GDPR Legitimate Interests: The Most Misused Lawful Basis
Legitimate interests is the lawful basis that businesses invoke when they want to process data without asking. Most of the time, they're doing it wrong. Regulators know this — and enforcement is catching up.
What Legitimate Interests Actually Is
Article 6(1)(f) allows processing if it's "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
That last clause is doing a lot of work. Legitimate interests isn't just "we have a reason" — it requires that your interest outweighs the individual's rights. This requires an actual balancing exercise, not a line in your privacy policy saying "we rely on legitimate interests for analytics."
The Three-Part Legitimate Interests Assessment (LIA)
The ICO's guidance (which most European DPAs echo) describes a three-part test you must be able to demonstrate:
1. Purpose test: Is there a legitimate interest? Your interest must be real, genuine, and not trivial. "We want better ad targeting" doesn't pass. "Preventing fraud on our payment platform" does.
2. Necessity test: Is the processing necessary for that purpose? Could you achieve the same goal with less data or a less privacy-invasive method? If you could use anonymised data instead, the necessity test fails for personal data.
3. Balancing test: Do your interests override the individual's rights? Consider how sensitive the data is, whether the person would expect this processing, what harm could result, and the power imbalance between you and the user.
You need to document this assessment. Not necessarily in public, but internally — if a DPA asks, you need to show you thought it through.
Where It Genuinely Applies
Legitimate interests is a valid basis in some common scenarios:
- Fraud prevention and security. Logging IP addresses and detecting anomalous login patterns. Users generally expect this, and the alternative (no fraud detection) is worse for them.
- B2B direct marketing. Emailing a business contact about a product relevant to their role, with a clear opt-out. Must be proportionate and not involve sensitive data.
- Internal analytics. Aggregated, non-intrusive analysis of how your product is used — page views, feature usage — where the data doesn't leave your infrastructure and isn't used to profile individuals.
- Network and IT security. Monitoring for intrusions, maintaining logs for incident response.
Where It Doesn't Apply — And People Claim It Does
The abuse pattern is using legitimate interests as a substitute for consent when you expect users would refuse if asked. The balancing test is designed to prevent exactly this.
- Behavioural advertising. The EDPB has been explicit: targeted advertising based on profiling doesn't pass the balancing test. IAB's claim that behavioural advertising constitutes a legitimate interest was rejected by the Belgian DPA in 2022.
- Social media tracking pixels on third-party sites. Meta argued legitimate interests for the Facebook pixel on external sites. The CJEU rejected this in the Fanpage.it ruling.
- Analytics cookies. Cookies require consent under the ePrivacy Directive regardless of your GDPR lawful basis. Legitimate interests cannot substitute for cookie consent.
The cookie exception is absolute
This catches people out: even if you have a valid legitimate interest under GDPR for the underlying data processing, cookies (and similar tracking technologies) are separately regulated by the ePrivacy Directive. The ePrivacy Directive requires consent for non-essential cookies. There's no legitimate interests carve-out in ePrivacy. You must ask.
The Opt-Out Right
When you rely on legitimate interests, individuals have a right to object (Article 21). For direct marketing the objection is absolute; for other processing you must honour it unless you can demonstrate "compelling legitimate grounds" that override their interests. In practice, this means you need a functioning opt-out mechanism for every processing activity based on legitimate interests.
Your privacy policy must name which activities use legitimate interests and explain the right to object. Many privacy policies list "legitimate interests" as a lawful basis without explaining for what, or providing any objection mechanism — that's non-compliant.