
Can I use «legitimate interest» to justify marketing emails and cold messages?

No, you may not. You may only do it if you have a prior sales relationship with the person. This is not regulated in the GDPR, but in Directive 2002/58/EC.

GDPR.Direct Team
September 1, 2023

Short answer: No, you may not. You may only do it if you have a prior sales relationship with the person.

This is not regulated in the GDPR, but in Directive 2002/58/EC (also known as the ePrivacy Directive).

What is “legitimate interest” under GDPR?

Under the GDPR, legitimate interest is one of the six lawful bases for processing personal data. It means that an organization can process personal data if it has a legitimate reason to do so, and if this reason is not overridden by the rights and freedoms of the data subject.

Legitimate interest can be used for a variety of purposes, such as:

  • Fraud prevention: Processing data to detect and prevent fraud
  • Network security: Ensuring the security of IT systems
  • Direct marketing: Marketing products or services to existing customers
  • Research and development: Improving products or services

However, organizations must conduct a legitimate interest assessment (LIA) to determine whether their legitimate interest is balanced against the rights of individuals.

Why can’t I use legitimate interest for cold marketing emails?

While legitimate interest is a valid legal basis under GDPR for processing personal data, the ePrivacy Directive (Directive 2002/58/EC) provides additional rules for electronic communications, including email marketing.

According to the ePrivacy Directive:

The use of electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

This means that for cold emails (emails sent to people who have not previously interacted with your business), you must obtain explicit consent before sending marketing messages. Legitimate interest is not sufficient.

The exception: existing customer relationships

There is one important exception to this rule:

If the contact details were obtained in the context of the sale of a product or service, you may use those contact details for similar products or services without additional consent, provided:

  1. The person was given a clear opportunity to opt out when the contact details were collected
  2. The person is given an easy way to unsubscribe in every subsequent email
  3. The marketing is for similar products or services

What about B2B marketing emails?

The rules for B2B (business-to-business) email marketing vary by EU member state. Some countries allow more flexibility for B2B emails, but many still require consent or legitimate interest assessments.

Best practice: Always obtain consent before sending marketing emails, even in B2B contexts.

What are the consequences of non-compliance?

Sending unsolicited marketing emails without proper legal basis can result in:

  • GDPR fines: Up to €20 million or 4% of annual global turnover
  • ePrivacy violations: Additional fines under national implementations of the ePrivacy Directive
  • Reputation damage: Spam complaints can harm your sender reputation
  • Unsubscribes and blocks: Recipients may report your emails as spam

How to comply with GDPR and ePrivacy for email marketing

To ensure compliance, follow these best practices:

  1. Obtain explicit consent: Use clear, affirmative action (e.g., checkboxes) to collect consent
  2. Provide transparency: Explain what you’ll send and how often
  3. Make unsubscribing easy: Include a clear unsubscribe link in every email
  4. Keep records: Document when and how consent was obtained
  5. Honor opt-outs immediately: Process unsubscribe requests promptly
  6. Use double opt-in: Confirm email addresses before adding to your list

GDPR.Direct can help you create compliant privacy policies and consent forms that clearly explain how you collect and use personal data for marketing purposes.

Conclusion

While legitimate interest is a valid legal basis under GDPR for certain types of data processing, it cannot be used as justification for sending cold marketing emails. The ePrivacy Directive requires explicit consent for electronic direct marketing, with limited exceptions for existing customer relationships.

Always prioritize compliance and respect for individuals’ privacy preferences. Not only is it legally required, but it also builds trust with your audience.
