether your use case qualifies, the honest answer is to talk it through with someone who isn't trying to sell you something. Getting this wrong isn't just a legal risk. It also tanks your deliverability when people who didn't expect your emails start hitting the spam button.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.