GDPR is not a ban on cold email
The most common misconception: 'GDPR banned cold email in Europe.' It didn't.
GDPR regulates how you process personal data, and a named person's work email address is personal data. It requires a legal basis for processing. For B2B cold email, that basis is typically 'legitimate interest' (Article 6(1)(f)): you have a legitimate business reason to contact someone in a professional capacity about something relevant to their role. Note the split: GDPR governs the data (collecting, storing, enriching the address); the act of sending unsolicited marketing email is governed separately by each country's transposition of the ePrivacy Directive (Article 13), which is where the country-by-country differences below come from.
What GDPR actually did: it raised the bar for responsible outreach. You can't buy a list of 100,000 random Europeans and blast them. You can contact specific professionals whose role and company context make your product genuinely relevant to them — as long as you follow the rules.
The legitimate interest test
To use legitimate interest as your legal basis, you need to pass a three-part balancing test:
1. Purpose: you have a clear, specific business reason for contacting this person (not 'they might buy something someday').
2. Necessity: email is a reasonable, proportionate way to reach them (for B2B it is; this is how business communication works).
3. Balance: the recipient's interests, rights and reasonable expectations do not override your interest. A VP of Sales reasonably expects to receive outreach about sales tools. A consumer does not expect unsolicited B2B pitches at a personal address.
In practice, most B2B cold email passes this test easily — as long as you're targeting people whose professional role makes your product relevant and you're not contacting them about something unrelated to their work.
What you must do in every cold email
These are non-negotiable compliance requirements:
- Identify yourself: your name, company name, and a way to reach you. Concealing or disguising the sender's identity is prohibited outright by the ePrivacy rules, and anonymous cold email also fails GDPR's transparency obligations.
- State why you're contacting them and where you got their address: a brief explanation of why your product/service is relevant to their role, plus a link to your privacy notice. Because you did not collect the address from the recipient, Article 14 requires you to provide this information no later than your first communication with them, so the first email has to carry it.
- Provide a clear opt-out: an unsubscribe link or a 'reply STOP to opt out' instruction. Every email, every time.
- Honor opt-outs immediately. Article 21 gives recipients an absolute right to object to direct marketing, and GDPR sets no grace period, so treat an opt-out as effective the moment it arrives and make sure any email already queued for that address is pulled. Emailing someone after they've opted out is the fastest way to draw a complaint.
- Only use work email addresses: contacting someone at their personal Gmail or Yahoo address about a B2B product is a gray zone at best and indefensible at worst.
- Don't process special-category data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life or sexual orientation. Legitimate interest is not a valid basis for these. If your enrichment data includes any of these fields, strip them before the data enters your systems.
Country-specific nuances that trip people up
GDPR is the floor, but the rules on sending marketing email come from each country's transposition of the ePrivacy Directive (Article 13), and the B2B exemption varies from country to country:
Germany (UWG): the strictest interpretation. Section 7 of the UWG (Unfair Competition Act) treats email advertising without the recipient's prior express consent as an unreasonable nuisance, and German courts apply this to business recipients as well, with only a narrow existing-customer exception (§7(3)). Enforcement is not just by the data protection authorities: competitors and trade associations can issue cease-and-desist letters (Abmahnungen) and sue, so a single complaint is enough to generate real cost. Many companies avoid cold emailing German prospects entirely or restrict outreach there to other channels.
France (LCEN): B2B cold email is generally permitted if the message is related to the recipient's professional function. Similar to the GDPR legitimate interest test.
UK (post-Brexit): follows the UK GDPR and the Data Protection Act 2018, with email marketing governed by PECR 2003. PECR's consent requirement applies to 'individual subscribers'; corporate subscribers (limited companies, for example) can be emailed under legitimate interest with an opt-out. The trap: sole traders and some partnerships count as individual subscribers and need consent even when the address looks corporate, so check the entity type, not just the domain.
Nordics: mixed. Sweden and Finland permit email marketing to businesses and to professionals where the message relates to their role, with an opt-out. Denmark does not: the Marketing Practices Act (§10) requires prior consent for email marketing regardless of whether the recipient is a business, and the Consumer Ombudsman enforces it with fines.
Bottom line: if you're emailing across Europe, Germany and Denmark are the markets where you need prior consent or a different channel, and others (Austria, for example) also lean consent-first. Check each target country before launch; for the rest, standard GDPR compliance plus a clear opt-out is sufficient.
Practical compliance checklist
Before launching any cold email campaign targeting European recipients:
- Document your legitimate interest assessment. One paragraph per campaign explaining why these recipients, in these roles, at these companies would find your product relevant. Keep it on file.
- Verify you're using work email addresses only. Filter out @gmail.com, @yahoo.com, @hotmail.com from your EU prospect lists.
- Include an unsubscribe mechanism in every email. Automated unsubscribe links are best; 'reply to opt out' is acceptable but harder to manage at scale.
- Maintain a suppression list. Every opt-out goes on a global suppression list that applies across all campaigns, all channels, forever. This is the single most important compliance mechanism.
- Set up a process for data subject access requests (DSARs) and objections. If a European prospect asks 'what data do you have on me?' you must answer without undue delay and at the latest within one month (Article 12(3); extendable by two further months for complex requests, but you must tell them within the first month). Know where their data lives in your systems, including your enrichment provider's exports and your CRM, so you can also erase it on request.
- Review your data sources. If you're buying contact data, ask the provider for the legal basis on which the data was collected and its original source; you need the source to give recipients the Article 14 information. If they can't answer this question clearly, find a different provider.
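The two mechanical items on this checklist, the work-address filter and the global suppression list, are where campaigns usually go wrong in practice: an opt-out recorded as `Jane.Doe@Example.com` silently fails to match a prospect file that contains `jane.doe+sales@example.com`. The pre-send gate below, an added example rather than anything from the original page, applies a free-mail domain filter and a suppression list whose matching survives case, whitespace and sub-addressing differences, and also supports suppressing a whole domain when a company asks you to stop contacting its staff. The free-mail domain list is a constructed, deliberately incomplete sample, and all addresses are made up.

```python
"""Pre-send gate for an EU B2B prospect list: filters personal (free-mail)
addresses and applies a global suppression list whose matching survives
case, whitespace, and sub-addressing differences.

Added example; not code from the original page. The free-mail domain list
and all sample addresses are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed, deliberately incomplete list; production lists run to thousands.
FREE_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "yahoo.co.uk", "yahoo.fr",
    "hotmail.com", "hotmail.co.uk", "outlook.com", "live.com", "icloud.com",
    "gmx.de", "gmx.net", "web.de", "t-online.de", "orange.fr", "wanadoo.fr",
}
# Providers that ignore dots in the local part (j.doe and jdoe are one mailbox).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical(address: str) -> str:
    """Return a matching key for an address, or '' if it is not plausible.

    Lower-cases, trims, strips a '+tag' sub-address, and drops dots for
    dot-insensitive providers. Over-matching is the safe direction for an
    opt-out list: better to suppress a near-duplicate than to email someone
    who objected.
    """
    addr = address.strip().lower()
    if not _ADDR_RE.match(addr):
        return ""
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def _key(canon: str) -> str:
    # Store a digest rather than clear text so a leaked suppression file
    # exposes less. The digest is still personal data under GDPR; it limits
    # casual exposure, not a dictionary attack against a known address list.
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class SuppressionList:
    """Global opt-out store shared by every campaign and every channel."""
    addresses: set = field(default_factory=set)   # digests of canonical addresses
    domains: set = field(default_factory=set)     # whole domains that asked to stop

    def add_address(self, address: str) -> bool:
        canon = canonical(address)
        if not canon:
            return False
        self.addresses.add(_key(canon))
        return True

    def add_domain(self, domain: str) -> None:
        self.domains.add(domain.strip().lower().lstrip("@"))

    def contains(self, address: str) -> bool:
        canon = canonical(address)
        if not canon:
            return False
        domain = canon.rsplit("@", 1)[1]
        return _key(canon) in self.addresses or domain in self.domains


def gate(prospects, suppression: SuppressionList):
    """Decide per address whether it may be emailed: (address, allowed, reason)."""
    decisions = []
    seen = set()
    for raw in prospects:
        canon = canonical(raw)
        if not canon:
            decisions.append((raw, False, "invalid"))
            continue
        domain = canon.rsplit("@", 1)[1]
        if domain in FREE_MAIL_DOMAINS:
            decisions.append((raw, False, "personal_domain"))
        elif suppression.contains(raw):
            decisions.append((raw, False, "suppressed"))
        elif canon in seen:
            decisions.append((raw, False, "duplicate"))
        else:
            seen.add(canon)
            decisions.append((raw, True, "ok"))
    return decisions


if __name__ == "__main__":
    sup = SuppressionList()
    sup.add_address("Jane.Doe@Example.com")   # opted out via unsubscribe link
    sup.add_domain("acme.example")            # company asked for no outreach at all
    prospects = [                             # constructed sample prospect file
        "jane.doe+newsletter@example.com",    # same mailbox as the opt-out above
        "bob@gmail.com",
        "cto@acme.example",
        "Ops@Widgets.example", "ops@widgets.example",
        "not-an-address",
    ]
    for addr, ok, why in gate(prospects, sup):
        print(f"{'SEND' if ok else 'SKIP':4} {addr:35} {why}")
```

Run the gate as the last step before handing addresses to the sending tool, not inside the campaign builder, so that an opt-out recorded after a campaign was assembled still blocks the send. Keep the suppression store outside any single campaign or tool; the checklist's point is that it is global and permanent.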
Frequently asked questions
Is cold email legal under GDPR?
Yes, for B2B purposes. GDPR Article 6(1)(f) allows processing personal data based on 'legitimate interests' — which includes B2B sales outreach. You must balance your interest against the recipient's rights and provide an easy opt-out.
Do I need consent to send B2B cold email in Europe?
Not under GDPR itself. The 'legitimate interest' basis allows the data processing behind B2B cold email without prior opt-in. However, the national ePrivacy laws that govern the sending of marketing email differ: Germany (§7 UWG) and Denmark (Marketing Practices Act §10) require prior express consent even for business recipients, and some other countries lean the same way. Check the rule for each target country rather than assuming the B2B exemption applies everywhere.
What must I include in every cold email for GDPR compliance?
Your identity (name and company), a clear way to opt out (unsubscribe link or reply instruction), your postal business address, a link to your privacy notice (the Article 14 information, since you did not collect the address from the recipient), and a legitimate reason for contacting them (why your product/service is relevant to their business role).
What happens if I violate GDPR with cold email?
Fines can reach €20M or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)). In practice, data protection authority enforcement against B2B cold email is rare and usually targets egregious cases (mass consumer spam, repeatedly ignoring opt-outs). The more common cost is civil: in Germany, for instance, cease-and-desist letters from competitors under the UWG. The risk is real and the fines are not theoretical.