GDPR Cold Email Compliance Guide: Can You Still Send Cold Emails in the EU?

The question every B2B team selling into Europe eventually asks: can you still legally send cold emails in the EU under GDPR, or does the regulation shut outbound down entirely? The short answer is that B2B cold email is not automatically illegal in the EU, but it is heavily conditioned. This GDPR cold email compliance guide walks through what the law actually requires, why "legitimate interest" is the lawful basis most B2B senders rely on, and what separates a compliant, relevance-first message from one that risks fines and a wrecked domain reputation. The rules are stricter than in the US, and they vary by country, so the details matter.
We build compliant, relevance-first outbound for B2B clients and keep clean records as part of the system, so this guide reflects how we approach the topic in practice. Read it as an operator's map of the terrain, not a substitute for advice on your specific situation.
With that caveat in place, here is the practical picture. The rest of this guide breaks down the lawful basis most B2B senders use, how the rules shift country by country, and what a defensible cold email actually contains. Start with the summary below.
GDPR Basics for Cold Email
The General Data Protection Regulation (GDPR) governs how organizations handle the personal data of people in the EU and EEA. A business email address that identifies a person (for example, firstname.lastname@company.com) is personal data under GDPR. That means the moment you collect, store, or email that address, you are processing personal data and GDPR applies.
Two things follow from that. First, you need a lawful basis to process the data. GDPR lists six lawful bases, and for cold outreach the realistic ones are consent or legitimate interest. Second, you owe the person certain rights and protections regardless of which basis you use, including transparency about who you are and why you have their data, and the ability to object.
GDPR does not contain a blanket rule that says "cold email is banned." It sets conditions. The practical work of compliance is meeting those conditions honestly, not finding a loophole around them.
The Legitimate Interest Lawful Basis and the Balancing Test
Getting explicit consent before a first cold email is usually impractical, because you would need permission before you have ever contacted the person. So most B2B senders rely on legitimate interest as their lawful basis. Legitimate interest lets you process personal data for a genuine business purpose, provided that purpose is not overridden by the individual's rights and interests.
The catch is the balancing test. To rely on legitimate interest, you have to be able to show three things:
- Purpose: There is a real, specific business reason for the outreach (for example, offering a genuinely relevant service to a decision maker whose role involves buying it).
- Necessity: Emailing that person is a reasonable way to pursue that purpose, and you are not collecting or using more data than you need.
- Balance: Your interest does not override the recipient's reasonable expectations and rights. A senior buyer receiving a relevant, professional message at their work address is unlikely to be surprised or harmed. A random personal inbox getting an irrelevant pitch is a different story.
Relevance is the hinge. The more precisely your message fits the recipient's actual role and responsibilities, the stronger your legitimate interest argument becomes. This is why targeting and personalization are not just performance levers in the EU. They are part of the compliance posture.
The ePrivacy Directive, PECR, and Why B2B Differs From B2C
GDPR is not the only rule in play. The ePrivacy Directive governs electronic communications specifically, and each EU country implements it in its own national law. In the UK, the equivalent is PECR (the Privacy and Electronic Communications Regulations), which sits alongside the UK's version of GDPR after Brexit.
Here is the distinction that matters most for outbound. Under many national implementations of ePrivacy, unsolicited marketing email to individual consumers (B2C) generally requires prior consent. But rules for business recipients are often treated differently. In some countries, sending to a corporate or role-based business address on a legitimate-interest basis is more permissible than emailing a private individual, especially when the message is relevant to that person's professional role.
That difference is real, but it is not universal and it is not a free pass. Some member states apply consent-style expectations even in a B2B context, and the safe harbor for "business" email is narrower than many senders assume. Treat the B2C-versus-B2B distinction as a reason to be careful and country-aware, not as permission to blast every business address you can find.
What a Compliant Cold Email Needs
Compliance is less about a single magic step and more about consistently doing several things right. A defensible B2B cold email in the EU generally includes all of the following:
| Requirement | What it means in practice |
|---|---|
| Relevance to the role | The message clearly fits the recipient's job and responsibilities, which strengthens legitimate interest and reduces complaints |
| Clear sender identity | Your real company name, a genuine reply address, and a physical or verifiable business identity, no hiding who you are |
| Easy opt-out | A simple, obvious way to unsubscribe or object in every message, at no cost or friction to the recipient |
| Honored unsubscribes | Opt-outs are processed promptly and permanently, and that person is never emailed again |
| Lawful data sourcing | Contact data obtained through legitimate means, not scraped in violation of terms or bought from dubious sources |
| Records and documentation | You can show where the data came from, why you believe legitimate interest applies, and how you handle objections |
| Honesty in content | No misleading subject lines, no deceptive framing, no pretending to be a prior contact |
None of these are exotic. They describe outreach that is relevant, transparent, and respectful, which also happens to be the outreach that performs best. Compliance and good outbound point in the same direction.
Country-by-Country Strictness
One of the biggest traps is assuming GDPR is uniform across Europe. GDPR itself is an EU-wide regulation, but the ePrivacy rules that govern marketing email are implemented country by country, and enforcement culture varies widely.
A few realities to plan around:
- Germany is notably strict. German rules and case law have historically taken a hard line on unsolicited commercial email, and consent expectations can extend into B2B contexts more than in some neighboring countries.
- Rules vary by member state. What is defensible under a legitimate-interest approach in one country may face a consent expectation in another. There is no single EU-wide answer to "is this specific email fine."
- Enforcement appetite differs. Some national regulators are more active than others. A practice that goes unchallenged in one market can draw complaints in another.
The practical takeaway: if you are targeting multiple EU countries, do not design for the most permissive interpretation. Design for the stricter end of the range you are actually mailing into, and get local legal input for the markets that matter most to you, starting with the strict ones like Germany.
Practical Do's and Don'ts
Translating all of this into day-to-day operating rules:
Do:
- Target tightly so every recipient's role genuinely fits the offer.
- Personalize enough that the relevance is obvious, not generic.
- Identify yourself honestly with a real company and reply address.
- Include a clear opt-out in every message and honor it immediately.
- Source data lawfully and keep records of where it came from.
- Document a legitimate-interest assessment before each campaign.
- Get local legal advice for the countries you are serious about.
Don't:
- Buy scraped or dubious lists and assume they are fine to email.
- Send irrelevant, generic pitches to broad address dumps.
- Ignore or delay unsubscribe requests.
- Use misleading subject lines or fake "re:" threads.
- Assume "it's B2B" means GDPR and ePrivacy do not apply.
- Treat one country's permissiveness as the standard for all of Europe.
Keep in Mind: The Real Risks
The consequences of getting this wrong are not abstract, and they land in two places at once.
How the Pieces Fit Together
If you zoom out, EU compliance and effective outbound are the same discipline described two ways. Relevance protects your legitimate-interest basis and it lifts reply rates. Clean, lawfully sourced data keeps you defensible and it keeps your bounce rate under 2 percent. Honoring opt-outs is both a legal obligation and basic reputation hygiene. The teams that treat compliance as a targeting-and-records problem, rather than a legal afterthought, tend to run outbound that is both safer and better.
In the EU, compliance and good outbound are the same thing wearing different clothes. Relevance is your lawful basis and your reply rate. Clean data is your defense and your deliverability. Build the system to be relevant and honest, and most of the compliance question answers itself.
For the technical side of protecting deliverability, our SPF, DKIM, and DMARC guide for cold email covers the authentication that keeps compliant mail landing. And if you want the fuller picture of how targeting and records fit into a managed program, our managed outbound services page describes how we build it, or you can browse case studies to see the approach in action.
Ready for Outbound That Is Relevant and Defensible?
Sending into Europe means designing outreach that is relevant to the recipient, clean in its data sourcing, and documented well enough to stand behind. We build compliant, relevance-first outbound and keep clean records as part of the system, so sending into the EU becomes a targeting and documentation discipline rather than a legal gamble.
Frequently Asked Questions
A strong positive reply rate for B2B cold email is 1.5–3%. Top-performing campaigns with tight targeting and personalized copy can hit 4–5%. If you're below 1%, it usually signals a deliverability or messaging problem — not a volume problem.
The safe range is 30–50 emails per inbox per day for warmed inboxes. That's why outbound systems use multiple inboxes (we use 80) — to reach 40,000+ monthly sends while keeping each inbox well within safe limits. Sending more than 50/day from a single inbox risks spam folder placement.
Yes. The CAN-SPAM Act permits unsolicited commercial email as long as you include a physical address, an unsubscribe mechanism, accurate headers, and non-deceptive subject lines. Unlike GDPR in Europe, the US does not require prior opt-in consent for B2B cold outreach.
Domain warm-up typically takes 2–3 weeks. During this period, sending volume gradually increases while the email warm-up tool generates positive engagement signals (opens, replies) to build sender reputation. Skipping or rushing warm-up is the most common cause of deliverability problems.
Cold email is targeted, relevant outreach to a specific person based on their role, industry, or company — with a clear business reason. Spam is untargeted mass messaging with no personalization or relevance. The distinction matters legally (CAN-SPAM compliance) and practically (deliverability depends on relevance signals).

Dimitar Petkov
Co-Founder of LeadHaste. Builds outbound systems that compound. 4x founder, Smartlead Certified Partner, Clay Solutions Partner.


