GDPR Cold Email B2B: What's Legal in 2026

Is GDPR cold email B2B legal in 2026? Yes - with documentation. Country rules, LIA templates, compliance checklist, and email templates inside.

7 min read | Prospeo Team

GDPR Cold Email B2B: What's Actually Legal in 2026

CNIL hit SOLOCAL Marketing Services with a EUR 900,000 fine for commercial prospecting violations. That was 2025 - and enforcement is only accelerating. If a prospect replies "How did you get my email?", you need a source, a timestamp, and a documented reason for reaching out. Not next week. Right now.

The law sounds scarier than it is when you read it as a practitioner instead of a lawyer. GDPR cold email for B2B can be legal in Europe, but the rules aren't what most guides tell you.

The Short Answer

Yes, you can send cold B2B emails in the EU. GDPR's Recital 47 explicitly recognizes direct marketing as a legitimate interest. The catch is documentation and country-level rules.

Legitimate interest isn't a blanket pass. You need a documented Legitimate Interest Assessment per campaign - not a one-time checkbox.

Country rules vary dramatically. Germany is consent-heavy for individuals and commonly enforced as double opt-in. France is permissive for profession-related outreach. The UK exempts corporate subscribers from the PECR consent rule for marketing emails.

Data quality is compliance hygiene. High bounce rates kill deliverability and increase complaints. Verify before you send.

79.1% of cold email senders rank it as their top lead generation tactic - and GDPR can allow it, because Recital 47 explicitly states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." That's not a loophole. It's the regulation's own language.

The real question isn't whether GDPR can allow B2B cold email. It's which law governs your specific situation, and whether you've documented enough to survive a complaint.

Which Law Actually Governs?

Most guides get this wrong: GDPR isn't the only law that matters. For electronic communications - email, SMS, phone - the ePrivacy Directive (Directive 2002/58/EC) adds a separate rules layer on top.

How GDPR and ePrivacy Directive overlap for cold email

GDPR Article 6(1)(f) lets you process personal data under legitimate interest. But ePrivacy rules, implemented through national laws, often set the conditions for unsolicited electronic marketing. Per GDPR Article 95 and Recital 173, where the two overlap, ePrivacy takes precedence.

Each EU member state implemented the ePrivacy Directive differently. Germany's implementation is strict. France's is more permissive for B2B when the outreach is profession-related. The UK carved out corporate subscribers from the consent rule entirely. So the answer to "can I cold email this person?" depends on which country they're in, whether they're at a corporation or a sole trader, and whether your outreach relates to their professional role. The ePrivacy layer is what most people should actually worry about, and most guides don't mention it because it complicates the narrative.

Country Risk Tiers for EU Outreach

Not all EU markets carry the same risk. Here's a practical tier map based on how each country implemented ePrivacy rules:

EU country risk tiers for B2B cold email compliance

Tier       | Countries                      | Key Rules
High risk  | Germany, Italy, Spain, Sweden  | Consent required; DE: double opt-in
Moderate   | France, Netherlands, UK        | FR: role-based OK; UK: corporates exempt
Universal  | All markets                    | Unsubscribe option, sender ID, data source

Germany is the hardest market to cold email cleanly. Its implementation is consent-heavy for marketing emails to individuals, and enforcement is active. Practitioners on r/coldemail consistently flag Germany as the market where they've had the most compliance pushback. If you're starting EU outbound, skip this one until your process is bulletproof.

France is far more permissive for B2B. CNIL guidance allows profession-related outreach as long as you inform the recipient, provide an opt-out, and the message relates to their professional role. This makes France one of the friendliest markets for compliant B2B email prospecting.

The UK is the friendliest for B2B. Under PECR, corporate subscribers are exempt from the consent rule for marketing emails. Sole traders and some partnerships are treated as individuals, though, so you still need to know who you're emailing.

In our experience, starting with UK and France gives teams the fastest path to compliant pipeline. Layer in other markets once your documentation process is airtight.

Prospeo

The article above says it plainly: high bounce rates kill deliverability and increase complaints. Prospeo's 5-step email verification - with catch-all handling, spam-trap removal, and honeypot filtering - delivers 98% accuracy. That means bounce rates under 4%, cleaner sender reputation, and fewer angry prospects asking where you got their data. Every email comes with a verified source and timestamp, so your Art. 14 transparency obligations are covered from day one.

Stop risking your domain reputation on unverified data.

How to Document Legitimate Interest

The ICO publishes an official LIA template with three tests. Here's a simplified fill-in-the-blank version for cold email campaigns:

Three-step LIA documentation process for cold email campaigns

Purpose test

"We're contacting [job title] at [company type] because [specific business reason - e.g., they use competitor X and our product solves Y]."

Necessity test

"Email is the least intrusive way to reach this audience. We can't achieve this through [alternative - e.g., inbound alone, advertising] because [reason]."

Balancing test

"The recipient would reasonably expect outreach about [topic] given their role as [title]. We minimize impact by [limiting follow-ups to 2-3, honoring opt-outs instantly, providing data source]."

Do this per campaign, not once for all outbound. A blanket LIA covering "all sales emails forever" won't survive scrutiny. We've seen teams treat this as a one-time formality and regret it when a complaint lands - the documentation needs to exist before the first email goes out.

GDPR Compliant Cold Email Template

Here's an annotated template with each element mapped to the requirement it satisfies:

From: Jane Smith, Acme Solutions - Art. 13/14: clear sender identity

Subject: Quick question about your outbound stack

Hi {{first_name}},

I found your contact details on your company's website while researching firms scaling outbound in the DACH region. - Art. 14: transparency about data source (provide within 1 month)

As {{job_title}} at {{company}}, you're likely dealing with [specific pain point]. We help teams like yours [specific value prop]. - Recital 47: purpose tied to recipient's professional role

Would a 15-minute call next week make sense?

If you'd prefer not to hear from me, just reply and I'll remove your details immediately. - Art. 21: right to object, with instant processing

Best,
Jane Smith | Acme Solutions
123 Main Street, London, EC1A 1BB - PECR: valid contact address for opt-out

The data source line is the one most people skip - and it's the one regulators ask about first. "I found your email on [specific source]" isn't optional if you're relying on Art. 14 transparency for third-party sourced data.

Audit-Ready Compliance Checklist

If a regulator or an angry prospect asks questions, you need answers fast:

Six-item GDPR cold email compliance checklist for audits
  • Source documentation per lead - store the URL and timestamp where you found each email. If you can't answer "how did you get my email?" in 10 seconds, you're not compliant.
  • LIA per campaign - documented before sending, not retroactively.
  • Instant opt-out processing - block within minutes, not days. Sync your suppression list across every tool in your stack.
  • Art. 14 notice - if you obtained data from a third party, inform the data subject within 1 month.
  • Audit trail - what was sent, when, to whom, and what happened next.
  • Retention policy - delete non-responsive contacts quickly, often within ~30 days. For longer retention, CNIL's guidance for prospecting data uses an "up to 3 years from last interaction" benchmark. Delete what you don't need.
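The six checklist items above are easier to defend when the sending tool enforces them rather than a spreadsheet. The following is an added example, not Prospeo's code or the ICO's template: a minimal in-memory lead store whose pre-send gate checks the objection list, the campaign LIA, the documented source and the follow-up cap, and whose retention purge drops non-responders. The follow-up limit, the 30-day retention window, the field names and the sample addresses are assumptions chosen for illustration.

```python
# Added example (not Prospeo's code): a lead store that enforces the audit
# checklist at send time. Limits, names and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

MAX_FOLLOWUPS = 2                        # assumption: initial email + 2 follow-ups per campaign
RETENTION_NO_REPLY = timedelta(days=30)  # assumption: purge non-responders after ~30 days


@dataclass
class Lead:
    email: str
    source_url: str                    # where the address was found (Art. 14 trail)
    collected_at: datetime             # when it was found
    last_interaction: Optional[datetime] = None  # last reply; None = never responded


@dataclass
class LIA:
    campaign_id: str
    purpose: str                       # purpose test
    necessity: str                     # necessity test
    balancing: str                     # balancing test
    documented_at: datetime            # must predate the first send


class LeadStore:
    def __init__(self) -> None:
        self.leads: Dict[str, Lead] = {}
        self.lias: Dict[str, LIA] = {}
        self.suppressed: Set[str] = set()  # objections are kept for good: never re-contact
        # audit trail of (when, recipient, campaign, event) for sends, replies, objections, purges
        self.audit: List[Tuple[datetime, str, str, str]] = []

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def register_lia(self, lia: LIA) -> None:
        self.lias[lia.campaign_id] = lia

    def add_lead(self, email: str, source_url: str, now: datetime) -> bool:
        # Refuse to store an address without its source, or one that objected earlier.
        email = self._norm(email)
        if not source_url:
            raise ValueError("refusing to store a lead without a documented source")
        if email in self.suppressed:
            return False
        self.leads[email] = Lead(email, source_url, now)
        return True

    def can_send(self, email: str, campaign_id: str, now: datetime) -> Tuple[bool, str]:
        # Pre-send gate: objection, LIA, source documentation, follow-up cap, in that order.
        email = self._norm(email)
        if email in self.suppressed:
            return False, "recipient objected (Art. 21)"
        lia = self.lias.get(campaign_id)
        if lia is None or lia.documented_at > now:
            return False, "no LIA documented before sending"
        if email not in self.leads:
            return False, "no source documentation for this address"
        sent = sum(1 for _, who, camp, ev in self.audit
                   if who == email and camp == campaign_id and ev == "sent")
        if sent > MAX_FOLLOWUPS:
            return False, "follow-up limit reached"
        return True, "ok"

    def record_send(self, email: str, campaign_id: str, now: datetime) -> None:
        ok, reason = self.can_send(email, campaign_id, now)
        if not ok:
            raise PermissionError(reason)
        self.audit.append((now, self._norm(email), campaign_id, "sent"))

    def record_reply(self, email: str, campaign_id: str, now: datetime) -> None:
        email = self._norm(email)
        if email in self.leads:
            self.leads[email].last_interaction = now
        self.audit.append((now, email, campaign_id, "replied"))

    def record_objection(self, email: str, campaign_id: str, now: datetime) -> None:
        """Instant opt-out: drop the profile, keep only the address on the suppression list."""
        email = self._norm(email)
        self.suppressed.add(email)
        self.leads.pop(email, None)
        self.audit.append((now, email, campaign_id, "objected"))

    def provenance(self, email: str) -> Optional[dict]:
        """The 10-second answer to 'how did you get my email?'"""
        lead = self.leads.get(self._norm(email))
        if lead is None:
            return None
        return {"source_url": lead.source_url, "collected_at": lead.collected_at.isoformat()}

    def purge_stale(self, now: datetime) -> List[str]:
        """Retention: delete contacts with no interaction inside the retention window."""
        purged = []
        for email, lead in list(self.leads.items()):
            reference = lead.last_interaction or lead.collected_at
            if now - reference > RETENTION_NO_REPLY:
                del self.leads[email]
                self.audit.append((now, email, "-", "purged"))
                purged.append(email)
        return purged
```

The suppression set deliberately outlives the lead record: honoring an objection means keeping the address itself (nothing else) so it is never re-imported from a fresh list, which is why `add_lead` returns `False` for a suppressed address instead of silently overwriting the opt-out.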

The r/GrowthHacking thread on GDPR compliance lines up with this: source documentation, per-campaign LIAs, and instant DNC processing are the three non-negotiables practitioners actually implement. Sales compliance isn't about perfection - it's about having defensible documentation when questions arise.

What Happens When You Get It Wrong

CNIL's EUR 900,000 fine against SOLOCAL was for commercial prospecting without consent and transferring data to partners without a valid legal basis. CALOGA received a EUR 80,000 fine tied to the same themes.

GDPR fine examples and maximum penalty thresholds

Total GDPR fines have crossed EUR 1.6B+ across all categories. The maximum penalty is EUR 20 million or 4% of global annual turnover - whichever is higher.

Let's be honest: most companies won't get a maximum fine from a single complaint. But we've watched teams lose domain reputation over a single poorly sourced campaign. The legal costs, deliverability damage, and operational disruption are real even at smaller penalty levels. If your average deal size is under EUR 5,000, you can't afford to fight a GDPR complaint. The compliance cost of one escalation will wipe out months of pipeline. Build the documentation upfront or don't send the emails.

Data Quality as Compliance Infrastructure

Bad data doesn't just kill your reply rates - it creates compliance exposure. Every bounced email signals to mailbox providers that you're sending to unverified lists. Enough bounces and complaints can get your sending infrastructure flagged fast, and a flagged domain is expensive to recover. Treating data quality as part of your GDPR cold email B2B strategy protects both deliverability and legal standing.

Prospeo runs 98% email accuracy with a 7-day data refresh cycle, so you're not emailing stale contacts who left the company six months ago. DPAs are available and opt-outs are enforced globally - which matters when your compliance depends on clean sourcing metadata.

Prospeo

Your LIA documentation requires a specific, defensible reason for reaching out. Prospeo's 30+ search filters - buyer intent, technographics, job changes, department headcount - let you build hyper-targeted lists where every contact has a documented business rationale. Layer in Bombora intent data across 15,000 topics to prove your outreach is relevant to the recipient's professional role, exactly what Recital 47 demands.

Build audit-ready prospect lists that satisfy every balancing test.

FAQ

Does GDPR apply to role-based emails like info@ or sales@?

Role-based addresses don't contain personal data, so GDPR doesn't apply directly. National ePrivacy rules still govern unsolicited marketing to those addresses in some countries. Named individual emails always trigger GDPR obligations.

Yes, if your legitimate interest still holds and the recipient hasn't objected. Keep follow-ups to 2-3 maximum, each adding new value. Once someone objects, stop immediately - Art. 21 makes this absolute.

How do I prove where I got someone's email?

Store the source URL and timestamp for every lead at the moment of collection. This is your Art. 14 compliance trail. Even a spreadsheet works if you record "where" and "when" per contact - the format doesn't matter, the habit does.

How does outbound differ from inbound under GDPR?

Inbound contacts typically give consent by filling out a form, satisfying Art. 6(1)(a). Outbound cold email relies on legitimate interest under Art. 6(1)(f) instead, requiring the LIA documentation outlined above. Transparency and opt-out obligations apply to both, but the legal basis and documentation burden differ significantly.
