6 July 2026 · Last reviewed 6 July 2026
How to Complete a Legitimate Interest Assessment for Email Marketing (UK Guide)
Before you can rely on legitimate interest as your GDPR lawful basis for email marketing, the ICO requires you to work through a three-part test and document the result. That documented analysis is your Legitimate Interest Assessment — or LIA.
This guide walks through the LIA process specifically for email marketing contexts. It covers what the test requires, a worked example you can adapt, common mistakes that fail the balancing step, and what happens if the ICO asks to see it.
What is a Legitimate Interest Assessment?
An LIA is a structured record of your reasoning for relying on legitimate interest under Article 6(1)(f) of the UK GDPR. The UK GDPR does not formally require you to produce an LIA document — but the ICO says you should do one anyway, for two reasons:
- You cannot know whether legitimate interest applies unless you work through the three-part test. The test is what determines whether the basis is available at all.
- If challenged — by a data subject, a regulator, or in litigation — you need to be able to show your reasoning. A retroactive justification carries far less weight than a contemporaneous record.
The ICO also provides a sample LIA template (Word document) you can download and adapt.
Before you start: the PECR reminder
Completing an LIA only covers your GDPR position. For marketing emails to individual subscribers (consumers, sole traders, most small partnerships), the Privacy and Electronic Communications Regulations 2003 impose a separate consent requirement that legitimate interest does not satisfy.
You can pass all three parts of the LIA and still need separate PECR consent or a valid soft opt-in before you can legally send a marketing email to an individual. The two laws operate in parallel.
Where legitimate interest as a GDPR basis genuinely matters for email is B2B marketing to corporate subscribers — limited companies and LLPs, where PECR's consent requirement does not apply to the company itself. In those cases, legitimate interest is often the GDPR basis for processing the named business contact's email address. Read our GDPR and email marketing guide for how the two frameworks interact.
The three-part test
The ICO's guidance on when to rely on legitimate interests sets out the test in three parts. You must pass all three.
Part 1: Purpose test
The question: Is there a genuine, specific legitimate interest — yours or a third party's?
This is about identifying and articulating the interest clearly. "We want to grow our business" fails the specificity requirement. "We want to inform existing customers about an upgraded version of a product they have already purchased from us" passes.
The interest needs to be a real business objective, not a legal fiction invented to justify the processing. You also need it to be lawful — processing for a purpose that is itself illegal cannot be a legitimate interest.
For email marketing specifically: Direct marketing has been recognised in law as something that can constitute a legitimate interest. Section 70 of the Data (Use and Access) Act 2025 inserted an example into Article 6 of the UK GDPR stating that "examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include … processing that is necessary for the purposes of direct marketing." This does not make direct marketing automatically lawful — it confirms that direct marketing is capable of being a legitimate interest and removes any ambiguity on that point. You still need to pass the full test.
Part 2: Necessity test
The question: Is processing personal data necessary to achieve the identified interest, or could you achieve the same result through a less privacy-intrusive means?
For email marketing, this question usually has a clear answer: email marketing requires email addresses, and there is no less privacy-intrusive way to conduct email marketing. The necessity test is generally straightforward here.
Where it becomes more complex is around:
- Volume: Are you processing data for all contacts in your database, or only those for whom the particular marketing is relevant? Processing data to send every contact every campaign may not pass necessity if a segment-based approach would achieve the same legitimate interest for each communication.
- Retention: Processing data for active contacts is necessary; retaining it indefinitely after someone stops engaging raises the necessity question again.
Part 3: Balancing test
The question: Do the rights and interests of the data subject override your legitimate interest?
This is the step most LIAs fail when challenged. You weigh your interest against:
- The nature of the personal data (email address and marketing interaction data is relatively low-sensitivity)
- The reasonable expectations of the data subject (did they provide their email expecting marketing? In what context?)
- The impact of the processing on them (commercial emails have limited impact; volume or intrusiveness increases it)
- The relationship between you and the data subject (customer vs stranger)
The "reasonable expectations" element is where most marketing LIAs are weakest. If someone gave their email address in a context that has no obvious connection to your marketing — signing up for a whitepaper, entering a competition, providing details to receive a specific service — they have no reasonable expectation of receiving marketing. The balancing test is unlikely to succeed.
Where the balancing test is most likely to succeed:
- Customers who purchased a product and did not opt out of hearing from you about directly related offers
- Contacts who signed up to a professional newsletter or email list where marketing was clearly signalled
- B2B contacts who provided business email addresses in a context where commercial communication was expected
Where it regularly fails:
- Consumer addresses collected in a high-volume, loosely described consent process ("by providing your email you agree to our privacy policy")
- Third-party data where there is no direct relationship with you
- Long-dormant contacts with no engagement in 12+ months
Worked example: existing customer B2B marketing
Here is how the three-part test might look for a software company doing B2B email marketing to its existing customers:
Context: SaaS company. Customer signed up, used the product for 6+ months, is employed at a limited company. Company wants to email about a new product feature.
Purpose test: Genuine interest — inform an existing customer about a directly relevant product update that may improve their use of the product they already pay for. Specific and plausible.
Necessity test: Email is necessary — the information is personalised to their use of the product; other channels (in-app notification, account page) are additional, not substitutes for direct communication. Necessary: yes.
Balancing test:
- Nature of data: business email address; low sensitivity.
- Reasonable expectations: customer of a SaaS product has reasonable expectation of receiving product communications from that product.
- Impact: low — a single email about a relevant product update.
- Relationship: active paying customer.
- Outcome: legitimate interest not overridden.
LIA outcome: Legitimate interest applies. GDPR basis confirmed. Note: must still check whether PECR corporate subscriber rules apply — if the customer is an employee of a limited company, PECR consent requirement does not apply to the company (but individual unsubscribe rights apply under GDPR Article 21).
Recording your LIA
Your LIA does not need to follow a specific format. The ICO's guidance recommends recording:
- The date and the processing activity it covers
- The legitimate interest identified (Purpose test outcome)
- Why the processing is necessary (Necessity test outcome)
- Your balancing assessment and the factors you weighed (Balancing test outcome)
- The conclusion: whether legitimate interest applies, and any mitigating measures you are applying
Keep the record. If someone raises their right to object under Article 21 — which they can always do for direct marketing — you will need to be able to demonstrate that you considered their interests in the first place.
Update the LIA when circumstances change. If you extend marketing to new segments, change the nature of communications, or the regulatory environment shifts significantly, the original LIA may no longer cover the new processing.
What the ICO checks
If the ICO investigates a marketing complaint and you are relying on legitimate interest, the key questions are:
- Did you complete a three-part test before relying on this basis?
- Was your assessment of the balancing test reasonable, given what you knew about the contacts and the context?
- Can you demonstrate that you had a procedure for honouring opt-outs promptly?
A thin or retrospective LIA — one completed after the complaint arrived — will not carry the same weight as one produced before you started the marketing activity. The ICO's guidance on the how to apply legitimate interests in practice makes this point explicitly.
An LIA does not immunise you against complaints. It demonstrates that you took a reasoned, documented approach to a genuinely contested lawful basis — and that you understood where the limits were. That distinction matters in regulatory investigations.
Sources
- ICO — Legitimate interests (lawful basis overview)
- ICO — How do we apply legitimate interests in practice? (LIA guidance)
- ICO — When can we rely on legitimate interests?
- Data (Use and Access) Act 2025, s.70 — legitimate interest for direct marketing
- Privacy and Electronic Communications Regulations 2003
This article is for informational purposes only and does not constitute legal advice. Legitimate interest assessments involve factual and legal judgements specific to your circumstances. For guidance specific to your business, consult a qualified legal professional or data protection officer.