Legitimate interest sounds like a shortcut. If your business has a good reason to process personal data, you might assume you can skip consent altogether. That assumption has cost organisations millions of euros in fines.
Article 6(1)(f) of the GDPR allows data processing when it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the rights and freedoms of the data subject. It is genuinely flexible - the GDPR does not provide a closed list of what counts as legitimate - but flexibility does not mean you can use it to avoid getting consent for cookies, tracking pixels, or behavioural advertising.
What Legitimate Interest Actually Means Under the GDPR
The GDPR recognises six legal bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interest. Each exists for different situations. Consent works when you need a clear opt-in. Contract applies when processing is needed to fulfil an agreement. Legitimate interest fills the gap where processing serves a real business or societal purpose and consent would be impractical or disproportionate.
Recital 47 of the GDPR states that a legitimate interest does not need to be enshrined in law. It can be commercial, organisational, or societal. The recital specifically mentions direct marketing as something that may constitute a legitimate interest - a point that has generated significant confusion. That word "may" is doing a lot of work. It does not mean direct marketing automatically qualifies.
In October 2024, the Court of Justice of the European Union (CJEU) settled a long-running dispute with its ruling in Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens. The Dutch Data Protection Authority had fined the Royal Dutch Tennis Association EUR 525,000 for sharing members' personal data with sponsors, arguing that purely commercial interests could never be legitimate interests. The CJEU disagreed, confirming that commercial interests can qualify as legitimate - but only if they pass a strict three-part test.
The Three-Part Legitimate Interest Test
Every use of legitimate interest requires a documented assessment. The UK's Information Commissioner's Office (ICO) calls this a Legitimate Interests Assessment (LIA), and while the GDPR does not mandate the term, the accountability principle in Article 5(2) effectively requires you to document your reasoning. The EDPB's Guidelines 01/2024, adopted in October 2024, reaffirm the three-step approach established by CJEU case law.
Step 1: Purpose Test - Is There a Legitimate Interest?
You must identify a specific, concrete interest. Vague statements like "improving our services" or "business development" are not enough. The interest must be lawful, clearly articulated, and real - not hypothetical.
Recital 49 of the GDPR gives network and information security as an explicit example. Fraud prevention is another. Processing employee data for internal administration, sharing data within a corporate group for internal purposes (Recital 48), and certain types of direct marketing to existing customers are all recognised starting points. The CJEU's KNLTB ruling confirmed that commercial interests such as generating revenue through sponsorship can pass this first step, provided they are not contrary to law.
Step 2: Necessity Test - Is the Processing Actually Needed?
This is where many assessments fail. The EDPB's 2024 guidelines stress that processing must be necessary, not merely useful. If you can achieve the same goal through less intrusive means - anonymisation, aggregation, or simply asking for consent - then legitimate interest does not apply.
The necessity test also ties into data minimisation under Article 5(1)(c). You cannot collect more data than the minimum required. The CJEU noted in the KNLTB case that the tennis association could have asked its members whether they wanted their data shared with sponsors, which would have been a less intrusive alternative. That observation is likely to influence how the Amsterdam District Court ultimately decides the case.
Step 3: Balancing Test - Do the Individual's Rights Override Your Interest?
Even if your interest is legitimate and the processing is necessary, you must weigh it against the impact on individuals. Key factors include:
| Factor | Weighs in Favour of Controller | Weighs Against Controller |
|---|---|---|
| Data subject expectations | Processing is expected given the relationship | Processing would surprise or concern the individual |
| Nature of data | Non-sensitive, limited scope | Special category data, children's data, financial records |
| Impact on individuals | Minimal or beneficial effect | Risk of discrimination, financial loss, reputational harm |
| Safeguards | Pseudonymisation, access controls, opt-out available | No safeguards, no opt-out mechanism |
| Power imbalance | Individual has genuine choice | Individual depends on the service (e.g., employment, essential services) |
The EDPB guidelines emphasise "reasonable expectations" as a central concept. If a data subject would not expect their data to be used in the way you intend, the balancing test is unlikely to go in your favour. A customer who buys hiking boots might reasonably expect the retailer to send related product recommendations by post. That same customer would not expect the retailer to share their purchase history with insurance companies.
Where Legitimate Interest Works in Practice
Legitimate interest is not a loophole, but it is not a dead letter either. Several common processing activities sit comfortably within its scope when the LIA is done properly.
Fraud prevention and network security are the textbook examples. Recital 49 explicitly recognises that processing data to prevent unauthorised access to networks, stop the spread of malicious code, and detect denial-of-service attacks constitutes a legitimate interest. A website logging IP addresses and monitoring traffic patterns for security purposes can rely on Article 6(1)(f) without difficulty.
Intra-group data transfers for internal administrative purposes also have explicit backing in Recital 48. A parent company processing employee contact details across subsidiaries for payroll coordination or IT support typically passes the three-part test.
Postal direct marketing to existing customers can work under legitimate interest in many EU jurisdictions, provided you offer a clear opt-out. Note the emphasis on postal - electronic direct marketing (email, SMS) is governed separately by the ePrivacy Directive and almost always requires prior consent.
CCTV used for the physical security of business premises is another area where legitimate interest frequently applies. The processing is clearly necessary, the interest is straightforward, and individuals generally expect to be recorded in commercial spaces when signs are displayed.
Where Legitimate Interest Fails: Cookies and Tracking Technologies
Here is where it gets complicated - and where most website owners go wrong.
Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device. The only exceptions are cookies that are strictly necessary to transmit a communication or to provide a service the user has explicitly requested. Analytics cookies, marketing cookies, social media pixels, and behavioural tracking tools do not qualify for either exception.
The ePrivacy Directive is lex specialis - a more specific law that takes precedence over the GDPR's general provisions in matters relating to electronic communications. This means that even if you could construct a valid legitimate interest argument under Article 6(1)(f) GDPR for the data processing that follows, you still need consent under the ePrivacy Directive for the act of placing the cookie on the user's device in the first place.
The EDPB's Guidelines 01/2024 address this directly. They confirm that consent requirements under Article 5(3) of the ePrivacy Directive must be respected when tracking techniques are used in the context of direct marketing activities. Any subsequent processing of personal data obtained through cookies must also have a legal basis under Article 6(1) GDPR, and the guidelines state that consent will "likely constitute the appropriate legal basis" in this context, "normally precluding reliance on Article 6(1)(f)."
Put simply: legitimate interest does not let you skip the cookie consent banner.
The IAB TCF and the Legitimate Interest Controversy
If you have ever configured a Consent Management Platform (CMP) using the IAB Transparency and Consent Framework (TCF), you may have noticed that some advertising vendors list "legitimate interest" alongside consent as a legal basis for certain processing purposes. This has been one of the most contested areas in European privacy enforcement.
The Belgian Data Protection Authority ruled in 2022 that IAB Europe, as a controller of the TCF system, had violated the GDPR in multiple ways. The case is still working through appeals, but the regulatory direction is clear: using legitimate interest as a basis for advertising-related data processing, particularly where Article 5(3) of the ePrivacy Directive applies, faces severe scrutiny.
The EDPB's 2023 cookie report found that "wrong legal bases" was among the most common compliance failures across EU websites. Some sites present users with an option to reject cookies via a consent button, while simultaneously pre-selecting legitimate interest toggles for advertising vendors in a separate tab - forcing users to deselect them manually, one by one. Data protection authorities across Europe have flagged this practice as non-compliant.
Real Enforcement: What Happens When You Get It Wrong
The consequences are not theoretical. The Irish Data Protection Commission fined LinkedIn EUR 310 million in October 2024 for processing user data for behavioural analysis and targeted advertising without a valid legal basis. The investigation found that none of the three bases LinkedIn relied on - consent, legitimate interest, and contractual necessity - was sufficient for the processing it carried out.
In France, the CNIL fined Amazon France Logistique EUR 32 million for an employee monitoring system that tracked warehouse workers' scanning speed, idle time, and break duration. The CNIL found that the monitoring system's reliance on legitimate interest was unjustifiable given the intrusive nature of the data collection and the power imbalance between employer and employees.
The Belgian DPA fined a website operator EUR 15,000 specifically for relying on legitimate interest to set first-party analytics cookies without consent - confirming that even relatively small-scale cookie violations can attract enforcement action.
By March 2025, cumulative GDPR fines had reached approximately EUR 5.65 billion across 2,245 enforcement actions, with insufficient legal basis ranking among the most common grounds for penalties.
How to Conduct a Legitimate Interests Assessment
If you believe legitimate interest is the right legal basis for a specific processing activity (not involving cookies or tracking technologies), you need a documented LIA before you start processing. Doing it retrospectively is not permitted - processing data without an established legal basis is unlawful from the outset.
Your LIA does not need to follow a specific template, though the ICO publishes a useful one. At minimum, it should cover:
| LIA Section | What to Document |
|---|---|
| Purpose | The specific legitimate interest, stated precisely - not vaguely |
| Necessity | Why processing is needed, what alternatives were considered, how data minimisation is applied |
| Balancing | Impact on individuals, their reasonable expectations, nature and sensitivity of data, safeguards in place |
| Outcome | Clear conclusion on whether the interest overrides the individual's rights, or vice versa |
| Review date | When you will reassess - circumstances change, and your LIA must remain current |
If the balancing test is close, you can tip the scales by introducing additional safeguards: pseudonymisation, strict access controls, shorter retention periods, or a robust opt-out mechanism. But if the result is clearly negative - the processing is too intrusive, too unexpected, or involves sensitive data - you need to find an alternative legal basis or reconsider the processing entirely.
Transparency Requirements
Article 13(1)(d) of the GDPR requires you to inform data subjects about your legitimate interests at the time of data collection. Your privacy notice must state what those interests are - not just say "we rely on legitimate interest." The CJEU reinforced this point in the KNLTB ruling, noting that proper transparency could have given individuals the opportunity to retain control over their data.
The Right to Object
Article 21 of the GDPR gives individuals the right to object to processing based on legitimate interest at any time. When someone objects, you must stop processing unless you can demonstrate "compelling legitimate grounds" that override the individual's interests. For direct marketing specifically, the right to object is absolute - no balancing exercise, no exceptions. You must stop immediately.
Legitimate Interest vs Consent: A Quick Comparison
| Aspect | Legitimate Interest | Consent |
|---|---|---|
| Prior opt-in required | No | Yes |
| Documented assessment required | Yes (LIA) | No (but you must record consent) |
| Right to object | Yes, under Article 21 | Right to withdraw at any time |
| Works for cookies/tracking | Almost never (ePrivacy Directive requires consent) | Yes |
| Works for email marketing | Only in very limited cases (existing customers, soft opt-in where national law permits) | Yes |
| Data portability applies | No | Yes |
| Can be used for sensitive data | No (Article 9 requires explicit consent or another specific basis) | Yes, with explicit consent |
Common Mistakes Website Owners Make
The most frequent error is treating legitimate interest as a fallback when consent is inconvenient. If your real concern is that users might not consent - for instance, to analytics or advertising cookies - that reluctance is actually a signal that the processing may be too intrusive. Choosing legitimate interest to avoid giving people a choice defeats the purpose of the legal basis.
Another common mistake is conducting the LIA after starting the processing. An LIA must be completed before data collection begins. A retrospective assessment carries no legal weight and can be seen as evidence that you did not take your obligations seriously.
Some organisations treat the LIA as a one-off exercise. Your processing context changes over time - new data sources, new purposes, new risks. The EDPB expects ongoing review, particularly where the balancing test was borderline.
A fourth error is failing to distinguish between what the GDPR permits for data processing and what the ePrivacy Directive requires for device access. These are separate legal instruments with separate requirements. A valid legitimate interest under the GDPR does not override the consent requirement under Article 5(3) of the ePrivacy Directive.
What About the ePrivacy Regulation?
The ePrivacy Regulation was proposed in 2017 to replace the 2002 ePrivacy Directive and align cookie consent rules with the GDPR. As of early 2025, it remains in legislative limbo after multiple drafts and political disagreements. The European Parliament and the Council have been unable to agree on a final text, and there is no firm timeline for adoption.
Until the Regulation is adopted, the ePrivacy Directive - as transposed into national law by each EU member state - remains the governing framework for cookies and electronic communications. The practical implication: consent is still required for non-essential cookies, and legitimate interest remains unavailable for most tracking activities.
Frequently Asked Questions
Can I use legitimate interest instead of consent for Google Analytics cookies?
No. Placing analytics cookies on a user's device requires prior consent under Article 5(3) of the ePrivacy Directive. Legitimate interest under the GDPR does not override this requirement, because the ePrivacy Directive is the more sp