Is cold email GDPR-compliant in Europe? (B2B rules for 2025)
The short answer
Yes — B2B cold email is legal in the EU. It runs on the GDPR's legitimate interest basis (Article 6(1)(f)) and does not need the prior opt-in that consumer (B2C) marketing requires — as long as you email a relevant professional contact, identify yourself, and provide a clear, honored opt-out.
"Isn't cold email illegal in Europe?" is the objection that scares teams off outbound. It's a myth — but the nuance matters, and getting it wrong is a real risk. Here's the accurate version.
Note: this is general information, not legal advice. For your specific situation, confirm with a qualified data-protection adviser.
The legal basis: legitimate interest, not consent
GDPR requires a lawful basis to process personal data. For B2B marketing, that basis is legitimate interest under Article 6(1)(f) — you don't need prior consent. As the EU guidance on email marketing puts it, where a company has a justified interest, marketing emails may be sent to potential customers without consent.
The hard line is B2B vs. B2C:
| Audience | Lawful basis | Consent needed? |
|---|---|---|
| B2B (professional contacts) | Legitimate interest — Art 6(1)(f) | No |
| B2C (consumers) | Consent — Art 6(1)(a) | Yes (prior opt-in) |
What "legitimate interest" actually requires
Legitimate interest isn't a free pass — it's a balancing test. To rely on it for cold email you should be able to show:
- Relevance. The recipient's role makes your offer genuinely useful to their business. Spraying an irrelevant list fails the test.
- Professional context. You contact people at their professional address about their work, not their personal life.
- Reasonable expectation. A decision-maker in your target market would not be surprised to hear from a relevant vendor.
- Minimal impact. One relevant, easy-to-decline message is low-impact; high-frequency spam is not.
The ePrivacy layer (and the UK difference)
GDPR sets the data-processing rules; the ePrivacy Directive governs electronic marketing on top of it. In practice, EU member states apply extra protection to individual subscribers, which is why quality targeting and the relevance test matter so much for compliant outreach.
The UK is a common trip-up: under PECR, unsolicited B2B email to corporate bodies (limited companies, LLPs) is generally permitted, but sole traders and partnerships are treated like individuals and need the stricter consumer approach. If you email the UK, segment accordingly.
Your GDPR cold-email checklist
- ✅ Rely on legitimate interest (Art 6(1)(f)) for B2B; never cold-email consumers without consent.
- ✅ Email professional addresses about a genuinely relevant offer.
- ✅ Identify yourself — who you are and why you're reaching out — in every message.
- ✅ Include a clear opt-out, and honor it immediately and permanently.
- ✅ Source data from publicly available business sources and keep a record of where it came from.
- ✅ Honor data-subject requests (access, erasure) promptly.
- ✅ Maintain a suppression list so opted-out contacts are never re-emailed.
Done right, compliant outreach isn't a constraint — it's a competitive edge. Buyers trust senders who are transparent, and clean practices protect your deliverability at the same time.
Sources
- GDPR-info.eu — Email Marketing under the GDPR
- Overloop — Is Cold Email Illegal? Legal Guide
- Salesforce Europe — Legitimate interest for GDPR cold email B2B rules
- GDPR Local — GDPR Cold Email Strategy in 2025