Opt-In vs Legitimate Interest: Two Different Rulebooks
Ask most marketers how email consent works and they will describe opt-in: someone signs up, checks a box, and only then enters a sending list. That model is correct — for newsletters. It is also the wrong model to apply to cold B2B outreach, which under GDPR runs on an entirely different legal basis with different rules for who can be contacted, what has to be disclosed, and how objections get handled. Mixing the two is where a lot of otherwise careful teams end up out of compliance without realizing it.
- Opt-in consent is the legal basis for marketing to individuals who have actively agreed to receive it — newsletters, promotional lists, product updates to existing users.
- Legitimate interest is the legal basis most cold B2B outreach relies on instead — no prior sign-up required, but real conditions attached.
- The two models diverge on list-building, first-contact content, and what a valid opt-out has to do — applying opt-in rules to a legitimate-interest list, or vice versa, both create problems.
- A reply or an inbound signal from a cold-outreach recipient does not automatically create ongoing opt-in consent for a different kind of list, like a newsletter.
- When genuinely unsure which basis applies to a given list or campaign, the safer default in B2B is a narrow, well-targeted legitimate-interest approach rather than assuming broad implied consent.
What opt-in actually requires
Opt-in is the consent model most people picture when they think about email compliance: a person takes an affirmative action — checking an unticked box, submitting a form, confirming a double opt-in email — before they are added to a sending list. Consent obtained this way has to be specific (for this kind of communication, not a blanket agreement covering anything), informed (the person knew what they were signing up for), and freely given (not bundled into an unrelated action or made a condition of using an unrelated service).
Opt-in is the right model wherever the relationship is genuinely marketing-to-a-subscriber: newsletters, promotional offers, product update lists, anything where the recipient's ongoing willingness to receive communication is the entire premise of the list. It also comes with an expectation of easy, permanent withdrawal — consent given can be withdrawn as easily as it was given, and once withdrawn, sending has to stop.
What legitimate interest actually requires
Legitimate interest is a different legal basis entirely, and it is the one most cold B2B outreach relies on, precisely because outreach by definition targets people who have not signed up for anything — that is what makes it cold. Under this basis, a company can lawfully contact another company's employee about a professionally relevant product or service without prior consent, provided the contact is relevant to that person's role, proportionate in scope and frequency, and the recipient retains a clear, honored right to object.
The trade-off is that legitimate interest carries a built-in balancing requirement that opt-in does not: the sender has to be able to justify, if challenged, that the business interest in contacting this specific person reasonably outweighed the minor intrusion of an unsolicited email. That justification gets weaker the less relevant, more frequent, or more broadly targeted the outreach becomes — which is exactly why targeted, individually researched B2B outreach sits on firmer ground than a mass-blasted list scraped without regard to role or relevance.
Legitimate interest is not a loophole around consent requirements; it is a separate, narrower basis with its own discipline. Sloppy targeting, excessive frequency, or contacting people whose role has no plausible connection to the offer all erode the basis a sender is relying on.
Where the two models diverge in practice
The clearest divergence is at list-building. An opt-in list can only lawfully contain people who took the affirmative signup action described above — buying an email list, scraping addresses, or adding contacts who inquired about something unrelated all fail the opt-in standard. A legitimate-interest list, by contrast, can be built from public professional information — a company website, a professional profile, a business directory — because it never claimed the person agreed to be contacted; it relies on the balancing test instead.
The two also diverge on first-contact content. An opt-in newsletter's first send can reasonably assume the recipient wants marketing content, because they asked for it. A legitimate-interest cold email cannot make that assumption — the message needs to establish, briefly, why this specific person is being contacted, since that relevance is part of what makes the legitimate-interest basis hold up in the first place.
They diverge again on what an opt-out has to accomplish. Unsubscribing from an opt-in newsletter typically just needs to remove someone from that list. Honoring an objection under legitimate interest carries more weight — it is the exercise of a right, and best practice is suppressing that person from all cold outreach going forward, not just the one list or sequence that triggered it.
- List building: opt-in needs affirmative signup; legitimate interest can use public professional information.
- First message: opt-in can assume interest was already expressed; legitimate interest has to establish relevance.
- Opt-out scope: newsletter unsubscribe is list-specific; a legitimate-interest objection should suppress the contact organization-wide.
- Ongoing cadence: opt-in supports indefinite sending until withdrawal; legitimate interest favors a defined, proportionate sequence length.
Where confusion causes real mistakes
The most common mistake is treating a reply to a cold email as implied consent to add that contact to an unrelated marketing newsletter. It is not — a reply to a targeted, relevant outreach message is a signal within the legitimate-interest context it happened in, not a blanket opt-in to a different kind of ongoing marketing relationship. Moving someone from a cold sequence to a newsletter list still needs its own, separate consent step.
The reverse mistake also happens: teams apply opt-in-style caution to legitimate-interest outreach, assuming they need a checked box before any cold email can go out at all, and end up either abandoning outreach that is actually lawful or building elaborate pre-consent workflows that add friction without adding any real compliance benefit — legitimate interest was designed specifically to not require that step.
A third mistake is scope drift: a legitimate-interest list built for one relevant, narrow purpose gets reused for an unrelated campaign to the same contacts, at which point the original relevance justification no longer covers the new use. Each distinct outreach purpose needs its own relevance check, even against an existing, previously-justified list.
Deciding which basis applies to a given list
In practice, the deciding question is simple: did this person take an action indicating they want to hear from you, specifically? If yes — they signed up, requested information, or opted into a list — treat it as opt-in and follow that model's rules, including honoring the specific scope of what they agreed to. If no — the list was built from public professional information and the person has taken no prior action — treat it as legitimate-interest outreach and apply that model's discipline: relevance, proportionality, transparency, and immediate, permanent suppression on objection.
Where a program genuinely spans both — a company that does cold outreach and runs an opted-in newsletter — keep the two lists, processes, and suppression logic separate rather than merging them, since collapsing them into one system is exactly how a reply gets miscategorized as newsletter consent or an unsubscribe fails to cover the outreach list it should.
FAQ
Can I add someone to my newsletter just because they replied to my cold email?
Not automatically. A reply to targeted outreach is a legitimate-interest-context signal, not consent to a different, ongoing marketing relationship like a newsletter. Moving them to a newsletter list needs its own separate opt-in step, ideally by asking directly.
Do I need a checked consent box before sending any cold B2B email?
No — that is an opt-in requirement, and cold B2B outreach under GDPR typically relies on the legitimate interest basis instead, which does not require prior consent. It does require relevance, proportionate frequency, and an honored right to object.
Is legitimate interest a loophole that lets me skip consent requirements?
No — it is a separate legal basis with its own real conditions: the outreach has to be relevant to the recipient's professional role, limited in scope and frequency, and the recipient's objection has to be honored immediately and permanently. Sloppy, broad, or irrelevant outreach can fail that balancing test even without ever claiming consent.
If someone unsubscribes from one of my cold campaigns, do I need to suppress them everywhere?
That is the safer and generally correct practice. An objection under legitimate interest carries more weight than a single-list newsletter unsubscribe, and best practice is treating it as a signal to stop all cold outreach to that person, not just the specific list or campaign they responded to.
Can I use a purchased or scraped consumer email list for B2B cold outreach?
It depends heavily on how that data was collected and what it actually contains. A list built from public professional information the sender gathered directly sits on firmer legitimate-interest ground than one purchased from a third party with an unclear or non-compliant collection history.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us