When is direct marketing a legitimate interest?
“We don’t need consent, we can use legitimate interests!” You may have heard these words from your marketing team or agency – excitedly saying direct marketing is a legitimate interest, and consent is not needed.
They aren’t wrong, but only up to a point and you might not have the whole picture. Alarm bells should ring if the marketing you’re planning is by email, SMS or telemarketing and they fail to reference the direct marketing rules under the Privacy & Electronic Communications Regulations (PECR) or the ICO’s direct marketing guidance.
UK GDPR plays its part, but perhaps more crucially organisations need to make sure their electronic direct marketing activities comply with PECR. This sits alongside UK GDPR, has been around an awful lot longer (since 2003) – yet still I get blank faces when I mention it.
So here’s a reminder of how to make sure direct marketing campaigns comply with both UK GDPR and PECR. And a quick heads up – sometimes legitimate interests just isn’t an option.
What UK GDPR says about legitimate interests and direct marketing
Examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include: (a) processing that is necessary for the purposes of direct marketing.
The significant word in the law is ‘may’ – this means direct marketing is not automatically okay under the lawful basis of legitimate interests.
Which brings us neatly onto…
What the ICO says about legitimate interests and direct marketing
Legitimate interests can apply for direct marketing but only where the Privacy and Electronic Communication Regulations (PECR) don’t require consent.
It couldn’t be clearer.
What PECR says about consent
PECR specifically sets out the circumstances in which we must collect and rely on consent for email, SMS and telemarketing. Here I’m going to focus on email and SMS (as the rules are the same), but if you’re conducting telemarketing see the UK telemarketing rules.
The law states we must collect prior consent before sending email or SMS marketing to individual subscribers. This means people who personally subscribe to their email service provider such as when you collect people’s Gmail, Hotmail, Yahoo or BT internet email addresses. The definition of individual subscribers also extends to sole traders and some partnerships. In marketing terms this is often referred to as Business-to-Consumer (B2C).
PECR exemptions to consent
Since PECR was enacted back in 2003 there’s been an exemption available for commercial purposes commonly known as the ‘soft opt-in’. This means organisations don’t require prior consent for future email/SMS marketing messages IF they can meet ALL of the following criteria:
✓ The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
✓ An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication
✓ You only send marketing about your own similar products and services.
More recently, from February 2026, PECR has been amended to include the charitable purpose soft opt-in. This can be used IF you can meet ALL of the following criteria:
✓ You’re a charity – as defined under the law in England, Scotland or Northern Ireland.
✓ The sole purpose of your direct marketing is to further one or more of your charitable purposes.
✓ You obtained the contact details directly from the recipient.
✓ You obtained the details in the course of the recipient: expressing an interest in one or more of your charitable purposes or offering/providing support to further one or more of your charitable purposes.
✓ An opportunity to refuse or opt out is given at the point of collection and in every subsequent communication.
If you can meet the criteria for either of the above exemptions to consent (i.e. the commercial soft opt-in or the charitable purposes soft opt-in) it’s likely you can look to rely on the lawful basis of legitimate interests under UK GDPR. It’s your choice, you can choose to rely on prior consent or legitimate interests. But remember for both these lawful bases you need to meet requirements under UK GDPR, which I’ll come to in just a moment.
It’s worth noting the PECR rules on consent and the soft opt-in don’t apply to corporate subscribers – in other words people’s work email addresses (as long as they are not sole traders). The ICO has published the following useful table setting out when legitimate interest may be an appropriate lawful basis for different direct marketing methods:
Please also see the ICO guidance on direct marketing: choosing your lawful basis.
I’m afraid you can’t relax just yet, there’s a little more to factor in…
We still need to meet the requirements for the specific lawful basis we choose. If relying on consent, this needs to meet the UK GDPR standard of consent. See UK GDPR and consent.
The three part test for legitimate interests
If relying on legitimate interests, the UK GDPR requires us to apply a three-part test. As the ICO sets out:
1. Purpose test: Do you have a legitimate interest for using the personal information?
In terms of the purpose test, some forms of direct marketing may not be legitimate if they don’t comply with:
• other legal or ethical standards; or
• industry codes of practice.
2. Necessity test: Is your use of personal information necessary for that purpose?
3. Balancing test: Do the person’s interests, rights or freedoms override the legitimate interest you’ve identified?
The ICO would advise conducting a Legitimate Interests Assessment (LIA). This doesn’t need to be overly detailed, especially if you’re clearly meeting the criteria to rely on the commercial or charitable purpose soft opt-in, but it’s a very useful exercise to make sure you’re covering what needs to be in place. It will also give you evidence should the ICO ever come calling. For more detail see the ICO guidance ‘Can we use legitimate interests for our direct marketing activities?’.
To conclude – yes direct marketing may be a legitimate interest, but it isn’t as simple as just providing an opt-out. To save any unwelcome complaints further down the line, electronic direct marketing activities need to comply with PECR alongside the requirements for either consent or legitimate interests under UK GDPR.
Talking about complaints, are you prepared for the new data protection complaints requirements which take effect from 19 June? We’ll be chatting through the requirements at our online event on 28 April. Book your place.