GDPR Cold Email: The Compliance Guide That Doesn't Leave Out the Hard Parts
You just scraped 5,000 emails targeting France, Germany, and Spain. You've got a legitimate interest argument ready. You're probably not compliant - and the reason isn't what most GDPR cold email guides tell you.
Those guides stop at "legitimate interest" and call it a day. That's dangerous advice. The General Data Protection Regulation doesn't ban cold email, but legitimate interest is only one layer. The ePrivacy Directive - transposed differently in every EU member state - can override it entirely. Teams confidently blast cold emails into Spain using the same playbook they use for France, and that's where they get burned. EU regulators penalize unsolicited marketing and unlawful processing with fines ranging from tens of thousands to millions, and draft ePrivacy Regulation proposals have aimed to align penalties with GDPR tiers (up to 4% of global turnover).
Three Things Most Guides Leave Out
- The ePrivacy Directive can override GDPR legitimate interest. Country-level rules determine whether you can actually send that email - not just Art. 6(1)(f).
- Rules vary dramatically by country. France, Spain, Germany, and the UK each have different requirements. One playbook doesn't work across Europe.
- Data accuracy is itself a compliance obligation. Under Art. 5(1)(d), sending to invalid or outdated emails means processing inaccurate personal data.

Is Cold Emailing Legal Under GDPR?
Yes. GDPR Recital 47 explicitly names direct marketing as a potential legitimate interest. Art. 6(1)(f) provides the legal basis - you can process personal data when you have a genuine business reason, you've documented it, and you respect the individual's right to object. Art. 21 gives recipients an absolute right to opt out of direct marketing. Once someone objects, you stop. No exceptions.
GDPR alone would make B2B cold emailing relatively straightforward. The complication is what sits on top of it.
The ePrivacy Rule Most Guides Skip
Art. 95 of GDPR and Recital 173 are clear: where the ePrivacy Directive (2002/58/EC) already imposes specific obligations with the same objective, those rules apply and GDPR adds nothing on top. Art. 13(1) of the ePrivacy Directive requires prior consent for unsolicited direct-marketing email to natural persons, Art. 13(2) carves out the "soft opt-in" for existing customers, and Art. 13(5) leaves it to each member state to decide how far subscribers that are legal persons (i.e. business addresses) are protected. That last clause is why national transpositions diverge so sharply on B2B, and why "legitimate interest is fine" isn't the full answer for compliant cold outreach in Europe.

In our experience, the France-Spain-Germany gap catches more teams than any other compliance issue.
| Country | National Law | B2B Cold Email Rule | Key Nuance |
|---|---|---|---|
| France | Art. L34-5 CPCE, applied per CNIL guidance | No opt-in needed for B2B prospecting tied to the recipient's professional role | Suppression list required; CNIL guidance caps prospect-data retention at 3 years after last contact |
| Germany | UWG §7 (Unfair Competition Act) | Prior express consent required | One of Europe's strictest regimes; even B2B needs consent in most cases, with only a narrow existing-customer exception |
| Spain | LSSI-CE Art. 21 | Consent, with a soft opt-in exception | Details must come from a sale/negotiation; similar products; opt-out in every message |
| UK | PECR Reg. 22 | More permissive for B2B | Stricter for individual subscribers than corporate subscribers; a UK GDPR lawful basis still applies for personal data |
France is permissive - you can send cold emails to B2B prospects without opt-in in most prospecting scenarios, provided the message relates to the recipient's professional role, you disclose the data source, identify the message as commercial, and include an unsubscribe mechanism. Germany is among the strictest: UWG §7 treats commercial email without the recipient's prior express consent as an unreasonable nuisance, B2B included, with only a narrow exception for existing customers. Spain's LSSI-CE centers on consent, with a "soft opt-in" style exception where the contact details must come from a sale or negotiation, the offer must relate to similar products or services, and an opt-out must appear initially and in every message. The UK sits in between, with PECR generally treating corporate subscribers more leniently than individual subscribers.
Check the target country's ePrivacy transposition before you send a single email. This isn't optional.
How to Document Legitimate Interest
The ICO publishes a sample LIA template you can download and adapt per campaign. It walks through the three-part test:

Purpose test: What's the legitimate interest? Be specific. "We're reaching out to VP-level marketing leaders at SaaS companies about pipeline attribution" beats "growing revenue."
Necessity test: Is cold email necessary? If prospects aren't findable through inbound or events, outbound email is a reasonable channel. (If you're building a repeatable outbound motion, see sales prospecting techniques.)
Balancing test: Does the individual's privacy override your interest? A VP of Marketing at a SaaS company expects vendor outreach. A hospital nurse doesn't.
Run an LIA per campaign, not once for your entire outbound program. Different audiences, geographies, and messaging all shift the balancing test. We've seen teams treat the LIA as a one-time checkbox - that's the fastest way to fail an audit.

Art. 5(1)(d) makes data accuracy a legal obligation - sending to invalid emails means processing inaccurate personal data. Prospeo's 5-step verification and 7-day refresh cycle keep your lists audit-ready with 98% email accuracy, so your GDPR cold email campaigns never fail on data quality.
Stop risking compliance fines on stale, unverified contact data.
Compliant Cold Email Template
Your first email should contain five disclosure elements:
Subject: Quick question about [specific topic relevant to their role]
Hi [First Name],
I'm [Your Name] from [Company]. (Identity disclosure)
I found your email through [specific source - e.g., your company's website, a conference attendee list]. (Data source disclosure)
We help [specific type of company] solve [specific problem], and based on [Company Name]'s [specific detail], I thought this might be relevant. (Purpose and relevance)
If you're not interested, just let me know and I'll remove your details from our list immediately. (Opt-out language)
[Your Name] [Company] · [Physical Address] (Physical address in signature)
Don't bury the data source in a footer nobody reads. Naming the source isn't just good practice: when you obtained someone's data from somewhere other than the person, Art. 14 requires you to tell them the source and your purpose, at the latest in your first communication with them (Art. 14(3)(b)). Good GDPR-aligned cold email practice means making those disclosures visible and clear in the body itself. (For more reply-focused structure, borrow from these sales follow-up templates.)
The Audit-Ready Compliance Checklist
DSARs have increased 56% since GDPR enforcement began, and 67% of organizations saw higher costs responding to them. An audit-ready outbound process isn't paranoia - it's operational hygiene.

- Check target country ePrivacy rules before building any list. France ≠ Germany ≠ Spain.
- Run an LIA per campaign. Document purpose, necessity, and balancing for each audience segment.
- Log the source of every lead - where it came from (e.g., URL) and the date captured. If someone asks where you got their data, you need an answer within one calendar month. (This is easier when your lead generation workflow is standardized.)
- Process opt-outs within minutes. Normalize the address (trim whitespace, lowercase) before matching, move the contact to a suppression list, and keep the record - deleting it is exactly how the same person gets re-contacted from a future list import.
- Maintain a full audit trail of sends, responses, opt-outs, and actions taken. The consensus on r/GrowthHacking is clear: source documentation, instant DNC processing, and audit trails are non-negotiable at scale.
- Verify email accuracy before sending. Art. 5(1)(d) requires data accuracy - sending to invalid addresses means processing inaccurate personal data, which is a direct compliance violation. Prospeo runs real-time verification with 98% accuracy on a 7-day data refresh cycle and logs source and verification status per contact, which simplifies DSAR responses and audit documentation. (If you're comparing tools, start with Bouncer alternatives or an AI email checker.)
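The checklist above, reduced to a small Python sketch. This is an added example, not Prospeo's code or any tool named on the page, and it assumes a simplified per-country rule table distilled from the summary earlier in the article (it is an illustration, not legal advice). Two details are worth noticing: the suppression list stores hashes of normalized addresses, so an opt-out survives even if the plaintext lead record is later purged, and a re-import of an address from a newer list never overwrites the original source record or the objection.

```python
import calendar
import hashlib
from dataclasses import dataclass
from datetime import date

# Simplified, hypothetical rule table distilled from the country summary
# in the article. Unknown countries default to "consent required" so a new
# market fails closed until someone checks its ePrivacy transposition.
CONSENT_REQUIRED = {"DE": True, "ES": True, "FR": False, "UK": False}


def normalize(email: str) -> str:
    """Canonical form so 'Anna@Example.DE ' and 'anna@example.de' match."""
    return email.strip().lower()


def suppression_key(email: str) -> str:
    """Hash the normalized address so the do-not-contact list holds no plaintext."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic for Art. 12(3) deadlines, clamped to month end."""
    month0 = d.month - 1 + n
    year, month = d.year + month0 // 12, month0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Lead:
    email: str
    country: str               # key into CONSENT_REQUIRED (assumed ISO-style code)
    source_url: str            # where the address was captured, logged for DSARs
    captured_on: date
    verified: bool = False     # result of address verification (Art. 5(1)(d))
    consent: bool = False      # explicit prior consent on file
    soft_opt_in: bool = False  # ES: address came from a prior sale/negotiation


class OutreachLedger:
    """Source log + hashed suppression list + append-only audit trail."""

    def __init__(self) -> None:
        self.leads: dict[str, Lead] = {}
        self.suppressed: set[str] = set()
        self.audit: list[tuple[str, str, str]] = []

    def _log(self, key: str, action: str, detail: str = "") -> None:
        self.audit.append((key, action, detail))

    def add_lead(self, lead: Lead) -> None:
        key = normalize(lead.email)
        lead.email = key
        # Never overwrite an existing record: a re-import from a newer list
        # must not erase the original source or the fact that it opted out.
        if key in self.leads:
            self._log(key, "recaptured", lead.source_url)
            return
        self.leads[key] = lead
        self._log(key, "captured", lead.source_url)

    def opt_out(self, email: str) -> None:
        key = normalize(email)
        self.suppressed.add(suppression_key(key))
        self._log(key, "opt_out", "Art. 21 objection")

    def can_send(self, email: str) -> tuple[bool, str]:
        """Gate every send: suppression first, then provenance, accuracy, consent."""
        key = normalize(email)
        if suppression_key(key) in self.suppressed:
            return False, "suppressed: recipient objected"
        lead = self.leads.get(key)
        if lead is None:
            return False, "no source record: cannot answer a DSAR"
        if not lead.verified:
            return False, "unverified address"
        if CONSENT_REQUIRED.get(lead.country, True):
            if lead.consent or (lead.country == "ES" and lead.soft_opt_in):
                return True, "consent or soft opt-in on file"
            return False, f"{lead.country} requires prior consent"
        return True, "legitimate interest (campaign LIA required)"

    def dsar(self, email: str, received: date) -> dict:
        """What a 'where did you get my data?' reply needs, with Art. 12(3) dates."""
        key = normalize(email)
        lead = self.leads.get(key)
        return {
            "processing": lead is not None,
            "source": lead.source_url if lead else None,
            "captured_on": lead.captured_on if lead else None,
            "suppressed": suppression_key(key) in self.suppressed,
            "respond_by": add_months(received, 1),      # one calendar month
            "extended_by": add_months(received, 3),     # +2 months if notified in time
        }
```

`can_send` checks the suppression list before anything else, so a contact who objected is blocked even if a later import tags them as verified and consented; `dsar` returns the original capture source because `add_lead` refuses to overwrite it.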

When Someone Asks "Where Did You Get My Data?"
A prospect replies asking where you got their email. That's a DSAR, and it doesn't need to mention "GDPR" to be valid.
You have one calendar month to respond with: confirmation you're processing their data, a copy of it, the purposes, categories, recipients, retention period, their rights (including the right to complain to a supervisory authority), and the source of the data. For complex requests, you can extend the deadline by two months - but you must notify the requester within the first month.
Here's the thing: if you can't trace where a contact came from, you can't respond properly. That single failure turns a routine request into a regulatory risk. (This is also why many teams avoid list buying entirely - see Is It Illegal to Buy Email Lists?.)
Common Misconceptions
"Only generic addresses are safe." You can email named individuals with a lawful basis. The UK regime is stricter for individual subscribers than corporate subscribers, but named individuals aren't off-limits - they require documented legitimate interest. The confusion on r/DigitalMarketing about this is widespread.

"Manual outreach is fine, automated isn't." The method doesn't change the legal analysis. Whether you send one email manually or a thousand through a sequencer, the same GDPR and ePrivacy rules apply. Automation doesn't make it "marketing" in a legal sense - the content and purpose do. (If you're scaling responsibly, align this with sequence management and email velocity.)
"GDPR killed cold email." GDPR permits it under legitimate interest. ePrivacy is the variable that determines whether unsolicited outreach is allowed in a given country. Let's be honest: if your average contract value is under EUR5k and you're only targeting Germany, cold email probably isn't your channel. But for B2B teams selling into France, the UK, or the Nordics, compliant cold emailing remains one of the highest-ROI outbound motions available. Skip Germany-only campaigns unless you've got explicit consent infrastructure in place. (To improve outcomes without increasing risk, tighten your B2B cold email sequence and cold email subject line examples.)

Logging lead sources and maintaining audit trails is non-negotiable under GDPR. Prospeo gives you 300M+ profiles from vetted, GDPR-compliant sources with full transparency - no scraped junk, no third-party email provider dependencies, and DPAs available on request.
Build audit-ready prospect lists at $0.01 per verified email.
FAQ
Can you send cold emails under GDPR without consent?
Yes, if you document a legitimate interest assessment and comply with the target country's ePrivacy transposition. France allows B2B cold outreach without opt-in in most prospecting scenarios. Germany's UWG requires prior consent for nearly all commercial emails. Spain permits a soft opt-in exception when the address was obtained during a sale or negotiation.
Do I need an unsubscribe link in every cold email?
You must include a clear opt-out mechanism and honor it immediately via a suppression list that applies across every sequence and every future list import, not just the one campaign. A one-click unsubscribe link is the simplest approach and satisfies Art. 21's right to object to direct marketing processing.
How does email verification help with GDPR compliance?
Art. 5(1)(d) requires data accuracy. Sending to invalid addresses means processing inaccurate personal data - a direct compliance violation. Real-time verification eliminates stale records and logs verification status per contact for audit readiness.
Does GDPR apply differently to B2B and B2C cold email?
GDPR itself doesn't distinguish B2B from B2C - legitimate interest applies to both. The difference comes from ePrivacy transpositions: most EU countries are more permissive for corporate-subscriber emails than individual-subscriber emails. Always check the national law for each target market.