Can I use «legitimate interest» to justify marketing emails and cold messages?

No, you may not. You may only do it if you have a prior sales relationship with the person. This is not regulated in the GDPR, but in Directive 2002/58/EC.

Claudio Codovici
September 2, 2023

No. No, you can’t.

You can only send unsolicited communications if you have a prior sales relationship with the person.

It’s true that the regulation on this matter is not as straightforward as other GDPR matters, but a proper reading of European law clarifies that you cannot email a person without their consent.

Also, it is worth noting that the UK GDPR may differ from the EU GDPR in this matter.

This is not regulated in the GDPR, but in Directive 2002/58/EC

Instead of the General Data Protection Regulation, we must look at Directive 2002/58/EC on Privacy and Electronic Communications (also known as the ePrivacy Directive).

This is because Article 95 of the GDPR, which is called “Relationship with Directive 2002/58/EC”, explains precisely that Directive 2002/58/EC should prevail regarding these matters.

Here’s what the Directive 2002/58/EC on privacy and electronic communications says in its Article 13:

Article 13: Unsolicited communications

  1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax), or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

As you can see, the Directive clearly says that you cannot email people without their consent.

The exception: existing customer relationships

However, there is a second paragraph, which refers to the specific situation where a person is already a customer:

  2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

This means you can actually send marketing emails to a person who is already your customer, as long as:

  1. The contact details were obtained in the context of a sale of a product or service
  2. The marketing is for similar products or services
  3. The customer was given a clear opportunity to opt-out when details were collected
  4. Every subsequent email includes an easy way to unsubscribe

National legislation may vary

The 3rd paragraph of Article 13 goes on to say that each European country may write its own measures:

  3. Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

Local example: Spain’s Ley Orgánica 3/2018

To offer a concrete example, let’s check what one European country, Spain, has to say in this regard. This is regulated in Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.

Article 19. Processing of contact information of individual entrepreneurs and liberal professionals

  1. In the absence of evidence to the contrary, the processing of contact data and, where appropriate, data relating to the function or position held of natural persons providing services in a legal person shall be presumed to be covered by the provisions of Article 6.1.f of Regulation (EU) 2016/679 provided that the following requirements are met:

(a) that the processing relates only to data necessary for their professional location.

In summary, the Spanish regulation says that no, you cannot reach out to someone via electronic means if you don’t have a legitimate basis. You can only send physical mail to the company address.

Interestingly, in Spain, you are allowed to send unsolicited marketing by post to a company’s physical address but not by email.

No, “legitimate interest” does not mean that your product may be interesting

This is tightly related to the issue of Article 6 of the GDPR: the legal basis for processing. To fully understand this issue, it is essential that you understand what Article 6 is saying.

In summary, Article 6 of the GDPR says that you need someone’s prior consent in order to process their data. There are five other possible justifications, but none of them will offer you a way to justify sending unsolicited communications.

One of the justifications is “legitimate interest”, but as you can see in Directive 2002/58/EC, “legitimate interest” does not suffice as an excuse to send marketing emails and cold emails to your prospects – and remember that Directive 2002/58/EC prevails over the GDPR in this matter (per Article 95 GDPR).

Furthermore, “legitimate interest” is only applicable to cases such as preventing harm from falling upon someone, like preventing fraud or ensuring security systems. The European Commission clarifies this on its page “What does ‘grounds of legitimate interest’ mean?”.

However, it should be obvious that “legitimate interest” is a very specific situation; otherwise, it would mean that anyone could contact anyone about anything, rendering the whole GDPR obsolete.

What are the consequences of non-compliance?

Sending unsolicited marketing emails without proper legal basis can result in:

  • GDPR fines: Up to €20 million or 4% of annual global turnover
  • ePrivacy violations: Additional fines under national implementations of the ePrivacy Directive
  • Reputation damage: Spam complaints can harm your sender reputation
  • Deliverability issues: Recipients may report your emails as spam, affecting future campaigns

How to comply with GDPR and ePrivacy for email marketing

To ensure compliance, follow these best practices:

  1. Obtain explicit consent: Use clear, affirmative action (e.g., checkboxes) to collect consent
  2. Provide transparency: Explain what you’ll send and how often
  3. Make unsubscribing easy: Include a clear unsubscribe link in every email
  4. Keep records: Document when and how consent was obtained
  5. Honor opt-outs immediately: Process unsubscribe requests promptly
  6. Use double opt-in: Confirm email addresses before adding to your list

Document your compliance properly

GDPR.Direct can help you create compliant privacy policies and consent forms that clearly explain how you collect and use personal data for marketing purposes.

Conclusion

While legitimate interest is a valid legal basis under GDPR for certain types of data processing, it cannot be used as justification for sending cold marketing emails. The ePrivacy Directive requires explicit consent for electronic direct marketing, with limited exceptions for existing customer relationships.

Always prioritize compliance and respect for individuals’ privacy preferences. Not only is it legally required, but it also builds trust with your audience.
