---

title: 'Legitimate Interest for AI Marketing: Practical LIA' meta_desc: 'Practical guide to using legitimate interest for AI marketing: three-part test, copy-ready LIA template, field-level controls, sample case study, and recordkeeping tips for safer deployments.' tags: ['GDPR', 'legitimate interest', 'AI', 'marketing', 'privacy', 'compliance'] date: '2025-11-06' draft: false canonical: 'https://protext.app/blog/legitimate-interest-ai-marketing-lia' coverImage: '/images/webp/legitimate-interest-ai-marketing-lia.webp' ogImage: '/images/webp/legitimate-interest-ai-marketing-lia.webp' readingTime: 8 lang: 'en'

Legitimate Interest for AI Marketing: Practical LIA

I remember the first time my team proposed using an off-the-shelf AI tool to optimize our marketing email cadence. It promised better open rates and smarter segmentation with almost no lift. Excited, we almost skipped the legal checks — until someone asked, "On what legal basis are we processing customer data?" That question forced a full stop and led me into the world of legitimate interest under the GDPR.

Over several projects since then, I’ve learned how powerful, practical, and — yes — risky legitimate interest can be for AI-assisted marketing. This piece distills that hands-on experience into a usable playbook: the three-part test in practical terms, a copy-ready LIA template, conservative controls with field-level specifics, a short quantified case study, and concrete recordkeeping tips.

Legitimate interest is an operational posture: define your need clearly, prove necessity, and show you protected the person whose data you used.

Why legitimate interest matters for AI in marketing

"Legitimate interest" is one of the GDPR’s lawful bases. It lets you process personal data when there’s a legitimate business reason and the individual’s rights are not overridden. For marketers using AI to improve targeting, personalization, or campaign optimization, legitimate interest can be more practical than consent for ongoing, expected processing.

Flexible doesn’t mean boundless. The GDPR requires a three-part test — purpose, necessity, balancing — and regulators expect empirical evidence, safeguards, and documented decisions. Treat this as a discipline, not a shortcut.

The three-part test — practical, step-by-step

Purpose test: be precise and lawful

Don’t write "marketing" and move on. Say what business outcome and consumer benefit you’re pursuing.

Example purpose sentence: "Improve click-to-subscription rates by allocating recipients to one of three email sequences using pseudonymized behavioral signals." That level of specificity helps reviewers evaluate necessity and proportionality.

Common legitimate interests in marketing include direct marketing, fraud prevention, and product improvement. Remember ePrivacy rules may still require opt-in for some channels (e.g., SMS).

Necessity test: show there’s no less intrusive option

This is the heavy lift. You must show you couldn’t achieve the same result with less personal data or a less invasive design.

Tactics I use to prove necessity:

• Test anonymized or aggregated inputs first and document the gap.
• Try synthetic data or non-identifiable fine-tuning.
• Record alternatives considered and empirical test results.

Concrete example: an A/B test where anonymized models gave a 4% uplift vs. 14% for pseudonymized-personal-data models. Record the experiment design, sample sizes, and whether the difference is practically meaningful for the business.

Balancing test: center the individual

Balance business benefit against potential harm and reasonable expectations. Assess harm across intrusiveness, accuracy, and consequence.

Practical tools:

• Privacy impact scoring (numeric).
• Personas that include potentially vulnerable groups.
• A harm register logging likelihood, impact, and mitigations.

If harms are likely or severe, prefer consent or remove risky processing.

Short quantified case study (realistic, audit-ready)

Project: personalization for an online retailer.

• Team: product manager, privacy lead, ML engineer, legal (4 people).
• Timeline: 10-week pilot, with phased roll-out over 6 months.
• Data: clickstream, purchase history, email engagement (no special categories).
• Experiments: anonymized training vs. pseudonymized data; rule-based baseline.

Results:

• Rule-based segmentation uplift: +8% conversion.
• Anonymized model uplift: +4% conversion.
• Pseudonymized model uplift: +14% conversion.
• Privacy complaints dropped ~30% after adding a simple opt-out and clearer notices.

Decision: rely on legitimate interest with a documented LIA, quarterly reviews, and conservative safeguards. This demonstrates team size, timeline, trade-offs, and measurable outcomes.

Micro-moment: I paused mid-demo when a reviewer asked whether postcode was necessary — removing it cut re-identification risk and didn’t change the model score. Small changes like that add up fast.

Conducting a Legitimate Interest Assessment (LIA): copy-ready template

Executive summary (one paragraph): interest, AI activity, decision, review cadence.

1. Describe the processing

• Scope: datasets, sources, ingestion frequency.
• Purpose: business outcome and user benefit.
• Outputs: automated decisions or recommendations.

1. Purpose test

• State the legitimate interest and why it’s lawful.

1. Necessity test

• List alternatives, experiments, and why they failed.

1. Balancing test

• Impact assessment, expectations, harm register entries, mitigations.

1. Controls and safeguards

• Technical, operational, and user-facing controls with specifics (examples below).

1. Record of decision

• Approver names, dates, and review cadence (quarterly for active projects).

Sample LIA excerpt (copyable):

"We will use clickstream and purchase history to train a personalization model to increase relevant product recommendations. Legitimate interest: improve customer relationships through relevant offers. Controls: pseudonymization (user_id replaced with salt+hash), feature minimization (remove postcode), encryption of PII fields, opt-out in preference center, quarterly LIA review."

Conservative controls — with field-level specifics

Data minimization

• Remove unnecessary attributes before training (e.g., drop full postcode to outward code only).

Pseudonymization and encryption

• Pseudonymize identifiers using HMAC-SHA256 with a rotating key.
• Encrypt PII at rest with AES-256; limit key access to a small engineer subset.
• Example: encrypt email and phone columns; retain pseudonymized user_id for joins.

Retention windows (auditable)

• Raw input logs: 90 days.
• Feature store snapshots: 365 days.
• Model training datasets: store hashes only; purge raw PII immediately after training.

Model governance and explainability

• Maintain a model card noting training sources, features used, performance, known biases, and last review date.
• Human-review gates for recommendations that target sensitive outcomes.

Opt-outs and transparency

• Preference center allowing opt-out from profiling-based marketing.
• Privacy notice snippet: include lawful basis, retention periods, and contact for objections.

Logging and monitoring

• Log access to raw data and model outputs; alert on unusual access or drift.
• Example purge SQL (adapt to your DB dialect): DELETE FROM input_logs WHERE created_at < NOW() - INTERVAL '90 days';

Vendor due diligence — what to ask

• DPA with subprocessors and permitted-use clauses.
• Proof of technical and organizational measures (TOMs) and certifications (e.g., ISO27001).
• Contractual controls preventing vendor reuse of raw training data for other clients.
• Ask about embeddings reversibility and secure deletion mechanics.

Recordkeeping: what regulators expect

Keep the completed LIA, experiments, meeting notes, signoffs, harm register, vendor DPA, and transparency materials. Version LIAs and link them to model artifacts (e.g., "product-recs_v2_2025-06-14") and include artifact hashes in the LIA.

When to prefer consent

Pick consent when processing is highly intrusive, uses sensitive attributes, or ePrivacy requires opt-in (SMS). Remember consent must be freely given, specific, informed, and withdrawable — consider lifecycle implications.

Closing checklist (short)

• Write a one-sentence purpose and stick to it.
• Run experiments and keep results.
• Build a harms register and mitigation plan.
• Apply conservative technical controls (field-level pseudonymization, AES-256 for PII).
• Offer opt-outs and clear notices.
• Complete and version an LIA with signoffs.
• Review LIAs whenever models or inputs change.

Final thought: relying on legitimate interest for AI-assisted marketing works — if you treat it like a discipline. Careful assessments, conservative controls, and transparent user choices reduce risk and build trust. If you want, I can share a downloadable LIA template or a short model-card example tailored to your stack.

---

References

[^1]: Taylor Wessing. (2025). The IAFs process to help address GDPR lawfulness in AI development and use. Taylor Wessing.

[^2]: CNIL. (2024). CNIL publishes recommendations on legitimate interest as a legal basis for AI training. InsidePrivacy (covering CNIL guidance).

[^3]: GDPR Local. (2023). GDPR legitimate interest. GDPR Local.

[^4]: Thoropass. (2022). Unpacking GDPR legitimate interest. Thoropass.

[^5]: Wilson Sonsini Goodrich & Rosati (WSGR). (2024). EU privacy regulators confirm that legitimate interest is a valid legal basis for AI model training and deployment. WSGR.

[^6]: IAPP. (2021). Guide to the GDPR legitimate interests. International Association of Privacy Professionals.

---