Legitimate interest is the most widely used legal basis under the EU’s General Data Protection Regulation (GDPR). It’s also the most misunderstood. Marketing teams lean on it to avoid consent workflows. Legal teams struggle to document and defend it. And enforcement actions across the EU show that regulators are taking a harder look at how it’s being applied.
Understanding how data protection legitimate interest works under Article 6(1)(f) GDPR matters now more than it did a year ago. October 2024 brought a landmark Court of Justice of the European Union (CJEU) ruling and new European Data Protection Board (EDPB) guidelines that raised the bar on documentation and tightened the interpretation of the three-part test.
At a Glance
- Legitimate interest under the GDPR requires a documented three-part assessment covering purpose, necessity, and balancing of individual rights before any processing can begin.
- Commercial interests can serve as a legitimate interest under GDPR, but only if an organization passes all three steps of the assessment and documents the outcome.
- Consent is always required for non-essential cookies and online tracking, regardless of what GDPR legal basis an organization claims.
- In October 2024, the CJEU ruling in Case C-621/22 and the EDPB Guidelines 1/2024 updated how legitimate interest is interpreted across the EU.
- Legitimate interest cannot be used for sensitive data categories, processing children’s data for marketing, or selling personal data to third parties.
What Is GDPR Legitimate Interest?
GDPR Legitimate Interest (Art. 6(1)(f) GDPR) allows an organization to use someone’s personal data without asking for consent if it has a real and reasonable reason to do so. However, it can only do this if that reason is not more important than the person’s privacy rights and freedoms.
For example, a company may rely on legitimate interest to prevent fraud or improve its services, but not if doing so would be unfair, intrusive, or harmful to the individual.
That condition is important because legitimate interest is not a blanket permission. It requires a documented assessment that weighs the business need against the impact on individuals. If that balance tips in the individual’s favor, the legal basis does not hold.
Recent Updates: What the EDPB and CJEU Have Changed
Timeline: evolution of legitimate interest guidance
- GDPR (2018)
- WP29 Opinion 06/2014 (superseded)
- CJEU Case C-621/22 (October 2024)
- EDPB Guidelines 1/2024 (October 2024)
In October 2024, two developments reshaped how GDPR legitimate business interest is interpreted across the EU.
The Court of Justice of the European Union (CJEU) ruled on Case C-621/22 on 4 October 2024. It confirmed that purely commercial interests can qualify as legitimate interests under the GDPR. Profit motive alone does not disqualify a purpose. The ruling also made clear that the three-part test remains non-negotiable: a commercial justification does not bypass the necessity and balancing steps.
Following that ruling, the European Data Protection Board (EDPB) published Guidelines 1/2024 on legitimate interest (PDF). These are the most significant regulatory guidelines on this topic since GDPR came into force in 2018. They supersede the earlier WP29 Opinion 06/2014 and are currently in their final adoption phase.
The EDPB reinforced that the three-part test must be applied rigorously, that the right to object must always be honored, and that data controllers cannot rely on vague or generic legitimate interest claims. The bar for documentation has effectively risen.
Legitimate Interests GDPR Examples: What Qualifies and What Doesn’t
Not every business purpose can be considered a legitimate interest for GDPR processing purposes.
The cases below reflect the current positions of the EDPB and supervisory authorities. For cases marked as risky, a documented Legitimate Interest Assessment (LIA) is the minimum requirement, and consent is often the safer route.
| Use Case | Likely To Qualify? | Notes |
| --- | --- | --- |
| Fraud prevention | Yes | Explicitly referenced in Recital 47 GDPR |
| IT and network security monitoring | Yes | Covered under Recital 49 GDPR; applies to internal system protection |
| Direct marketing to existing customers | Likely | Recital 47 acknowledges this; an easy opt-out must be provided |
| B2B direct marketing to commercial contacts | Often | Lower threshold than B2C; a prior business relationship is expected |
| Employee data processing for internal HR | Often | Depends on national law and the specific processing context |
| Analytics (aggregated and non-identifiable) | Often | Only if the data is truly aggregated and cannot identify individuals |
| Direct marketing to cold B2C prospects | Risky | High burden to demonstrate a relationship or reasonable expectation; consent is safer |
| Behavioral profiling for ad targeting | Risky | ePrivacy Directive may require consent regardless; document carefully or switch basis |
| Online tracking via cookies or pixels | No | ePrivacy Directive overrides the GDPR here: consent is always required |
| Processing children’s data for marketing | No | Individual rights typically override; explicit consent is required |
| Selling personal data to third parties | No | Individuals have no reasonable expectation of this; it does not pass the legitimate interests balancing test |
| Analytics via Google Analytics (EU) | No | Multiple EU data protection authorities have ruled that consent is required |
A Legitimate Interest Assessment is the structured process used to determine whether legitimate interest applies to a specific processing activity. Without one, there is no legal basis, only an assumption.
The assessment follows three sequential steps. Failing any one of them means legitimate interest cannot be used as a GDPR legal basis for processing.
Step 1: Purpose Test — Is the Interest Legitimate?
The purpose test asks whether you are processing personal data in pursuit of a legitimate interest. The first question, therefore, is whether the interest is real, specific, and lawful.
Vague justifications like “improving our services” or “business development” will not hold up. The purpose needs to be clearly articulated, with a direct connection to a genuine organizational or societal need.
Commercial interests can pass this step. The CJEU confirmed this in October 2024. What matters is that the purpose is defined precisely and is not in conflict with the law.
Consider a financial services company that screens existing customer accounts for unusual transaction patterns to detect fraud. The interest is specific, lawful, and named in Recital 47, so it passes the purpose test.
Step 2: Necessity Test — Is Processing Necessary?
Even where the purpose is legitimate, processing is only justified to the extent it is genuinely necessary to achieve that purpose.
This is where data minimization becomes critical. If the same goal could be achieved with less data or a less privacy-intrusive method, the processing as planned does not pass.
“Necessary” does not mean “useful” or “more efficient.” It means there is no reasonably available alternative that achieves the same purpose with a smaller privacy footprint.
Using the same fraud prevention scenario: if transaction patterns over two years are sufficient to detect fraud, processing ten years of data fails the necessity test. The purpose is valid, but the scope is not proportionate.
Step 3: Balancing Test — Do Data Subjects’ Rights Override the Interest?
The final step weighs the legitimate interest against the impact on the individuals whose data is processed. The EDPB’s 2024 guidelines identify several factors relevant to this assessment:
- The nature of the personal data (is it sensitive or particularly private?)
- The reasonable expectations of the individuals (would they anticipate this use?)
- The potential consequences of the processing (what is the risk of harm?)
- The relationship between the organization and the individuals
- Any safeguards in place to mitigate the impact
If the processing could cause real harm, involves sensitive personal data, or would not be expected by the individuals involved, the balance is likely to tip in their favor.
Sending a promotional email to a customer who purchased a product six months ago is something they would reasonably anticipate. Passing that customer’s email address to a third-party advertiser they have never heard of is not. The first may pass the balancing test; the second will not.
How to Document Your Legitimate Interest Assessment (LIA)?
A Legitimate Interest Assessment is a written record demonstrating that the three-part test was applied to a specific processing activity. Supervisory authorities can request it during an investigation or audit. Without it, the legal basis cannot be defended.
A compliant LIA should include:
Description of the processing activity
What data is being collected, from whom, and for what specific purpose? Precision matters here. Listing “Marketing” is not sufficient. “Sending product update emails to customers who purchased within the last 12 months” is.
Identification of the legitimate interest
State whose interest it is and why it qualifies as legitimate. Reference the specific business need and, where applicable, any relevant Recitals or regulatory guidance.
Necessity assessment
Explain why this specific processing is necessary to achieve the purpose, and document why less privacy-intrusive alternatives were considered and ruled out.
Balancing assessment
Work through the factors in the EDPB’s 2024 guidelines: the nature of the data, individuals’ reasonable expectations, the potential for harm, and any safeguards in place.
Outcome and review date
Record the conclusion and set a date to review if circumstances change, for example, if the scope of processing expands or a new regulatory decision is issued.
The LIA is a living document. If the processing changes, the assessment must reflect that.
Legitimate Interest vs Consent: When to Use Which?
The choice between legitimate interest and consent is not a matter of preference. It depends on the nature of the processing, the relationship with the individual, and whether sector-specific rules apply.
However, it’s worth noting that if an organization switches from legitimate interest to consent, previously collected data cannot be retroactively validated. Fresh consent is required before processing continues under the new basis.
| Scenario | Legitimate Interest | Consent |
| --- | --- | --- |
| Existing customer relationship | Often appropriate | Not always required |
| Cold outreach with no prior relationship | High risk; document carefully | Preferred |
| Non-essential cookies and tracking pixels | Not applicable | Required |
| Email marketing (B2B, commercial contacts) | Often appropriate | Alternative |
| Email marketing (B2C, no prior relationship) | Risky | Preferred |
| Analytics (aggregated and non-identifiable) | May apply | Not required |
| Behavioral profiling for advertising | Risky | Preferred |
| Sensitive data categories | Not applicable | Required |
| AI-based automated decision-making | Risky; assess carefully | Preferred |
| Processing children’s data | Not applicable | Required (or parental consent) |
Legitimate Interest for Marketing Purposes
Marketing is where legitimate interest is used most often and where it creates the greatest compliance risk. The strength of the argument generally depends on the existing relationship with the individual, the communication channel, and whether tracking or profiling is involved.
Marketing to Existing Customers
Direct marketing to existing customers is the clearest example of legitimate interest holding up. Recital 47 GDPR specifically identifies it as a qualifying use.
Where someone has purchased, subscribed, or otherwise entered into a relationship with an organization, there is a reasonable expectation of follow-up communication about related products or services. An easy opt-out must always be available, and any objection must be honored immediately.
B2B Marketing
B2B marketing to professional contacts generally sits in safer territory. When someone is contacted in their professional capacity, through a business email address, there is a stronger expectation that commercial communication may occur. The threshold is therefore lower in a B2B context than in B2C.
Cold B2C Outreach
Cold outreach to B2C prospects is where things become much less certain. Without a prior relationship, the balancing test is far more difficult to satisfy. In these situations, consent is not just preferable. It is often the only defensible legal basis.
Profiling, Tracking, and ePrivacy
Behavioral profiling and ad targeting introduce a separate issue through the ePrivacy Directive. Even if a three-part LIA could theoretically support profiling, the ePrivacy Directive independently requires consent for the cookies and tracking technologies that make profiling possible. Legitimate interest cannot be used to avoid that requirement.
The Right to Object
Across all marketing activities, the right to object applies without exception. Individuals can object at any time to processing based on legitimate interest, and the organization must stop processing for that purpose unless it can demonstrate compelling overriding grounds. This must be explained clearly at the first point of contact.
When Not to Use Legitimate Interest?
There are situations where legitimate interest simply cannot apply, either because GDPR rules it out, because sector-specific law overrides it, or because the balancing test will always fail.
Tracking cookies and online tracking are the most consequential examples. The ePrivacy Directive requires consent for non-essential cookies and tracking technologies, regardless of any GDPR legal basis. This covers analytics cookies, advertising pixels, social media tracking, and fingerprinting. The EDPB’s 2024 guidelines also reaffirm this position.
Sensitive data categories are also outside the scope. Health data, racial or ethnic origin, political opinions, biometric data, and the other categories listed in Art. 9 GDPR require either explicit consent or a specific Article 9 exception.
Processing for the purpose of selling personal data to third parties will also fail the legitimate interest balancing test. Individuals have no reasonable expectation that their data will be sold. No LIA will change that.
Lastly, processing children’s data for marketing or profiling purposes will almost always fail as well. Children’s rights carry additional weight in the balancing test — they are explicitly referenced in Art. 6(1)(f) — and supervisory authorities have consistently held that their interests override commercial ones in this context.
Legitimate Interest and AI
AI-based processing creates particular challenges for legitimate interest, and regulatory scrutiny in this area is increasing.
Where AI is used to make fully automated decisions that have legal or similarly significant effects on individuals, Art. 22 GDPR applies. In those cases, legitimate interest is not an available legal basis. Consent or contractual necessity are generally the more appropriate options.
Legitimate interest may still be available for less significant uses of AI, such as aggregated analytics, fraud detection, or content moderation. Even then, the assessment is not straightforward.
The LIA has to take into account both the scale of the processing and the fact that AI systems are often difficult for individuals to understand. They can process large amounts of data in ways that are not obvious, predictable, or transparent. That lack of visibility weighs against the organization in the balancing test.
Regulators have also signaled that guidance on AI and data protection is still developing. As a result, organizations using AI-driven profiling, scoring, or recommendation systems should not assume that legitimate interest will automatically apply. It should be treated as the starting point for the analysis, not the conclusion, with both the necessity and balancing stages requiring careful justification.
Compliance Is Not a One-Time Decision
Legitimate interest comes with ongoing obligations: documented assessments, maintained records, and immediate response to objections.
The October 2024 CJEU ruling and EDPB guidelines did not make it harder to use. They made it harder to use without proper groundwork.
For organizations with structured assessments already in place, the new guidance confirms what good practice already looked like. For those relying on undocumented assumptions, particularly for marketing, analytics, and cookie-related processing, a structured review of legal basis choices is overdue.
A useful place to start is mapping every processing activity against the right legal basis, and checking whether the documentation to support each one actually exists.
