15 June 2026 · Last reviewed 4 June 2026
Legitimate Interest for Email Marketing: What the DUAA 2025 Actually Changed
"We rely on legitimate interest for our marketing emails." It is one of the most common things UK businesses say about their email programme — and one of the most commonly misunderstood.
The Data (Use and Access) Act 2025 made a change here that has been widely reported, often inaccurately. So let us be precise about what legitimate interest can and cannot do for email marketing, what the DUAA actually changed, and what you still have to do to rely on it.
The two-layer problem most businesses miss
There is a structural confusion at the heart of this topic. Sending a marketing email in the UK engages two separate laws, and legitimate interest only answers one of the two questions they ask:
- UK GDPR asks: do you have a lawful basis to process this person's personal data? Legitimate interest (Article 6(1)(f)) is one of six possible bases.
- PECR asks: are you allowed to send this person this electronic marketing message? For marketing emails to individuals, PECR gives you only two options — consent, or the soft opt-in exemption.
Here is the part that trips people up: legitimate interest is a GDPR lawful basis, not a PECR one. You can have a perfectly valid legitimate interest for processing someone's email address and still be prohibited from emailing them under PECR because you have neither their consent nor a valid soft opt-in. The two laws stack; satisfying one does not satisfy the other. Our PECR vs GDPR breakdown walks through this in more detail.
So legitimate interest is relevant to your GDPR position — but it never, on its own, makes a marketing email lawful to send.
What legitimate interest means under UK GDPR
Legitimate interest is set out in Article 6(1)(f) of the UK GDPR. It lets you process personal data where the processing is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party," except where those interests are overridden by the individual's interests, rights, and freedoms.
The ICO breaks it into a three-part test, and you must pass all three parts:
- Purpose test — is there a genuine, specific legitimate interest? "We want to grow revenue" is too vague; "we want to tell existing customers about a product directly related to one they bought" is specific.
- Necessity test — is processing the personal data necessary to achieve that interest, or could you reasonably achieve the same result in a less intrusive way?
- Balancing test — do the individual's interests, rights, and freedoms override your interest? You weigh their reasonable expectations and the potential impact on them.
You record this analysis in a Legitimate Interests Assessment (LIA), and the ICO is clear that you should complete it before you start the processing — because the LIA is how you decide whether the basis applies in the first place.
What the DUAA 2025 actually changed
This is where the reporting has been sloppy. You may have read that the DUAA "made direct marketing a recognised legitimate interest" or "removed the balancing test for marketing." Neither is accurate.
Section 70 of the DUAA amends Article 6 of the UK GDPR to add direct marketing as an example of processing that may be necessary for the purposes of a legitimate interest. The operative wording inserted into Article 6 states that "examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include … processing that is necessary for the purposes of direct marketing."
Read that carefully. Two things follow:
- It is an example under Article 6(1)(f), not a "recognised legitimate interest" under the new Article 6(1)(ea). The DUAA created a separate, narrow category of "recognised legitimate interests" (in a new Annex) for which the balancing test is not required — things like safeguarding and emergency response. Direct marketing is deliberately not in that no-balancing-test category.
- The three-part test still applies in full. Because direct marketing sits under Article 6(1)(f), you still have to pass the purpose, necessity, and balancing tests, and you still need an LIA. The DUAA confirms direct marketing can be a legitimate interest; it does not make it automatically lawful.
So the practical change is modest. The statutory recognition strengthens your position and reduces ambiguity — it is now written into the legislation that marketing is capable of being a legitimate interest, which was already the ICO's settled view. But it does not hand you a free pass. The ICO's guidance is explicit that direct marketing can be a legitimate interest "as long as you carry out the marketing in compliance with electronic marketing rules" — which brings us straight back to PECR.
The PECR catch that legitimate interest never escapes
This is the single most important point in this article, so it gets its own section.
Legitimate interest under GDPR does not give you a basis to send marketing emails under PECR. For unsolicited marketing emails to individual subscribers, PECR Regulation 22 requires either consent or a valid soft opt-in. Legitimate interest is not a third option. The ICO has stated this directly and the DUAA did not change it.
What this means in practice for each kind of recipient:
- If you are emailing individual subscribers (consumers, sole traders, some partnerships), you need PECR consent or soft opt-in — full stop. Your GDPR legitimate interest is necessary but not sufficient.
- Where legitimate interest does genuinely carry weight for email is B2B marketing to corporate subscribers (limited companies, LLPs), where PECR's consent requirement does not apply to the company. There, legitimate interest is typically the GDPR basis for processing the named individual's business email address. See our PECR B2B email marketing guide for where that line sits.
- It also matters for postal direct marketing, which PECR does not regulate at all — there, GDPR legitimate interest can be your standalone basis.
For the full picture of how the two regimes diverge on lawful basis, see GDPR vs PECR for direct marketing.
How to rely on legitimate interest properly
If legitimate interest is genuinely your GDPR basis for a marketing activity — most defensibly B2B email or postal mail — here is what to document:
- Write the LIA before you start. Work through the purpose, necessity, and balancing tests in writing. The DUAA naming direct marketing as an example helps you with the purpose test, but you still have to do the necessity and balancing analysis yourself.
- Be specific about the interest. "Marketing our similar products to existing business customers" is defensible. "Sending offers to a purchased list of strangers" will fail the balancing test every time.
- Check reasonable expectations. The balancing test turns heavily on whether the recipient would expect to hear from you. A business contact you have an existing relationship with is very different from a cold-acquired record.
- Confirm the PECR position separately. Before any email goes out, confirm you have the right PECR basis — consent or soft opt-in for individuals, or the corporate subscriber exemption for companies. The LIA does not answer this question.
- Honour objections. Individuals have an absolute right to object to direct marketing under Article 21(2) of the UK GDPR. Once someone objects, you must stop — there is no balancing test to apply at that point.
The bottom line
The DUAA 2025 wrote direct marketing into the UK GDPR as an example of a legitimate interest. That is a genuine, if modest, strengthening of the legal footing for marketing — but it changed none of the hard requirements:
- The three-part test and the LIA still apply.
- Direct marketing is not a no-balancing-test "recognised legitimate interest."
- And for marketing emails to individuals, PECR consent or soft opt-in is still mandatory regardless of your GDPR basis.
If your compliance story is "we rely on legitimate interest, so we are covered," you are answering only half the question. The half that generates ICO fines — can you show valid PECR consent for each individual you emailed? — is still wide open. Our PECR compliance checklist covers the evidence the ICO actually asks for, and the PECR compliance checker gives you a quick read on where your gaps are.
This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional. Legislative references verified against legislation.gov.uk and ICO guidance as at June 2026.