Legitimate Interests for Marketing: The UK GDPR Balancing Test

Steven | TrustYourWebsite · 8 May 2026 · Last updated: May 2026

Legitimate interests (LI) is one of the six lawful bases for processing personal data under UK GDPR Article 6(1)(f). It is the most flexible basis, but also the one that requires the most active analysis. For UK businesses using personal data for marketing, analytics, fraud prevention, and other commercial purposes, understanding when LI applies — and when it does not — is essential.

This guide explains the three-part legitimate interests assessment, the interaction between UK GDPR legitimate interests and PECR's electronic marketing rules, and how to document an LIA that will satisfy the ICO.

To check your website's current approach to consent and data collection, run a free scan at /uk/en/scan.

When legitimate interests applies

UK GDPR Article 6(1)(f) permits processing where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."

Unlike consent or contract performance, legitimate interests is not a bright-line basis. It requires a genuine balancing exercise. The ICO's guidance identifies three components that must all be satisfied.

The purpose test

The first question is whether you have a genuine, specific, and clearly articulated legitimate interest. The interest must be real, not speculative. It must be specific enough to be tested against the balancing test — "business purposes" is too vague. It must be a lawful interest, though it does not need to be enshrined in law.

Examples of interests the ICO accepts as capable of being legitimate: commercial interests in preventing fraud, network security interests, marketing to existing customers, optimising website performance, employee monitoring for legitimate HR purposes.

The purpose test is usually easy to satisfy for most commercial activities. The substantive challenge is the necessity and balancing tests.

The necessity test

Processing is necessary for the legitimate interest only if you cannot reasonably achieve the same result by less privacy-intrusive means. This is a proportionality test, not a strict minimum — the ICO's guidance acknowledges that "necessary" in this context does not mean "absolutely essential." But it does require genuine consideration of alternatives.

For marketing analytics, this means asking whether aggregate, non-personal data would serve the same purpose as individual-level tracking. For direct marketing, this means asking whether a less targeted approach would be sufficient. Where there is a reasonably practicable, less privacy-invasive alternative, the processing is not necessary and LI cannot be relied upon.

The balancing test

The balancing test is the most complex part of the LIA. It requires weighing the controller's legitimate interest against the data subject's rights, interests, and reasonable expectations. The ICO's guidance identifies factors relevant to the balance:

Nature of the interest: is it a fundamental business interest (fraud prevention) or a more peripheral one (targeted advertising)? More fundamental interests weigh more heavily in the balance.

Impact on the data subject: is the processing likely to cause damage, distress, or restriction of rights? Processing that involves sensitive data, profiling, or tracking has a higher impact.

Reasonable expectations: would data subjects reasonably expect their data to be used in this way, given the context in which it was collected? Collecting contact details at checkout creates a reasonable expectation of transactional communications; it does not create a reasonable expectation of sharing with third-party advertisers.

Available safeguards: what measures does the controller have in place to minimise impact? Offering an easy opt-out, minimising the data collected, and using aggregated rather than individual data all reduce the weight of any negative impact.

Particular vulnerability: if the data subject is a child or otherwise vulnerable, the balance shifts further against the controller's interests.

If the balancing test is close, safeguards can tip the balance. The ICO's guidance on legitimate interests notes that if you are uncertain whether your interest outweighs the data subject's rights, adding safeguards — clearer notice, an easy opt-out, data minimisation — may make the balance sufficiently clear.

Legitimate interests and direct marketing

UK GDPR Recital 47 states explicitly: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." The ICO's direct marketing guidance confirms that LI can be a lawful basis for offline direct marketing (postal mail, phone calls to registered users) and for some forms of digital marketing.

However, LI does not operate alone for electronic marketing. PECR imposes additional requirements on top of UK GDPR for electronic communications:

Emails and texts to consumers: Regulation 22 of PECR requires either prior consent or the soft opt-in exception (Regulation 22(3)) for marketing emails and texts to individual subscribers. Satisfying the UK GDPR LI three-part test does not remove the separate PECR consent requirement. A business that has carried out a flawless LIA but sends marketing emails to consumers without PECR-compliant consent is still breaching PECR.

Emails and texts to businesses: PECR's Regulation 22 consent requirement applies to "individual subscribers," which the ICO interprets as individuals (not incorporated companies). B2B electronic marketing to company email addresses may therefore rely on UK GDPR LI without a separate PECR consent basis. The distinction matters for the self-employed and sole traders, who are treated as individual subscribers even in a business context.

Phone calls: automated calls to consumers require consent under PECR Regulation 19. Non-automated calls (live agents) to numbers on the Telephone Preference Service (TPS) are prohibited under Regulation 21, regardless of LI. For live agent calls to numbers not on TPS, LI can provide the UK GDPR lawful basis, but PECR Regulations 21–24 impose separate requirements on the call itself.

The soft opt-in in detail

PECR Regulation 22(3) creates an exception to the general consent requirement for marketing emails. The soft opt-in is not a separate UK GDPR lawful basis — it is a PECR provision. The conditions are:

The business obtained the contact details "in the course of the sale or negotiations for the sale" of a product or service to that individual.

The marketing is only for "similar products and services."

At the time the details were collected, the individual was given a clear opportunity to opt out of receiving marketing, at no charge.

The individual is given a similar opt-out opportunity in every subsequent marketing message.

All four conditions must be met. "Similar products and services" is interpreted by the ICO as products in the same category as those the customer bought, not as a blanket permission to market the full product range. A customer who bought a printer receiving marketing for printer ink is arguably similar; the same customer receiving marketing for financial services is not.

The soft opt-in does not apply to prospects (people who did not complete a purchase), third-party list data, or data from co-registration schemes.

Documenting the LIA

The ICO's accountability principle under UK GDPR Article 5(2) requires controllers to be able to demonstrate compliance. For legitimate interests, this means recording the LIA in a format that can be produced to the ICO on request.

An LIA record typically covers: the name and description of the processing activity; the legitimate interest identified; why the processing is necessary (necessity test reasoning); the impact assessment (balancing test factors considered and conclusion); any safeguards applied; and the outcome and next review date.

The LIA does not need to be lengthy. What matters is that it demonstrates genuine analysis rather than a conclusion working backwards from the desired outcome. The ICO has been critical of LIAs that assert legitimate interests without substantive reasoning, particularly in direct marketing contexts.

For a practical review of your website's data practices against UK GDPR and PECR requirements, run a free scan at /uk/en/scan. For an overview of all UK GDPR obligations for websites, see UK GDPR compliance for businesses.
