Privacy Policy vs Outreach Data Notice: What B2B Cold Email Actually Needs
A website privacy policy tells visitors what happens to data they hand over through a form. It says almost nothing useful about what happens to a business contact's data when your company found them, not the other way around. If you run cold B2B outreach, you need a second, narrower document — an outreach data notice — that explains where the contact came from, why processing it is lawful, and how to opt out. Here is what belongs in it and what legal basis actually applies.
- A website privacy policy and an outreach data notice answer different questions — outreach needs its own, linked from every cold email.
- Legitimate interest is the usual lawful basis for B2B cold email under GDPR, but it requires a real balancing test, not just an assertion.
- CAN-SPAM in the US permits cold email without prior consent but requires a working opt-out and accurate sender identification in every message.
- The notice must say where the contact data came from — this single line resolves most recipient objections before they escalate.
- Keep the notice short, factual and linked, not an embedded legal essay in the email body — length reads as either evasive or spammy.
Why your website privacy policy doesn't cover cold outreach
A standard privacy policy is written around data subjects who interact with your company directly: form submissions, account sign-ups, cookies on your site. It describes processing that the person initiated. Cold B2B outreach inverts that relationship — the company initiated contact using data gathered from a third-party source, a public directory, a company website, or a data provider, before the recipient ever knew the sender existed.
That inversion matters legally and practically. Under GDPR, processing personal data (and a named business contact's email, title and company is personal data even in a B2B context) triggers a transparency obligation regardless of whether the person is a customer yet. A privacy policy buried in a website footer, which the recipient has no reason to have read, does not satisfy that obligation for someone who has never visited the site.
The fix is not to rewrite the whole privacy policy — it is to publish a short, specific notice covering outreach data processing, and link to it from every cold email, typically in the signature or footer line next to the opt-out. Recipients who want to know why they got the email can find the answer in one click instead of digging through unrelated consumer-facing text.
What the outreach data notice should actually say
Keep it short and specific rather than comprehensive. The notice needs to answer, in plain language: what data is processed (name, business email, job title, company, sometimes phone), where it came from (public sources, a data provider, company websites — name the category, not necessarily the exact vendor), why it's processed (identifying relevant business contacts for outreach about a specific product or service category), how long it's retained, and how to object or request deletion.
Name the lawful basis explicitly if you operate under GDPR or a similar regime — this is usually legitimate interest for B2B outreach, discussed in the next section. State plainly that the recipient can opt out at any time and that doing so is immediate and permanent, not a one-campaign pause.
Avoid two failure modes. The first is copying a full consumer privacy policy wholesale and expecting it to cover outreach — it will read as irrelevant boilerplate to a recipient looking for one specific answer. The second is writing nothing at all and hoping the opt-out link alone satisfies the obligation — an opt-out mechanism and a transparency notice are two different requirements, and only having one leaves the other unmet.
- Categories of data processed (name, business email, title, company, phone if applicable).
- Source of the data (public directories, company websites, data providers — by category).
- Purpose of processing (identifying relevant contacts for outreach about X category of product/service).
- Lawful basis (legitimate interest, consent, or contract, stated explicitly).
- Retention period or the criteria used to determine it.
- How to object, opt out, or request deletion, and the timeframe for honoring the request.
Legitimate interest: the usual basis, not a blank check
Under GDPR, legitimate interest is the lawful basis most B2B cold outreach relies on, because consent is impractical to obtain before first contact and the relationship is business-to-business rather than involving a consumer. But legitimate interest is not self-certifying — it requires a genuine balancing test weighing your business interest in reaching the contact against that person's reasonable expectations and rights.
In practice, the balance tends to favor the sender when the contact is a business email tied to a professional role, the outreach is relevant to that role (a CFO gets a finance-tooling email, not a consumer offer), the volume and frequency are reasonable, and an easy opt-out is honored immediately. The balance tips against the sender when the outreach is unrelated to the recipient's professional function, when data was scraped from sources the person had no reason to expect would be used this way, or when the sender keeps contacting someone who already opted out.
Document the balancing test, even briefly — a short internal note stating why legitimate interest applies to this outreach program is the kind of record that turns a defensible position into a demonstrable one if ever questioned. This is a compliance habit, not a legal filing; it costs a paragraph and removes a real gap.
The US picture: CAN-SPAM's different starting point
CAN-SPAM does not require prior consent for commercial email, including cold B2B outreach, which is a materially different starting point from GDPR's basis requirement. What it does require is concrete: accurate sender identification (no forged headers, a real reply-to), a truthful subject line that doesn't misrepresent the email's content, a valid physical postal address, and a functioning opt-out mechanism honored within the statutory window.
The gap CAN-SPAM leaves open is transparency about data sourcing — it doesn't mandate a notice explaining where a contact's data came from the way GDPR-style transparency obligations do. Companies sending only to US-based contacts sometimes skip the sourcing notice for this reason. That's a legally defensible minimum, but a thin one: recipients increasingly expect the same transparency regardless of jurisdiction, and a short sourcing line costs little to add and removes a recurring category of "how did you get my email" replies.
For companies outreaching across US and EU contacts from one program, building the notice to GDPR's higher bar and applying it everywhere is simpler than maintaining two compliance tracks — and it reads as more credible to any recipient, in any jurisdiction, who asks.
Putting it into the email itself
The notice lives on a webpage, not inside the email body — a cold email stuffed with legal paragraphs reads as either a mass-market disclaimer or, worse, as evasive. What belongs in the email is a single line: sender's real name and company, a one-clause reason for the contact tied to the recipient's role, and a link — labeled plainly, such as "why you received this" or "privacy/opt-out" — pointing to the full notice.
Make the opt-out itself one click and immediate, with no login, no survey, no "tell us why you're leaving" gate before the unsubscribe processes. Every point of friction on the opt-out path is a point of friction on trust, and trust is the actual asset an outreach data notice is protecting — the legal minimum and the relationship-preserving version turn out to be nearly the same document.
Footer line: "[Sender name], [Company] — this business email was sourced from [public company records / a B2B data provider] to reach [role] contacts about [category]. Why you received this & opt out: [link]."
FAQ
Is a website privacy policy enough to cover cold email outreach?
No. A website privacy policy addresses data visitors give you directly; cold outreach uses data sourced from elsewhere before any interaction happened. You need a short, separate notice covering outreach data — where it came from, why it's processed, and how to opt out — linked from the cold email itself.
What legal basis covers B2B cold email under GDPR?
Legitimate interest is the usual basis, but it requires an actual balancing test between your business interest and the recipient's reasonable expectations, not just an assertion. It tends to hold when the outreach is relevant to the recipient's professional role, reasonably infrequent, and honors opt-outs immediately.
Does CAN-SPAM require consent before sending a cold email?
No. CAN-SPAM permits commercial email, including cold B2B outreach, without prior consent. It does require accurate sender identification, a truthful subject line, a valid postal address, and a working opt-out honored promptly — the requirements sit on the mechanics of the email, not on prior permission.
What should the outreach data notice actually contain?
Cover the data categories processed, where they came from (by category of source), the purpose of processing, the lawful basis relied on, a retention period, and a clear path to object or request deletion. Keep it short and specific — a page, not an essay, linked from every cold email.
Should the privacy notice text go inside the cold email itself?
No. Put a single line in the email — sender identity, a one-clause reason for contact, and a link to the full notice. A cold email padded with legal paragraphs reads as spam-adjacent; the notice belongs on a linked page a recipient can check if they choose to.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us