Cold Email Without Opt-In: Where the Legal Line Actually Sits
«You can't email anyone without their consent» is repeated so often that many teams believe lawful cold outreach is impossible. It is not — B2B cold email operates legally in most major markets without prior opt-in, but on a specific legal footing with real obligations attached. This guide explains the legitimate-interest basis under GDPR, the CAN-SPAM model in the US, and the practical boundaries that separate lawful outreach from spam.
- Opt-in is one lawful basis under GDPR, not the only one; B2B outreach typically relies on legitimate interest instead.
- Legitimate interest requires a real balancing test: professional relevance to the recipient's role is the core of it.
- CAN-SPAM in the US permits unsolicited commercial email outright, subject to truthful headers, identification and a working opt-out.
- National e-privacy rules vary across the EU — some countries are stricter for B2B email than the GDPR baseline suggests.
- The obligations that come with legitimate interest — transparency, easy objection, instant suppression — are non-negotiable and enforceable.
Why opt-in became the default assumption
The opt-in norm comes from consumer email marketing, and for good reason: mass mailing individuals at their personal addresses on the basis of «we found your email somewhere» is exactly what anti-spam law was written to stop. ESPs baked consent into their terms of service, marketing courses taught it as gospel, and over time «permission marketing» hardened from a best practice for one channel into a perceived legal requirement for all email.
But the law itself is more differentiated. Data protection regimes distinguish between contexts, and most draw some line — explicit or practical — between marketing to consumers and communicating with people in their professional capacity about matters relevant to their business. A procurement director's work email, used to send a relevant offer to her company, is a different situation from a consumer's personal inbox, and regulators treat it differently.
The result: targeted B2B cold email is a lawful, widely practiced channel in the US, UK and most of the EU — provided you operate on the correct legal basis and meet its conditions. That last clause is where most senders fail.
Legitimate interest under GDPR: the actual mechanics
GDPR offers several lawful bases for processing personal data, and consent is only one of them. For B2B prospecting, the relevant basis is legitimate interest — and GDPR's recitals explicitly acknowledge that direct marketing may constitute a legitimate interest. A business email address tied to a named person is still personal data, so you need this basis; but you do not need the person's prior permission.
Legitimate interest is not a magic phrase you invoke. It requires a three-part balancing test, which you should document in a legitimate interest assessment (LIA). First, purpose: you have a genuine commercial interest — offering a product plausibly useful to the recipient's company. Second, necessity: contacting this decision-maker directly is a proportionate way to pursue it, and you are using no more data than needed. Third, balancing: your interest does not override the recipient's rights and reasonable expectations. This third prong is where targeting quality becomes a legal question, not just a marketing one.
The balancing test is where address-based outreach and spam part ways legally. A logistics director receiving one relevant, individually addressed message about freight software, with a clear sender identity and an easy way to object, sits comfortably within reasonable professional expectations. The same person receiving daily blasts from a scraped list about unrelated products does not. Relevance to the recipient's role is not just a conversion tactic — it is the substance of your legal position.
Alongside the basis itself come the standing GDPR duties: tell people where you got their data if they ask (and proactively, per the transparency articles — in practice, a privacy notice linked from the email covers much of this), honor access and erasure requests, and treat any objection to direct marketing as absolute — under GDPR, the right to object to direct marketing admits no counter-balancing. One «remove me» means permanent suppression, everywhere, immediately.
The e-privacy layer: where EU countries diverge
GDPR is only half the European picture. The e-Privacy Directive governs electronic marketing specifically, and it was implemented country by country, with a carve-out that lets member states choose softer rules for corporate subscribers. The result is a patchwork: some countries (Germany and Austria are the strictest well-known examples) effectively require consent or a very strong existing-relationship argument even for B2B email, while others (Ireland, the Netherlands, France in most B2B contexts, and the UK under PECR) permit unsolicited B2B email to corporate addresses under the legitimate-interest style regime described above.
Practically, this means an EU-wide campaign cannot run one uniform playbook. Segment your list by country and apply the strictest interpretation where required — in consent-leaning jurisdictions, that may mean routing those accounts to phone, LinkedIn or events instead of cold email. Also mind the distinction some regimes draw between a corporate role address (info@, sales@) and a named individual's address; the named individual almost always gets more protection.
None of this is a reason to abandon the channel. It is a reason to treat country as a first-class field in your prospect data, next to industry and job title — which well-run address-based campaigns already do.
The US model: CAN-SPAM's opt-out regime
The United States takes the opposite architectural approach. CAN-SPAM does not require prior consent for commercial email at all — cold email to business or even consumer addresses is legal by default. Instead, the law imposes conduct rules on every commercial message: no false or misleading header information, no deceptive subject lines, identification of the message as coming from your business including a valid physical postal address, a clear and functioning opt-out mechanism, and processing of opt-outs promptly (the law gives a ten-business-day window; treat same-day as the professional standard). Once someone opts out, further mail to them is a violation, with penalties assessed per email.
The practical upshot: in the US the legal risk is not in sending the first email but in sloppy mechanics — a broken unsubscribe link, a misleading «Re:» subject line on a first touch, a missing postal address, or continuing a sequence after an opt-out. Every one of these is common in badly run campaigns and every one is straightforwardly avoidable.
One caution for international senders: CAN-SPAM governs mail to US recipients, but if your list mixes jurisdictions, you carry each recipient's regime with them. A US-style «send first, opt out later» approach applied to a German list is a compliance incident waiting to happen.
What legitimate interest never covers
The boundaries matter as much as the permission. Legitimate interest is a basis for relevant, professional, restrained communication — and several common practices sit clearly outside it regardless of how the sender rationalizes them.
It never covers purchased consumer lists or scraped personal addresses; the balancing test collapses when the recipient has no professional connection to your offer. It never covers ignoring an objection — the GDPR right to object to direct marketing is absolute, and under CAN-SPAM continued mail after opt-out is a per-message violation. It never covers deception: fake forwarding chains, fabricated «following up on our call» openers, or sender identities that obscure who you are undermine both the legal basis and, under CAN-SPAM, the header-truthfulness rules directly. And it wears thin with volume: a fourth, fifth, sixth follow-up to a silent recipient stops looking like proportionate pursuit of a legitimate interest and starts looking like harassment — both to regulators and to the mailbox providers whose filters are, in practice, the first enforcers you will meet.
- No purchased or scraped lists — source data from verifiable public and firmographic sources and keep provenance records.
- No contact after objection — one opt-out suppresses the person permanently across all campaigns.
- No deceptive subjects, senders or fake threads — truthful identity is a legal requirement, not a style choice.
- Proportionate cadence — 2–3 follow-ups, then stop; silence is an answer.
- Document your legitimate interest assessment before the campaign, not after the complaint.
A compliance checklist for address-based outreach
Here is the operating standard we hold campaigns to at LDM, which doubles as a defensibility checklist. It is not legal advice for your specific situation — jurisdictions differ and edge cases exist — but a campaign meeting all of these points is on solid ground in opt-out-friendly markets.
Every recipient is a named decision-maker whose role makes the offer plausibly relevant, at a company matching a documented ICP. Data comes from identifiable sources and is verified before sending. Country-specific rules are checked and consent-leaning jurisdictions handled separately. The email states plainly who you are and why you are writing; the sending domain and signature identify a real company with a real address. An objection mechanism is present and frictionless — a reply saying «no» must work as well as any link. Opt-outs land on a permanent suppression list the same day. And the whole conversation flow, including who objected and when, lives in one system of record so compliance is auditable rather than aspirational.
Run this way, cold email without opt-in is not a loophole — it is the channel working as the law intends: businesses making relevant, honest, answerable approaches to other businesses, with the recipient holding an unconditional right to say stop.
FAQ
Is cold email to business addresses legal in the EU?
In most EU countries, yes — on the legitimate-interest basis under GDPR, provided the message is relevant to the recipient's professional role, you are transparent about who you are, and you honor objections immediately. However, national e-privacy implementations vary: Germany and Austria in particular lean toward requiring consent even for B2B, so segment campaigns by country.
Do I need to run a legitimate interest assessment before a campaign?
If you rely on legitimate interest under GDPR, you should document one: your purpose, why direct contact is necessary and proportionate, and why the recipient's rights are not overridden. It does not need to be long, but it needs to exist before the campaign — it is your primary evidence if a recipient or regulator asks on what basis you processed their data.
What does CAN-SPAM actually require for cold email in the US?
Prior consent is not required. Every commercial message must have truthful header and sender information, a non-deceptive subject line, identification of the sender including a valid physical postal address, and a clear opt-out that works and is honored promptly. Violations are assessed per email, so sloppy mechanics get expensive.
Someone replied asking where I got their email. What do I have to tell them?
Under GDPR they have a right to know. Answer specifically and honestly — the actual source, such as a public company website or a business data provider — and be ready to fulfil access or erasure requests. If your data provenance is something you would be uncomfortable stating in that reply, that is a sign the list should not be in use.
Does a reply saying «not interested» legally require me to stop?
Treat it as yes. Under GDPR, an objection to direct marketing is absolute — you must stop and suppress the contact. Under CAN-SPAM, any expression of opt-out triggers the prohibition on further mail. Beyond the law, continuing after a «no» is the fastest route to spam complaints, which damage your sending infrastructure for every future campaign.
Are info@ and sales@ addresses safer to email than named individuals?
Generally yes, because generic corporate addresses are not personal data in the same way a named person's address is, and several national regimes explicitly treat corporate subscribers more permissively. The trade-off is effectiveness: role inboxes are weakly monitored and rarely reach the decision-maker, which is why well-run outreach still targets named individuals and simply carries the fuller compliance obligations that come with it.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us