
Legitimate Interest vs Consent: When Each Actually Holds Up

“Can’t we just use legitimate interest?” is the question I hear most often from product teams who want to avoid a cookie banner. The honest answer is: sometimes, but almost never for the thing you actually want to do. Legitimate interest is a real GDPR basis, but two common misunderstandings make it look like a loophole, and it is not one.

This post explains when legitimate interest holds up, when it doesn’t, and why the ePrivacy Directive often makes the question moot before you even reach GDPR Article 6. I’ll cover the three-part legitimate interest assessment, a decision tree you can apply today, and a matrix of common processing activities with the basis that actually works under current EDPB, CNIL, and BfDI enforcement.

The Two Frameworks You Have to Satisfy

Most teams conflate the two. There are two separate laws stacked on top of each other:

  • GDPR Article 6 — covers processing of personal data. Lists six lawful bases, including consent and legitimate interest. Applies to everything.
  • ePrivacy Directive — covers storing or reading anything on a user’s device. Requires consent unless the storage is strictly necessary for a service the user asked for. Applies before GDPR.

The ePrivacy Directive is what makes “we can use legitimate interest for our cookies” wrong. You can’t even get to the GDPR question for cookie-based analytics — ePrivacy requires consent first, full stop. Legitimate interest only becomes an option when no device storage is involved.

The Decision Tree

[Figure: decision tree for choosing between consent and legitimate interest under GDPR and ePrivacy]

The first question is always the ePrivacy question: does this involve storing or reading something on the user’s device? If yes, you’re in ePrivacy territory — consent unless strictly necessary. Only if the answer is no do you get to pick between GDPR bases.

When Legitimate Interest Actually Works

Legitimate interest is a valid GDPR Article 6(1)(f) basis when all three tests below pass. It’s not a shortcut around consent — it’s a genuinely different basis with different requirements, trade-offs, and user rights.

[Figure: three-part legitimate interest assessment covering the purpose, necessity, and balancing tests]

The Purpose Test

There must be a real business interest. “Marketing” is not specific enough. “Detecting account takeover attempts” is. The EDPB has rejected vague purpose formulations repeatedly in enforcement decisions since 2019. Write down what the processing actually accomplishes, concretely.

The Necessity Test

The processing must be necessary, not merely useful. If you can achieve the same purpose with less data, you must. For analytics, this usually means aggregated or sampled data rather than individual-user tracking, and 30-day retention rather than 2 years. If you can’t justify why you need more, you can’t use legitimate interest for that extra data.

The Balancing Test

The hardest one. Your interest must not override the user’s fundamental rights. Factors include: would a reasonable user expect this processing, is it intrusive, can they easily object, are children involved. The balancing test is where most legitimate interest arguments fail under scrutiny — usually because teams underweight the “user expectation” side.

Document Everything

You must write down the three-part assessment before starting processing. This is called a Legitimate Interest Assessment (LIA). GDPR Article 5(2) requires you to demonstrate compliance — no LIA means no proof. Regulators treat absence of a documented LIA as evidence the basis was chosen without analysis.

Common Processing and Which Basis Actually Works

[Figure: matrix of common processing activities showing which GDPR basis applies and whether a consent layer is required]

Analytics cookies

Consent required — ePrivacy Directive blocks any other basis. Legitimate interest is not available for storing analytics cookies on the device. This is the single biggest misconception I encounter.

Server-side aggregate analytics

Legitimate interest works. No device storage, aggregated data, no individual profiling — the three LIA tests pass easily. This is the foundation of “cookieless analytics” when implemented correctly. See cookieless tracking in Europe for the technical side.

Fraud prevention and security

Legitimate interest is strong here. Processing necessary to detect fraud is specifically recognized as a legitimate interest in GDPR Recital 47. The balancing test passes for most reasonable security logging.

Product improvement telemetry (logged-in users)

Legitimate interest works for authenticated users where the processing is reasonably expected. Users must be able to object, and objection must be honored — this is the GDPR Article 21 right. Many teams forget to implement this right, which invalidates the basis.

Marketing emails to existing customers

Legitimate interest with a soft opt-in works under ePrivacy Article 13(2) — you can email existing customers about similar products, but they must be able to object at the point of data collection and in every subsequent email.

Cross-site advertising

Consent only. The EDPB and national DPAs have consistently rejected legitimate interest for behavioral advertising. The balancing test fails because users do not reasonably expect tracking across sites they never asked to be linked.

Special category data

GDPR Article 9 requires explicit consent (not the regular GDPR consent — a stricter version) for health, biometric, sexual orientation, religious, political, and genetic data. Legitimate interest is not available.
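As an added example that is not part of the original post, here is the decision tree and the matrix above encoded as one Python function, so the order of the checks (ePrivacy gate first, then the categories where legitimate interest is never available, then the three LIA tests plus the Article 21 objection mechanism) is explicit and testable. The `Activity` fields, the wording of the reasons and the choice to let a strictly-necessary cookie fall through to the Article 6 checks rather than stop the tree are my own assumptions, not anything the post specifies.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Activity:
    """Facts about a proposed processing activity (hypothetical schema, not from the post)."""
    name: str
    device_storage: bool                 # stores or reads anything on the user's device
    strictly_necessary: bool = False     # storage needed for a service the user asked for
    special_category: bool = False       # GDPR Article 9 data (health, biometric, ...)
    cross_site_advertising: bool = False
    involves_children: bool = False
    # Inputs to the three-part Legitimate Interest Assessment (LIA)
    specific_purpose: bool = False       # purpose test: concrete, not just "marketing"
    minimal_data: bool = False           # necessity test: no less-intrusive way exists
    user_would_expect: bool = False      # balancing test: reasonable-user expectation
    objection_implemented: bool = False  # Article 21 right to object is operational


def choose_lawful_basis(a: Activity) -> Tuple[str, List[str]]:
    """Return (basis, reasons) by walking the decision tree in the post's order."""
    reasons: List[str] = []

    # Step 1: the ePrivacy gate is evaluated before any GDPR Article 6 basis.
    if a.device_storage:
        if not a.strictly_necessary:
            return "consent", ["ePrivacy: device storage that is not strictly necessary requires consent"]
        # Assumption: a strictly necessary cookie avoids the ePrivacy consent
        # requirement but the personal data still needs an Article 6 basis.
        reasons.append("ePrivacy: storage is strictly necessary; no consent needed for it")

    # Step 2: categories where legitimate interest is never available.
    if a.special_category:
        return "explicit consent (GDPR Article 9)", reasons + [
            "special category data: legitimate interest unavailable"]
    if a.cross_site_advertising:
        return "consent", reasons + [
            "cross-site advertising fails the balancing test: users do not expect it"]

    # Step 3: the three LIA tests plus the objection mechanism the basis depends on.
    failures: List[str] = []
    if not a.specific_purpose:
        failures.append("purpose test: interest not stated concretely")
    if not a.minimal_data:
        failures.append("necessity test: purpose achievable with less data")
    if not a.user_would_expect:
        failures.append("balancing test: a reasonable user would not expect this")
    if a.involves_children:
        failures.append("balancing test: children involved")
    if not a.objection_implemented:
        failures.append("Article 21: right to object not operational, basis invalid")
    if failures:
        return "consent", reasons + failures
    return "legitimate interest (GDPR Article 6(1)(f))", reasons + [
        "all three LIA tests pass; document the LIA before processing starts"]


if __name__ == "__main__":
    for act in (
        Activity("analytics cookies", device_storage=True, specific_purpose=True,
                 minimal_data=True, user_would_expect=True, objection_implemented=True),
        Activity("server-side aggregate analytics", device_storage=False, specific_purpose=True,
                 minimal_data=True, user_would_expect=True, objection_implemented=True),
    ):
        basis, why = choose_lawful_basis(act)
        print(f"{act.name}: {basis} ({'; '.join(why)})")
```

The useful property of writing it this way is that the reasons list doubles as the skeleton of the LIA document: every failure string names the test that failed, and the analytics-cookie case never reaches the LIA at all, which is the point the post makes about ePrivacy.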

Legitimate Interest for Product Analytics — A Practical Pattern

Here’s the setup that actually works under legitimate interest for product analytics:

  • Authenticated users only. Processing anonymous visitors under legitimate interest is harder to justify because expectations differ.
  • No device storage. Use server-side event collection keyed by your internal user_id, not cookies.
  • Aggregate first. Compute metrics in aggregate, retain individual events only as long as needed for cohort analysis (30-90 days typical).
  • Clear privacy notice. Tell users what you collect and why at the point of signup. Link to your LIA.
  • Working objection flow. A “don’t track my usage” toggle in user settings, and the technical pipeline to honor it within 30 days.
  • No cross-domain or third-party enrichment. Keeps the processing clearly within user expectations.

This setup covers product analytics for a B2B SaaS or authenticated consumer product without needing consent. It does not cover marketing analytics, attribution, or any cross-site tracking — those require consent regardless.
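The pattern above, as an added example that is not part of the original post: a minimal in-memory stand-in for the server-side event pipeline, keyed by the internal user_id with no client storage, with the objection toggle, the retention purge and the aggregate-first metrics wired together so each part of the pattern has a concrete check. The class and method names, the 90-day retention default, the 30-day objection deadline used by the audit function and the scenario in `demo()` are my own constructed choices.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical parameters taken from the post's ranges (30-90 days of individual
# events; objection honoured within 30 days), not from any real system.
RETENTION_DAYS = 90
OBJECTION_DEADLINE_DAYS = 30


@dataclass
class Event:
    """One server-side product event, keyed by the internal user_id (no cookie)."""
    user_id: str
    name: str
    at: datetime


class ProductAnalytics:
    """In-memory stand-in for a server-side event pipeline (constructed example)."""

    def __init__(self, retention_days: int = RETENTION_DAYS) -> None:
        self.retention = timedelta(days=retention_days)
        self._events: List[Event] = []            # individual events, short-lived
        self._objected: Dict[str, datetime] = {}  # user_id -> when they objected
        self._daily: Counter = Counter()          # (day, event name) -> count; no user_id

    def record(self, user_id: str, name: str, at: datetime) -> bool:
        """Store an event unless the user has exercised the Article 21 right to object."""
        if user_id in self._objected:
            return False
        self._events.append(Event(user_id, name, at))
        self._daily[(at.date(), name)] += 1  # aggregate computed at ingest time
        return True

    def object(self, user_id: str, at: datetime) -> int:
        """Honour the "don't track my usage" toggle: stop ingestion and drop held events.
        Returns the number of individual events removed. Aggregate counts are kept
        because they no longer identify anyone."""
        self._objected[user_id] = at
        before = len(self._events)
        self._events = [e for e in self._events if e.user_id != user_id]
        return before - len(self._events)

    def purge_expired(self, now: datetime) -> int:
        """Necessity test in practice: individual events past the retention window go."""
        cutoff = now - self.retention
        before = len(self._events)
        self._events = [e for e in self._events if e.at >= cutoff]
        return before - len(self._events)

    def daily_active_users(self, day: date) -> int:
        """Cohort-style metric that still needs individual events (distinct users on a day)."""
        return len({e.user_id for e in self._events if e.at.date() == day})

    def event_counts(self, day: date) -> Dict[str, int]:
        """Aggregate metric computed without any user identifier."""
        return {name: n for (d, name), n in self._daily.items() if d == day}

    def audit_objections(self, now: datetime) -> List[str]:
        """Compliance check: users who objected more than OBJECTION_DEADLINE_DAYS ago
        but still have individual events on file. Should always be empty."""
        deadline = timedelta(days=OBJECTION_DEADLINE_DAYS)
        return [
            uid for uid, when in self._objected.items()
            if now - when > deadline and any(e.user_id == uid for e in self._events)
        ]


def demo() -> Dict[str, object]:
    """Walk a constructed scenario through the pipeline and return the observable results."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    a = ProductAnalytics()
    out: Dict[str, object] = {}
    out["ingested"] = [a.record("u1", "login", t0), a.record("u2", "login", t0),
                       a.record("u1", "export", t0 + timedelta(days=1))]
    out["dau_before"] = a.daily_active_users(t0.date())
    out["removed_on_objection"] = a.object("u1", t0 + timedelta(days=2))
    out["ingest_after_objection"] = a.record("u1", "login", t0 + timedelta(days=3))
    out["dau_after"] = a.daily_active_users(t0.date())
    out["counts"] = a.event_counts(t0.date())
    out["overdue"] = a.audit_objections(t0 + timedelta(days=40))
    out["purged"] = a.purge_expired(t0 + timedelta(days=100))
    out["dau_after_purge"] = a.daily_active_users(t0.date())
    out["counts_after_purge"] = a.event_counts(t0.date())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the legal argument: the aggregate counters are updated at ingest and never hold a user_id, so they survive both objection and the retention purge, while anything that can be traced back to a person (the events behind the daily-active-users figure) is what the objection toggle and the purge delete. A real pipeline would back the objection flag with the user-settings store and run `audit_objections` as a scheduled job.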

What Changes After NOYB’s 2024 Rulings

The 2023-2024 wave of EDPB decisions and NOYB complaints has tightened what legitimate interest allows. Three changes worth knowing:

  • “Direct marketing” recital narrowed. GDPR Recital 47 lists direct marketing as a potential legitimate interest, but post-2024 decisions confirm this does not extend to tracking technologies or cross-site profiles.
  • Right to object must be easy. Buried opt-out links have been treated as equivalent to no opt-out. The objection mechanism must be as accessible as the processing it disables.
  • LIA must be current. A 2021 LIA doesn’t necessarily justify 2026 processing if enforcement guidance has changed. Review annually.

When to Just Use Consent

Consent is easier to defend than legitimate interest in a supervisory authority investigation. If any of the following is true, pick consent:

  • Processing involves device storage
  • Users would be surprised by the processing if asked
  • You can’t articulate the business interest in one sentence
  • Children may be involved
  • You’re not confident you can operationalize the right to object
  • The processing involves special category data

Consent has its own risks — it must be freely given, specific, informed, and unambiguous — but the failure modes are better understood and more forgivable than a failed LIA.

FAQ

Can I use legitimate interest for Google Analytics?

No. GA4 and similar tools use cookies or similar local storage, which triggers the ePrivacy Directive regardless of the GDPR basis. Consent is required. The only way to use analytics without consent is server-side collection without device storage — and even then, only aggregate analytics clearly pass the legitimate interest test.

What is the difference between consent and legitimate interest?

Consent is the user actively saying yes; legitimate interest is you making a documented case that processing is reasonable without asking. Consent gives users control and places the burden of proof on them to revoke it. Legitimate interest gives you control but places a higher documentation and objection-handling burden on your side, and applies only when the data is not governed by ePrivacy.

Do I need a lawyer to do a legitimate interest assessment?

Not for a template LIA covering standard activities like fraud detection or basic product telemetry — the ICO and CNIL publish free LIA templates. For anything involving special category data, cross-border transfers, or novel processing, yes — legal input prevents costly mistakes. The LIA is ultimately your accountability document, so ownership has to sit inside the organization.

Can I switch from consent to legitimate interest later?

No. Once you’ve asked for and obtained consent for a processing activity, you cannot retroactively decide it was actually legitimate interest. Users would reasonably expect the consent route to continue. The EDPB has been clear on this since 2019. Pick the correct basis before processing begins.

If legitimate interest is so restricted, why do companies use it?

For genuinely appropriate uses: fraud prevention, security monitoring, internal product improvement on authenticated users, existing-customer marketing under the soft opt-in. These are real and defensible. The problem is when teams try to stretch it to cover activities that should be consent-based — analytics cookies, third-party tracking, behavioral advertising — where enforcement keeps pushing back.

The Short Version

If it touches the device, consent is required — end of question. If it doesn’t touch the device and you can document the purpose, necessity, and balancing tests, legitimate interest works. Anything in between, pick consent. The regulatory direction since 2023 has been consistently toward requiring consent for more, not less, of what analytics teams do. Building for consent today is building for the path of least resistance tomorrow.
