
GDPR and Cold Email: A Practical Compliance Guide for Sales Teams

Practical GDPR compliance guide for cold email. Learn legitimate interest rules, data processing requirements, opt-out mechanics, and what sales teams must do to stay compliant.

By AutoReach Team
Tags: GDPR, compliance, cold email, data privacy, legal

Is Cold Email Legal Under GDPR?

Yes. GDPR does not ban cold email. The General Data Protection Regulation provides a legal basis called "legitimate interest" that allows B2B cold outreach when certain conditions are met. However, GDPR does require you to handle personal data responsibly, provide transparency about how you use data, and offer easy opt-out mechanisms.

The key distinction is between spam and legitimate business outreach. GDPR targets the former while permitting the latter — as long as you follow the rules.

Understanding the Legal Framework

The Six Legal Bases for Processing Personal Data

GDPR requires a legal basis for processing personal data. For cold email, the relevant bases are:

  1. Legitimate interest (Article 6(1)(f)) — The primary basis for B2B cold email. You can process data when you have a legitimate business interest that is not overridden by the individual's privacy rights.
  2. Consent (Article 6(1)(a)) — Explicit permission from the individual. Not typically used for cold email (since you do not have prior consent), but relevant for opt-in marketing.

The remaining four bases (contract performance, legal obligation, vital interests, public task) are not applicable to cold email outreach.

Legitimate Interest: The Three-Part Test

To use legitimate interest as your legal basis, you must pass three tests:

Purpose test: Is there a legitimate interest?

  • You are a business offering products or services
  • You have a reasonable belief the prospect could benefit
  • Your outreach has a genuine business purpose (not random spam)

Necessity test: Is processing personal data necessary?

  • You need the prospect's email address and name to communicate
  • You need company data to ensure relevance
  • There is no less intrusive way to achieve your purpose

Balancing test: Does the individual's privacy override your interest?

  • The data is business contact information, not sensitive personal data
  • The individual could reasonably expect to be contacted in a business context
  • You provide clear opt-out and handle data responsibly
  • The impact on the individual is minimal (receiving a relevant business email)

Documenting Your Legitimate Interest Assessment

You must document your legitimate interest assessment (LIA). This does not need to be a lengthy legal document, but you should have a written record that covers:

  • What your legitimate interest is
  • Why processing is necessary
  • How you balanced your interest against the individual's privacy
  • What safeguards you have in place (opt-out, data security, etc.)

"A legitimate interest assessment does not need to be reviewed by a lawyer, but it does need to exist. If a data protection authority ever asks how you justify your cold email, you need a written answer." — AutoReach Team

What GDPR Requires for Cold Email

Requirement 1: Transparency

You must be transparent about who you are and how you use data:

  • Include your company name and contact information in every email
  • Have a privacy policy that explains your data processing for outreach
  • Be willing to explain to any recipient how you obtained their data

Requirement 2: Purpose Limitation

Use data only for the stated purpose:

  • If you collected data for B2B outreach, use it for B2B outreach
  • Do not sell, share, or repurpose the data without a separate legal basis
  • Do not use business contact data for unrelated marketing

Requirement 3: Data Minimization

Collect and store only the data you need:

  • Name, email, company, and title are justified for outreach
  • Do not collect unnecessary personal data (date of birth, home address, etc.)
  • Delete data you no longer need for your stated purpose

Requirement 4: Accuracy

Keep data accurate and up to date:

  • Verify email addresses before sending
  • Remove bounced addresses promptly
  • Update records when you learn of changes (job changes, new email)
  • Do not send to outdated data

Requirement 5: Storage Limitation

Do not keep data longer than necessary:

  • Define a retention period for prospect data (e.g., 12-24 months)
  • Delete or anonymize data after the retention period
  • Review and clean your database regularly

Requirement 6: Right to Object (Opt-Out)

Individuals have the right to object to processing under legitimate interest:

  • Include an unsubscribe link or opt-out instruction in every email
  • Process opt-out requests immediately (within 24 hours)
  • Maintain a suppression list of opted-out contacts
  • Never re-contact someone who has opted out
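As an added example that is not part of the article or of AutoReach's product, here is a small Python model of Requirements 5 and 6 together: a suppression list that stores hashes of opted-out addresses and is consulted before every send, plus a retention purge that deletes idle prospect records. The 12-month retention period, the choice to hash suppression entries, and all sample addresses are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed policy value, not from the article: 12-month retention

def normalize(email):
    return email.strip().lower()  # so case/whitespace variants cannot slip past the list

def suppression_key(email):
    # Keep a hash rather than the address: the list must honour the objection
    # without itself becoming another copy of the person's contact data.
    return hashlib.sha256(normalize(email).encode()).hexdigest()

class OutreachStore:  # hypothetical prospect store, not AutoReach's implementation
    def __init__(self):
        self.prospects = {}      # normalized email -> last activity timestamp
        self.suppressed = set()  # hashes of opted-out addresses; never purged

    def add_prospect(self, email, now):
        key = normalize(email)
        if suppression_key(key) in self.suppressed:
            return False         # never re-add someone who has objected
        self.prospects[key] = now
        return True

    def record_opt_out(self, email):  # apply the objection at once, drop the record
        self.suppressed.add(suppression_key(email))
        self.prospects.pop(normalize(email), None)

    def may_send(self, email):  # pre-send gate: run on every send, not only at import
        key = normalize(email)
        return key in self.prospects and suppression_key(key) not in self.suppressed

    def purge_expired(self, now):  # storage limitation: delete idle prospect records
        cutoff = now - timedelta(days=RETENTION_DAYS)
        expired = sorted(e for e, last in self.prospects.items() if last < cutoff)
        for e in expired:
            del self.prospects[e]
        return expired

def demo():  # constructed walk-through: import, objection, re-import attempt, purge
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = OutreachStore()
    store.add_prospect("Alice@Example.com", t0)
    store.add_prospect("bob@example.com", t0)
    store.record_opt_out(" ALICE@example.com ")  # variant spelling of the same address
    readded = store.add_prospect("alice@example.com", t0)
    purged = store.purge_expired(t0 + timedelta(days=400))
    return store.may_send("alice@example.com"), readded, purged, store.may_send("bob@example.com")
```

Note that the purge only touches prospect records; the suppression hashes are kept so that a later re-import of the same address is still blocked.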

Requirement 7: Data Security

Protect the personal data you process:

  • Store data in secure systems with encryption
  • Limit access to authorized team members
  • Use secure connections (HTTPS, TLS) for data transmission
  • Have a process for handling data breaches

Practical Compliance Checklist

Before You Start Cold Emailing

  • [ ] Document your legitimate interest assessment
  • [ ] Create or update your privacy policy to cover outreach data processing
  • [ ] Set up a data retention and deletion policy
  • [ ] Implement a suppression list for opt-outs
  • [ ] Verify your data sources are legitimate (no purchased lists from questionable brokers)
  • [ ] Configure your email tool to include unsubscribe functionality

For Every Email You Send

  • [ ] Include your company name
  • [ ] Include your physical address or a link to it
  • [ ] Include a clear opt-out mechanism
  • [ ] Ensure the content is relevant to the recipient's business role
  • [ ] Use accurate and non-deceptive subject lines
  • [ ] Send from a real, monitored email address

Ongoing Compliance

  • [ ] Process opt-outs within 24 hours
  • [ ] Maintain and check your suppression list before every send
  • [ ] Clean your prospect database regularly
  • [ ] Review and update your LIA annually
  • [ ] Train new team members on GDPR compliance
  • [ ] Monitor regulatory updates for changes

Country-Specific Rules Within the EU

While GDPR is the baseline across the EU, some countries have additional rules through their ePrivacy implementations:

Country        Additional Requirements
Germany        Stricter interpretation; consent often preferred for first contact
France         CNIL guidance recommends consent for B2C; legitimate interest accepted for B2B
UK             Post-Brexit, UK GDPR mirrors EU GDPR; ICO enforces; generally B2B-friendly
Netherlands    Dutch DPA accepts legitimate interest for B2B outreach
Italy          Garante requires clear legitimate interest documentation

Practical Approach for Multi-Country Outreach

For most B2B teams, the safest approach is:

  1. Follow GDPR legitimate interest requirements as your baseline
  2. For German prospects, be extra cautious — consider softer initial outreach
  3. Always include clear opt-out
  4. Document your legitimate interest for each market
  5. Monitor local regulatory guidance for changes

GDPR and AI-Generated Emails

Using AI to write cold emails does not change your GDPR obligations. The relevant questions are:

  • Data processing: If your AI tool processes personal data (names, emails, company data), it must comply with GDPR. AutoReach processes data in compliance with GDPR, including encryption, access controls, and data minimization.
  • Transparency: You do not need to disclose that an AI wrote the email, but the content must be truthful and the sender must be identifiable.
  • Automated decision-making: GDPR Article 22 gives individuals rights related to automated decision-making with significant effects. Cold email qualification scoring is generally not considered to have "significant effects," but be aware of the provision.

FAQ

Can I cold email anyone in the EU?

You can cold email individuals in a B2B context when you have a legitimate business interest and the individual could reasonably expect to be contacted. You should not cold email individuals randomly without any business relevance.

Do I need explicit consent for B2B cold email?

No, not under GDPR. Legitimate interest is an accepted legal basis for B2B outreach. However, you must meet the three-part test and provide easy opt-out.

What happens if I violate GDPR?

Penalties range from warnings and orders to stop processing, up to fines of 20 million euros or 4% of global annual revenue, whichever is higher. In practice, most enforcement actions against cold email result in warnings or orders to change practices, not maximum fines.

How long can I keep prospect data?

GDPR does not specify exact retention periods. You must define a reasonable retention period based on your business purpose. For prospecting data, 12-24 months is a common and defensible retention period.

Can I use LinkedIn data for cold email?

Publicly available business data on LinkedIn can be used under legitimate interest, but scraping LinkedIn at scale may violate LinkedIn's terms of service (separate from GDPR). The safest approach is to use data from LinkedIn Sales Navigator within its intended use.

What about the ePrivacy Regulation?

The ePrivacy Regulation (expected to update the ePrivacy Directive) is still in legislative process. Current ePrivacy rules vary by EU country. Watch for updates, as the new regulation may introduce specific rules for unsolicited B2B email.

Best Practices for GDPR-Compliant Cold Email

  1. Target carefully — The more relevant your outreach, the stronger your legitimate interest
  2. Research before emailing — Show you understand the prospect's business
  3. Make opt-out effortless — One-click unsubscribe, processed immediately
  4. Keep records — Document your LIA, data sources, and processing activities
  5. Use reputable data sources — Never buy lists from questionable brokers
  6. Respect the spirit of the law — GDPR protects people from unwanted intrusions; make sure your outreach is genuinely useful

AutoReach helps you stay compliant by including unsubscribe links automatically, maintaining suppression lists, encrypting prospect data, and providing tools to manage data retention. But compliance is ultimately your responsibility — these tools support your compliance efforts, they do not replace the need to understand and follow the regulations.
