
GDPR and Cold Email: What B2B Companies Need to Know

GDPR cold email rules explained for B2B companies. Learn about legitimate interest, compliance requirements, and how to send legal cold emails in the EU.

GDPR and cold email is one of the most misunderstood topics in B2B outbound. Many companies believe that GDPR bans cold email entirely. That is not true. The General Data Protection Regulation regulates how personal data is processed, including email addresses. But it does not prohibit B2B cold email when done correctly. The key is understanding the legal basis for your outreach, specifically the "legitimate interest" framework that most B2B cold email operates under.

At Alchemail, we run cold email campaigns for US and global B2B clients, including companies that target European prospects. We have generated $55M+ in pipeline and 927 meetings in 2025 while maintaining compliance across jurisdictions. This guide explains what you need to know to send cold email to EU contacts legally.

Important disclaimer: This is a practical guide based on our understanding of GDPR as it applies to B2B cold email. It is not legal advice. Consult a qualified data protection attorney for guidance specific to your situation.

What GDPR Actually Says About Email

GDPR does not mention "cold email" specifically. It regulates the processing of personal data, which includes email addresses. The regulation provides six legal bases for processing personal data. For B2B cold email, two are relevant:

1. Consent (Article 6(1)(a))

The individual has given clear, affirmative consent to process their data for a specific purpose. This is what many people think GDPR requires for all email. It does not.

2. Legitimate Interest (Article 6(1)(f))

The processing is necessary for a legitimate interest pursued by the sender (or a third party), except where that interest is overridden by the individual's interests or fundamental rights and freedoms. Recital 47 of the GDPR expressly names direct marketing as a purpose that may be carried out under legitimate interest, and this is the legal basis most B2B cold email operates under.

Legitimate Interest for B2B Cold Email

Legitimate interest is the practical framework for GDPR-compliant cold email. Here is how it works:

The Three-Part Test

To rely on legitimate interest, you must pass the three-part test (the formulation used by the UK ICO, and the structure regulators across the EU apply):

  1. Purpose test. Is there a legitimate interest? Yes: business development and commercial outreach are recognized legitimate interests, and Recital 47 names direct marketing specifically.

  2. Necessity test. Is the processing necessary for that purpose? Yes: you need the email address to contact the person, and there is no less intrusive way to reach the same goal.

  3. Balancing test. Do the individual's interests, rights and freedoms override your interest? It depends: a contact at a work address, approached about their professional responsibilities, has a lower expectation of privacy than a consumer at a personal address, but this is the test you have to document rather than assume.

When Legitimate Interest Works for Cold Email

Legitimate interest is strongest when:

  • You are emailing business email addresses (not personal Gmail, Yahoo, etc.)
  • The recipient's professional role is relevant to your offer
  • Your message is relevant to their business responsibilities
  • You provide a clear way to opt out
  • You have documented your legitimate interest assessment
  • The data was obtained from legitimate sources (public directories, business databases, company websites)

When Legitimate Interest May Not Apply

  • Emailing personal email addresses of individuals
  • Mass, untargeted emailing with no relevance to the recipient
  • Sending to individuals who have already opted out
  • Processing sensitive personal data (health, political views, etc.)
  • Emailing consumers (B2C): the ePrivacy Directive requires prior consent for unsolicited marketing email to individuals across the EU, with only a narrow "soft opt-in" exception for existing customers

GDPR vs ePrivacy Directive: The Email Layer

Here is where it gets more complex. GDPR covers data processing, but the ePrivacy Directive (and individual EU country implementations) specifically covers electronic communications, including email marketing.

EU member states have implemented the ePrivacy Directive differently, and the UK retains its own implementation (PECR) after Brexit:

  • UK: generally permitted. PECR's consent rule applies to individual subscribers (which includes sole traders and some partnerships), with a soft opt-in for existing customers; corporate subscribers can be cold-emailed under UK GDPR legitimate interest with an opt-out.
  • Germany: restrictive. Section 7 UWG treats advertising email without prior express consent as an unreasonable nuisance, B2B included, apart from a narrow existing-customer exception.
  • France: moderate. B2B cold email to professional addresses is permitted with an opt-out, provided the message relates to the recipient's professional role (the CNIL's position).
  • Netherlands: moderate. B2B email generally permitted with opt-out.
  • Italy: moderate. B2B email permitted under legitimate interest with opt-out.
  • Spain: moderate. B2B email permitted with opt-out.
  • Nordic countries: moderate. Generally permit B2B email with opt-out.

Germany is the strictest. German unfair competition law (Gesetz gegen den unlauteren Wettbewerb, UWG, Section 7) generally requires prior express consent for commercial email, even B2B, and competitors and trade associations can enforce it with cease-and-desist letters in addition to data protection authorities. If you are targeting German contacts, consult a German data protection attorney.

The UK is the most permissive (post-Brexit, under UK GDPR and PECR). B2B cold email to corporate subscribers is widely accepted with an opt-out mechanism.

Practical Compliance Checklist for GDPR Cold Email

Here is what to do in practice:

Before Sending

  1. Document your Legitimate Interest Assessment (LIA). Write down your legitimate interest, why email is necessary, and how you balance the individual's rights. Keep this on file.

  2. Use business email addresses only. Never email personal addresses (gmail.com, outlook.com, etc.) for B2B cold outreach in the EU.

  3. Verify data source legitimacy. Your contact data should come from legitimate sources: business directories, company websites, professional databases, or business card exchanges. At Alchemail, we use Apollo, Clay, and LeadMagic for B2B data sourcing and verification.

  4. Segment by country. Different EU countries have different rules. Apply the strictest standard or segment your campaigns by country and adjust your approach.

  5. Prepare your privacy notice. Have a clear, accessible privacy policy that explains how you process personal data for outreach purposes.

In Every Email

  1. Include your identity. Full company name and contact information.

  2. Explain why you are contacting them. A brief statement of relevance (implicit in your message, but important for compliance).

  3. Provide an opt-out. Every email must include a clear, easy way to unsubscribe. Best practice is a visible link in the body plus RFC 8058 one-click unsubscribe headers (List-Unsubscribe and List-Unsubscribe-Post), which Google and Yahoo now require from bulk senders.

  4. Include your physical address. CAN-SPAM requires a valid physical postal address in every commercial email. GDPR does not mandate an address in the message itself, but it does require that the controller's identity and contact details are available to the recipient (normally via the privacy notice), and a postal address in the footer is best practice and expected by most mailbox providers.

After Sending

  1. Honor opt-outs immediately. Process unsubscribe requests within 24-48 hours (CAN-SPAM's outer limit is 10 business days; do not wait for it). Maintain a single suppression list shared across all campaigns and sending domains.

  2. Respond to data subject requests. Under GDPR, individuals can request access to their data, correction, deletion, or object to processing based on legitimate interest. Article 12 requires a response without undue delay and at the latest within one month, extendable by two further months for complex requests. Have a process for handling these.

  3. Maintain records. Keep records of your data sources, legitimate interest assessment, and consent/opt-out management.
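The checklist above is mostly operational, but the parts that fail in practice (a personal address slipping through, a suppressed contact re-imported from a fresh data pull, a German contact treated like a French one, a missing unsubscribe header) are exactly the parts that can be enforced in code before anything is sent. The following is an added example, not Alchemail's tooling: a pre-send gate that applies the business-address-only rule, the suppression list, a per-country policy, and builds a message with sender identity, postal address and RFC 8058 one-click unsubscribe headers. The freemail domain list, the country policy map, the sender details, the unsubscribe URL and the signing key are all constructed for illustration.

```python
"""Pre-send compliance gate for EU B2B cold email (added example, not Alchemail's code).

Encodes the checklist as a filter plus a message builder. The domain list, the
per-country policy map, SENDER, the unsubscribe URL and the HMAC key are
assumptions constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass
from email.message import EmailMessage
from urllib.parse import urlencode

# Constructed list of consumer mailbox providers; extend it for your markets.
FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "live.com",
    "yahoo.com", "yahoo.co.uk", "icloud.com", "gmx.de", "web.de", "orange.fr",
}

# Assumed policy map: "consent" means consent must be on file before sending;
# any other country falls back to legitimate interest with an opt-out.
COUNTRY_POLICY = {"DE": "consent"}
DEFAULT_POLICY = "opt-out"

# Constructed sender identity; every field ends up in the outgoing message.
SENDER = {
    "name": "Artur", "email": "artur@example-sender.test",
    "company": "Example Outbound Ltd",
    "address": "1 Example Street, Dublin D01 X001, Ireland",
    "unsub_base": "https://example-sender.test/unsubscribe",
}


@dataclass(frozen=True)
class Contact:
    email: str
    country: str              # ISO 3166-1 alpha-2 of the recipient, e.g. "DE"
    consent_on_file: bool = False


def normalize(addr: str) -> str:
    """Trim and case-fold so a suppression lookup cannot be bypassed by
    capitalisation or stray whitespace in a re-imported list."""
    return addr.strip().lower()


def is_business_address(addr: str) -> bool:
    domain = normalize(addr).rpartition("@")[2]
    return bool(domain) and domain not in FREEMAIL_DOMAINS


def policy_for(country: str) -> str:
    return COUNTRY_POLICY.get(country.upper(), DEFAULT_POLICY)


def gate(contacts, suppression):
    """Split contacts into (send, held); held entries are (contact, reason).

    The suppression check runs first so an opted-out address is never
    emailed, whatever else is true about it."""
    send, held = [], []
    for c in contacts:
        addr = normalize(c.email)
        if addr in suppression:
            held.append((c, "suppressed: previously opted out"))
        elif not is_business_address(addr):
            held.append((c, "personal mailbox domain"))
        elif policy_for(c.country) == "consent" and not c.consent_on_file:
            held.append((c, f"{c.country.upper()}: prior consent required"))
        else:
            send.append(c)
    return send, held


def record_opt_out(suppression, addr):
    """Honour an opt-out immediately: one normalised entry shared by all campaigns."""
    suppression.add(normalize(addr))


def unsubscribe_token(addr, key: bytes) -> str:
    """HMAC over the address so an unsubscribe link cannot be forged for
    other recipients by editing the URL."""
    return hmac.new(key, normalize(addr).encode(), hashlib.sha256).hexdigest()


def build_message(contact, sender, key: bytes, subject="Quick question about your outbound"):
    """Assemble an email carrying identity, a relevance statement, postal address,
    a visible opt-out link and RFC 8058 one-click unsubscribe headers."""
    addr = normalize(contact.email)
    url = f"{sender['unsub_base']}?{urlencode({'e': addr, 't': unsubscribe_token(addr, key)})}"
    msg = EmailMessage()
    msg["From"] = f"{sender['name']} <{sender['email']}>"
    msg["To"] = addr
    msg["Subject"] = subject
    # RFC 8058 one-click: both headers, an HTTPS URL, and the endpoint must act on a POST.
    msg["List-Unsubscribe"] = f"<{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(
        "Hi,\n\nI'm writing because your role looks relevant to outbound pipeline work.\n\n"
        f"{sender['name']}, {sender['company']}\n{sender['address']}\n\n"
        f"Not relevant? Unsubscribe in one click: {url}\n"
    )
    return msg


if __name__ == "__main__":
    suppression = set()
    record_opt_out(suppression, "Old.Lead@Example.com")   # constructed prior opt-out
    batch = [                                               # constructed sample batch
        Contact("jane@acme.example", "FR"),
        Contact("joe@gmail.com", "FR"),
        Contact("hans@firma.example", "DE"),
        Contact("anna@firma.example", "DE", consent_on_file=True),
        Contact("old.lead@example.com", "NL"),
    ]
    ok, held = gate(batch, suppression)
    for c, why in held:
        print(f"HELD {c.email}: {why}")
    for c in ok:
        print(build_message(c, SENDER, b"rotate-this-key").as_string())
```

Run as a script it holds the Gmail address, the unconsented German contact and the previously opted-out lead, and prints complete messages for the other two. The unsubscribe endpoint is assumed to verify the HMAC and call something equivalent to record_opt_out on a POST; the token only stops a third party from unsubscribing arbitrary addresses, it is not meant to hide the recipient's address, which the endpoint needs in order to suppress it.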

Data Protection Impact Assessment

For larger cold email campaigns targeting EU contacts, consider conducting a Data Protection Impact Assessment (DPIA). While not always legally required for B2B email, a DPIA demonstrates due diligence and helps you identify and mitigate privacy risks.

A DPIA for cold email should cover:

  • What personal data you collect and process (email, name, title, company)
  • Where the data comes from (Apollo, Clay, LinkedIn, etc.)
  • How the data is stored and secured
  • Who has access to the data
  • How long you retain the data
  • What safeguards protect the individual's rights

Comparison: GDPR vs CAN-SPAM for Cold Email

Aspect                      | GDPR (EU)                                                         | CAN-SPAM (US)
Legal basis required        | Yes (legitimate interest or consent)                              | No (opt-out model)
Prior consent needed        | Not for B2B under legitimate interest; national ePrivacy rules may differ (e.g. Germany) | No
Opt-out required            | Yes                                                               | Yes
Physical address required   | Not mandated in the email itself; controller identity and contact details must be available; address in footer is best practice | Yes (valid physical postal address required)
Sender identification       | Yes                                                               | Yes (no deceptive headers or subject lines)
Data subject rights         | Yes (access, deletion, correction, objection)                     | Limited (opt-out only)
Penalties                   | Up to 4% of global annual revenue or 20M EUR, whichever is higher | Up to $50,120 per email (FTC civil penalty figure, adjusted for inflation periodically)
Applies to                  | Any company targeting individuals in the EU, wherever the sender is | Commercial email sent to or from the US

For companies targeting both US and EU prospects (like many Alchemail clients), the practical approach is to apply GDPR standards across all campaigns. Meeting GDPR covers most of what CAN-SPAM asks, but CAN-SPAM has its own mechanics you still have to check: a valid physical postal address in every message, non-deceptive headers and subject lines, and opt-outs honored within 10 business days.

How Alchemail Handles GDPR Compliance

At Alchemail, our compliance approach for campaigns targeting EU contacts includes:

  • Business email addresses only. We never target personal email addresses for B2B outreach.
  • Legitimate data sources. We source data from Apollo, Clay, LeadMagic, and other legitimate B2B databases.
  • Opt-out in every email. Clear unsubscribe mechanism in every message.
  • Suppression list management. Opt-outs are processed immediately and maintained across all campaigns.
  • Country-specific segmentation. We apply appropriate standards based on the recipient's country.
  • Physical address included. Every email includes the sender's address.
  • Data retention policies. We do not retain personal data longer than necessary for the campaign.

This approach lets us maintain bounce rates under 2% and spam rates under 0.3% while staying compliant. For our infrastructure approach, see the cold email infrastructure setup guide.

What About the Upcoming ePrivacy Regulation?

The ePrivacy Regulation (ePR) was proposed in 2017 to replace the ePrivacy Directive. The proposal would have:

  • Harmonized electronic communication rules across the EU
  • Potentially tightened rules around B2B cold email
  • Introduced clearer rules about metadata processing
  • Applied directly (like GDPR) rather than requiring national implementation

As of this writing, the ePR has not been adopted, and in early 2025 the European Commission announced that it intends to withdraw the proposal after years of stalled negotiations. Until a replacement exists, the ePrivacy Directive and its national implementations remain the rules to follow. Stay informed and adapt your practices if that changes.

Practical Risk Assessment

Here is an honest assessment of GDPR risk for B2B cold email:

Risk factor                                          | Level       | Mitigation
Sending to business emails under legitimate interest | Low         | Document your LIA, include opt-out
Sending to personal emails                           | High        | Do not do this for EU contacts
Sending to German business contacts                  | Medium-High | Consider a consent-based approach
Sending without opt-out                              | High        | Always include an unsubscribe option
Ignoring data subject requests                       | High        | Have a process for handling requests
No Legitimate Interest Assessment                    | Medium      | Document your LIA before campaigns
Large-volume untargeted sends                        | Medium      | Target relevant contacts with relevant messaging

The companies that face GDPR enforcement for email are typically those doing mass, untargeted consumer email marketing without consent. B2B companies sending relevant, opt-out-enabled cold email to business addresses operate in a much lower risk category.

Frequently Asked Questions

Is cold email legal under GDPR?

B2B cold email is legal under GDPR when conducted under the legitimate interest legal basis. This requires: a documented legitimate interest assessment, targeting business email addresses, sending relevant messages, and providing a clear opt-out mechanism. Individual EU country laws may add additional requirements.

Do I need consent to send cold emails in the EU?

Not necessarily for B2B cold email. Legitimate interest is a valid legal basis under GDPR for B2B outreach. However, some EU countries (notably Germany) have stricter national laws that may require consent. For most EU countries, B2B cold email with opt-out is permitted under legitimate interest.

What happens if I violate GDPR with cold email?

GDPR penalties can reach up to 4% of global annual revenue or 20 million EUR, whichever is higher. In practice, enforcement for B2B cold email is rare compared to consumer data breaches. However, the risk is real, and the reputational damage from a GDPR complaint can be significant. Compliance is the better investment.

Should I avoid cold emailing EU contacts entirely?

No. EU markets represent significant B2B opportunity. The key is to comply with GDPR by using legitimate interest as your legal basis, targeting business email addresses, including opt-out mechanisms, and respecting data subject rights. Many successful B2B companies run compliant cold email campaigns across Europe.

How does GDPR affect cold email data sourcing?

Data used for cold email must come from legitimate sources. B2B databases like Apollo, Clay, and LeadMagic source data from public business information, company websites, and professional directories. This is generally considered legitimate under GDPR. Purchasing data from questionable sources or scraping personal information without a legal basis is not compliant.


Need help running GDPR-compliant cold email campaigns targeting European B2B markets? Book a call with Artur and we will build a compliant outreach strategy for your business.
