Cold email glossary
GDPR and cold email
GDPR does not ban B2B cold email, but it regulates the personal data behind it, including a prospect's name and work email address. Most B2B senders rely on legitimate interest as their lawful basis, which requires a documented balancing test, clear disclosures, and an easy way to object.
What is GDPR and cold email?
The GDPR covers companies established in the EU and companies anywhere in the world that offer goods or services to people in the EU; cold outreach to EU prospects is exactly such an offer, so a sender outside the EU is still in scope. The UK GDPR mirrors it for the UK. A named work address like jane.doe@company.com identifies an individual and is personal data; a generic address like info@company.com usually is not. Building a prospect list, enriching it, storing it, and emailing it are all processing, so a cold email program targeting EU or UK prospects sits squarely inside the regulation.
Every processing activity needs a lawful basis, and consent is impractical for cold outreach by definition, so most B2B senders rely on legitimate interest under Article 6(1)(f). GDPR's Recital 47 explicitly says direct marketing may be a legitimate interest, but relying on it means passing a three-part test: a purpose test (you have a genuine commercial interest), a necessity test (the processing is necessary to pursue it), and a balancing test (your interest is not overridden by the person's rights and reasonable expectations). Relevance is the practical heart of the balancing test. A tightly targeted message to someone whose role makes your offer plausibly useful balances very differently from a blast to a scraped list, and regulators expect the assessment to be documented, typically as a legitimate interests assessment.
GDPR also imposes transparency duties. Article 14 says that when you collect someone's data from a source other than the person, you must tell them who you are, why you are processing their data, your lawful basis, where the data came from, how long you keep it, and what rights they have. The deadline is within a month of obtaining the data and, if you use the data to contact them, no later than your first message. In practice senders meet this by linking a privacy notice from the email. Article 21 gives an absolute right to object to direct marketing: if a prospect objects, you stop, with no balancing and no conditions, and you suppress the address so they are never contacted again. Suppression means keeping a record of the address, not deleting it; a deleted address can be re-imported by the next list purchase or enrichment run, which is how objectors end up contacted twice. Making objection easy, with a clear opt-out line or link in every message, is both required in spirit and protective in practice.
The sending itself is governed by separate ePrivacy rules that vary by country. The UK's PECR distinguishes corporate subscribers, such as employees of limited companies and LLPs, from individual subscribers, such as sole traders and some partnerships. Marketing email to corporate subscribers does not require PECR consent, though the UK GDPR still applies to the individual's data and you must not disguise your identity and must provide a valid opt-out address. Individual subscribers are treated like consumers and generally require consent. Some EU member states, Germany among them, set a consent standard for marketing email that covers B2B, so country-by-country checks matter. This page is general information, not legal advice.
Why it matters in cold email
If any slice of your target market is in the EU or UK, lawful basis, disclosures, and objection handling stop being abstractions and become operational requirements for every campaign. The most serious GDPR infringements carry fines of up to 20 million euros or 4 percent of global annual turnover, whichever is higher, which is reason enough to take the paperwork seriously. The useful part is that the discipline GDPR pushes you toward (tight targeting, accurate data, clear sender identity, and fast suppression) is the same discipline that tends to earn replies and protect deliverability anyway.
How Sendful handles it
When campaigns touch EU or UK prospects, Sendful builds them around tight ICP targeting, verified data, an easy way to object in every message, and immediate suppression of anyone who does. Clients own their lists and data throughout. We are operators, not lawyers, so for regulated markets we work alongside guidance from your counsel.
Is cold email illegal under GDPR?
Not categorically. GDPR regulates the processing of personal data, and B2B senders can typically rely on legitimate interest as a lawful basis if they pass and document the balancing test, disclose the required information, and honor objections immediately. Separate national ePrivacy laws still apply to the sending itself, and some countries require consent even for B2B, so check each market. This is general information, not legal advice.
Can I use legitimate interest to send cold email?
Usually yes for B2B, and GDPR's own recitals recognize direct marketing as a potential legitimate interest. You need a documented assessment showing your purpose is genuine, the processing is necessary, and the prospect's rights do not override your interest. Narrow targeting to people whose role makes your offer relevant is what makes the balancing test workable.
Do I need consent to cold email someone in the UK?
It depends who they are. Under PECR, marketing email to corporate subscribers, such as employees at limited companies and LLPs, does not require consent, while individual subscribers, including sole traders and some partnerships, are treated like consumers and generally do. Either way the UK GDPR applies to any named individual's data, you cannot hide who you are, and you must provide a working opt-out.
Book a call
Done reading? We run all of this for you.
Book a call and leave with a custom outbound plan, your ICP, opening sequences, and a deliverability check, whether or not we work together.