Legitimate interests for marketing: UK GDPR LIA test

Steven | TrustYourWebsite · 8 May 2026 · Last updated: May 2026

Legitimate interests (LI) is one of the six lawful bases for processing personal data under UK GDPR Article 6(1)(f). It is the most flexible basis. It is also the one that requires the most active analysis. For UK businesses using personal data for marketing, analytics, fraud prevention and other commercial purposes, understanding when LI applies (and when it does not) is essential.

This guide explains the three-part legitimate interests assessment, the interaction between UK GDPR legitimate interests and PECR's electronic marketing rules and how to document an LIA that will satisfy the Information Commissioner's Office (ICO).

Quick summary

  • Legitimate interests is available as a UK GDPR lawful basis for marketing under Article 6(1)(f).
  • PECR consent rules still apply on top for unsolicited marketing emails, texts and automated calls to individuals.
  • You must document a three-part LIA: purpose, necessity, balancing. The ICO publishes a free LIA template you can adapt.

To check your website's current approach to consent and data collection, run a free scan at /uk/en/scan for marketing-compliance signals such as cookie banners, tracker placement and consent storage.

The three-part LIA test at a glance

Step | Question | What good looks like
1. Purpose | Is your interest real, specific and lawful? | "Marketing our printer ink to past printer buyers", not "business growth".
2. Necessity | Can you reach the same outcome less intrusively? | Aggregate analytics or first-party email instead of cross-site tracking.
3. Balancing | Do user rights and expectations outweigh your interest? | Clear notice at collection, easy opt-out and minimal data tip the balance.

When legitimate interests applies

UK GDPR Article 6(1)(f) permits processing where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."

Unlike consent or contract performance, legitimate interests is not a bright-line basis. It requires a genuine balancing exercise. The ICO's guidance on legitimate interests identifies three components that must all be satisfied.

The purpose test

The first question is whether you have a genuine, specific and clearly articulated legitimate interest. The interest must be real, not speculative. It must be specific enough to be tested against the balancing test. "Business purposes" is too vague. The interest must be lawful, though it does not need to be enshrined in law.

Examples of interests the ICO accepts as capable of being legitimate include commercial interests in preventing fraud, network security, marketing to existing customers, optimising website performance and employee monitoring for legitimate HR purposes.

The purpose test is usually easy to satisfy for most commercial activities. The substantive challenge is the necessity and balancing tests.

The necessity test

Processing is necessary for the legitimate interest only if you cannot reasonably achieve the same result by less privacy-intrusive means. This is a proportionality test, not a strict minimum. The ICO's guidance acknowledges that "necessary" in this context does not mean "absolutely essential". But it does require genuine consideration of alternatives.

For marketing analytics, this means asking whether aggregate, non-personal data would serve the same purpose as individual-level tracking. For direct marketing, this means asking whether a less targeted approach would be sufficient. Where there is a reasonably practicable, less privacy-invasive alternative, the processing is not necessary and LI cannot be relied upon.

The balancing test

The balancing test is the most complex part of the LIA. It requires weighing the controller's legitimate interest against the data subject's rights, interests and reasonable expectations. The ICO's guidance identifies factors relevant to the balance.

Nature of the interest: is it a fundamental business interest (fraud prevention) or a more peripheral one (targeted advertising)? More fundamental interests weigh more heavily in the balance.

Impact on the data subject: is the processing likely to cause damage, distress or restriction of rights? Processing that involves sensitive data, profiling or tracking has a higher impact.

Reasonable expectations: would data subjects reasonably expect their data to be used in this way, given the context in which it was collected? Collecting contact details at checkout creates a reasonable expectation of transactional communications. It does not create a reasonable expectation of sharing with third-party advertisers.

Available safeguards: what measures does the controller have in place to minimise impact? Offering an easy opt-out, minimising the data collected and using aggregated rather than individual data all reduce the weight of any negative impact.

Particular vulnerability: if the data subject is a child or otherwise vulnerable, the balance shifts further against the controller's interests.

If the balancing test is close, safeguards can tip the balance. The ICO's guidance on legitimate interests notes that if you are uncertain whether your interest outweighs the data subject's rights, adding safeguards such as clearer notice, an easy opt-out and data minimisation may make the balance sufficiently clear.

Legitimate interests and direct marketing

UK GDPR Recital 47 states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." The ICO's direct marketing guidance confirms that LI can be a lawful basis for offline direct marketing (postal mail and phone calls to registered users) and for some forms of digital marketing.

However, LI does not operate alone for electronic marketing. PECR imposes additional requirements on top of UK GDPR for electronic communications. The matrix below shows which lawful-basis combinations are valid by channel.

Channel and audience | Can LI alone cover it? | PECR consent required? | Soft opt-in available?
Postal mail to consumers or businesses | Yes | No | N/A (no PECR consent rule applies)
Email or SMS to individual consumers | No | Yes, unless soft opt-in applies | Yes, for existing customers buying similar products
Email to UK limited companies and LLPs | Yes | No | N/A (Reg 22 does not bite on corporate subscribers)
Email to sole traders or partnerships | No | Yes (treated as individual subscribers) | Yes, same conditions as B2C
Live-agent telephone calls (non-TPS numbers) | Yes for UK GDPR basis | No | N/A. TPS-registered numbers cannot be called regardless.
Automated voice calls | No | Yes (PECR Reg 19) | No soft opt-in for automated calls.

Emails and texts to consumers: Regulation 22 of PECR requires either prior consent or the soft opt-in exception (Regulation 22(3)) for marketing emails and texts to individual subscribers. Satisfying the UK GDPR LI three-part test does not remove the separate PECR consent requirement. A business that has carried out a flawless LIA but sends marketing emails to consumers without PECR-compliant consent is still breaching PECR.

Emails and texts to businesses: PECR's Regulation 22 consent requirement applies to "individual subscribers", which the ICO interprets as individuals (not incorporated companies). B2B electronic marketing to company email addresses may therefore rely on UK GDPR LI without a separate PECR consent basis. The distinction matters for the self-employed and sole traders, who are treated as individual subscribers even in a business context.

Phone calls: automated calls to consumers require consent under PECR Regulation 19. Non-automated calls (live agents) to numbers on the Telephone Preference Service (TPS) are prohibited under Regulation 21, regardless of LI. For live agent calls to numbers not on TPS, LI can provide the UK GDPR lawful basis. PECR Regulations 21 to 24 still impose separate requirements on the call itself.

The soft opt-in in detail

PECR Regulation 22(3) creates an exception to the general consent requirement for marketing emails. The soft opt-in is not a separate UK GDPR lawful basis. It is a PECR provision. Four conditions must all be met.

# | Condition | What this rules out
1 | Details obtained during a sale or negotiation of a sale | Prospects who never bought. Third-party lists. Co-registration data.
2 | Marketing is for "similar products and services" | Cross-selling outside the original product category (printer buyer to financial services).
3 | Opt-out offered at the point of collection, at no cost | Pre-ticked consent. Hidden opt-out. Opt-out only available by phoning a paid number.
4 | Opt-out offered in every subsequent message | Messages without a working unsubscribe link.

"Similar products and services" is interpreted by the ICO as products in the same category as those the customer bought, not as a blanket permission to market the full product range. A customer who bought a printer receiving marketing for printer ink is arguably similar. A customer who bought a printer receiving marketing for financial services is not.

The soft opt-in does not apply to prospects (people who did not complete a purchase), third-party list data or data from co-registration schemes.

Documenting the LIA

The accountability principle under UK GDPR Article 5(2) requires controllers to be able to demonstrate compliance. For legitimate interests, this means recording the LIA in a format that can be produced to the ICO on request. The ICO publishes a free LIA template you can adapt.

An LIA record typically covers the name and description of the processing activity, the legitimate interest identified, why the processing is necessary (necessity test reasoning), the impact assessment (balancing test factors considered and conclusion), any safeguards applied and the outcome with next review date.

The LIA does not need to be lengthy. What matters is that it demonstrates genuine analysis rather than a conclusion working backwards from the desired outcome. The ICO has been critical of LIAs that assert legitimate interests without substantive reasoning, particularly in direct marketing contexts.

For a practical review of your website's data practices against UK GDPR and PECR requirements, run a free scan at /uk/en/scan. For an overview of all UK GDPR obligations for websites, see UK GDPR compliance for businesses. For background on UK-specific rules diverging from EU GDPR, see UK Data Protection Act 2018 vs UK GDPR and DUAA changes 2025.


This article is technical analysis, not legal advice. For binding interpretation of UK GDPR or PECR consult a qualified data-protection practitioner.