Live Direct Marketing
HomeBlogCompliance

GDPR and Cold B2B Email: What the Law Actually Requires

July 7, 2026 · 9 min read · Guide: Compliance

The most common misconception about GDPR and cold email is that it bans the practice outright, sending well-meaning teams either into paralysis or into a false sense of safety once they add an unsubscribe link. Neither is right. GDPR permits cold B2B outreach under a specific legal basis with specific conditions attached, and knowing those conditions precisely is what separates a defensible outreach program from one exposed to a complaint.

Key takeaways
  • GDPR does not require opt-in consent for B2B cold outreach — it permits processing business contact data under the legitimate interest legal basis instead.
  • Legitimate interest has real limits: the outreach must be relevant to the recipient's professional role, proportionate, and not override their rights.
  • Every cold email needs a clear identity of the sender, the reason for contact, and a working, immediate way to opt out.
  • An objection or opt-out must be honored promptly and permanently — re-contacting someone who opted out is a compliance failure, not a follow-up.
  • GDPR applies by recipient location, not sender location — a non-EU company emailing EU-based contacts is still in scope.

The legal basis: legitimate interest, not consent

GDPR recognizes several lawful bases for processing personal data, and consent is only one of them. For B2B cold outreach, the relevant basis is almost always legitimate interest: a company has a legitimate business reason to contact another company's employees about a product or service relevant to their professional role, and that interest can lawfully outweigh the minor intrusion of an unsolicited email, provided the outreach stays within reasonable, expected bounds.

This matters because it means a B2B cold email list built from public business sources — a company website, a professional profile, a business directory — does not need prior opt-in the way a consumer marketing list does. What it needs instead is a genuine legitimate-interest basis, documented and defensible, not a blanket assumption that 'B2B is always fine.'

The legitimate interest basis is not unconditional. It requires what is generally described as a balancing exercise: the business interest in reaching the contact has to be weighed against that person's reasonable expectations and rights, and it fails that balance when the outreach is irrelevant to their role, excessively frequent, or the kind of contact a reasonable professional in that position would not expect.

What keeps outreach inside legitimate interest

Three things keep a cold B2B campaign inside a defensible legitimate-interest basis: relevance, proportionality, and respect for the recipient's rights. Relevance means the offer actually connects to the recipient's professional function — emailing a company's finance director about a finance tool is relevance; emailing every employee at a company regardless of role about the same tool is not.

Proportionality means the contact data used is limited to what the outreach needs — name, business email, job title, company — and the frequency of contact is not excessive. A single well-targeted email, or a short sequence with reasonable spacing, sits comfortably inside proportionate use; daily unsolicited contact does not.

Respect for rights means the recipient can object at any time and that objection is honored immediately and completely. This is the piece most outreach programs get functionally wrong even when they think they are compliant — an unsubscribe link that takes days to process, or that removes someone from one list while a separate list or a different team keeps emailing them, is not honoring the right in practice.

What every compliant cold email needs

A handful of concrete elements need to be present in the message itself, not buried in a privacy policy the recipient never sees. Clear sender identity — a real company name and a way to verify who is sending — is the baseline; anonymous or disguised sending is incompatible with a legitimate-interest basis, which depends on the outreach being the kind of transparent business contact a professional would expect.

A brief, honest reason for contact belongs in the message: why this company, why this person, in plain language rather than vague marketing copy. This is not just good practice — it is part of what makes the legitimate-interest balancing test hold up, because it demonstrates the outreach was targeted rather than blasted indiscriminately.

An immediate, working opt-out is required in substance even where a formal unsubscribe link is not always technically mandatory for a one-to-one style email — in practice, every cold sequence should include one, because it is the cleanest way to satisfy the right to object and it removes any ambiguity about whether the recipient was given an easy way to stop.

Handling opt-outs and objections correctly

An opt-out under legitimate interest is the exercise of the right to object, and it carries more weight than an unsubscribe click from a newsletter — once received, that person should not appear in any future cold outreach from the sending organization, not just the specific campaign or list they responded to. A common and costly mistake is treating suppression as per-list rather than organization-wide, so a contact who opted out of one sequence gets re-contacted months later by a different team or a different list pull from the same company.

Objections should be actioned promptly, and the practical standard worth holding to is the same day or within a short, defined window — not at the next list-cleaning cycle. Keep a permanent, centralized suppression record that every new list gets checked against before a send, rather than relying on each campaign owner to remember who opted out previously.

A recipient does not need to cite GDPR or use any particular wording to trigger this obligation — 'please stop emailing me,' a reply asking to be removed, or a click on an unsubscribe link all count, and all deserve the same treatment: immediate, permanent suppression.

Practical checklist for every campaign

Run this against every new cold B2B campaign targeting EU-based contacts before it launches, regardless of where the sending company is based — GDPR scope follows the recipient's location, not the sender's.

FAQ

Do I need consent to send a cold email to a business contact under GDPR?

No — B2B cold outreach is typically lawful under the legitimate interest basis rather than consent, provided the outreach is relevant to the recipient's professional role, proportionate in volume, and respects their right to object. Consent becomes the relevant basis for consumer marketing lists, not for targeted B2B outreach.

Does GDPR apply if my company is outside the EU?

Yes, if the recipients are based in the EU. GDPR's scope follows the location of the data subject, not the sender, so a company anywhere in the world emailing EU-based professional contacts needs to meet the same legitimate-interest conditions.

Can I keep emailing a contact who never replies?

You can continue a reasonably spaced, limited sequence, but indefinite or excessively frequent outreach with no response starts to fail the proportionality part of the legitimate-interest balancing test. Set a defined sequence length and stop, rather than emailing the same non-responsive contact indefinitely.

What happens if someone reports my cold email as unwanted?

Treat it the same as a formal objection: suppress that contact immediately and permanently across every list and campaign. A pattern of complaints also signals the outreach may not be meeting the relevance or targeting standard that legitimate interest depends on, worth reviewing regardless of any single complaint's outcome.

Is a bought or scraped email list compliant with GDPR for cold outreach?

It depends heavily on the source and how the data was originally collected — data acquired through scraping private information, breaches, or another party's non-compliant list undermines the legitimate-interest basis. Public, professional business information gathered directly or from a reputable, compliant source is on much firmer ground.

Does adding an unsubscribe link make my cold email automatically GDPR-compliant?

No — an opt-out is necessary but not sufficient. The outreach also needs a genuine legitimate-interest basis: relevance to the recipient's role, proportionate contact data and frequency, and a defensible data source. An unsubscribe link without those still falls short.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us