GDPR · Deliverability

Is cold email legal under GDPR? The 2026 operator’s guide

June 15, 2026 · 6 min read · by Ahmet Faruk Yilmaz, Founder of Asphia

TL;DR

Yes, B2B cold email is legal under GDPR when you rely on legitimate interest, target relevant business roles, and give a real opt-out. The lawful basis is the easy part. Provable targeting, suppression, and records are what keep you safe.

Yes, cold email is legal under GDPR. B2B outbound can rely on legitimate interest rather than consent when you target the right roles and offer a real opt-out. The lawful basis is the easy part. You also need to prove why you targeted each role, honor every opt-out, and keep the records. This is the framework we use for clients across the EU.

GDPR gives you six lawful bases to process personal data. For B2B cold email, the one that matters is legitimate interest (Article 6(1)(f) GDPR).

You do not need prior consent to email a relevant decision-maker about a relevant business problem. You need a defensible reason, minimal data, and an easy exit.

Three conditions make legitimate interest hold up:

  • Purpose: you have a genuine commercial reason to reach this person.
  • Necessity: contacting them is a reasonable way to pursue it.
  • Balance: your interest does not override their rights and expectations.

A founder pitching a CFO a tool that cuts close times is squarely inside this. A vendor blasting 50,000 personal Gmail addresses about crypto is not. The line is relevance, not volume.

Run a Legitimate Interest Assessment (LIA) once per offer. Write down who you target, why, and how you limit harm. One page is enough. If a regulator asks, you have a record ready. Most teams skip this despite how little work it takes.

[Image: Rollsafe meme, "cannot get a GDPR fine for cold email if you document your legitimate interest assessment".] The LIA is one page. The fine for skipping it is not.

GDPR vs the ePrivacy Directive: two laws, not one

Most “is cold email legal” confusion comes from mixing up two rules.

GDPR governs how you handle personal data. The ePrivacy Directive governs electronic marketing messages, and each EU country implements it differently. Cold email touches both.

Dimension           | GDPR                        | ePrivacy (national law)
--------------------|-----------------------------|---------------------------------
What it covers      | Processing personal data    | Sending marketing messages
B2B email default   | Legitimate interest allowed | Often allowed, varies by country
B2C email default   | Stricter, lean on consent   | Consent usually required
Who sets the detail | EU-wide regulation          | Each member state
The opt-out rule    | Right to object             | Unsubscribe must be honored

Practical takeaway: GDPR is broadly consistent across the EU. ePrivacy is where countries diverge. So your lawful basis can be solid everywhere while your sending rules still need a country check.

Country rules that change the playbook

We send in five languages: English, Dutch, German, Arabic, and Turkish. The rules are not uniform. These country differences matter most:

  • Germany (UWG): the strictest market in our book. German courts have treated unsolicited B2B email as needing prior consent or a very tight existing-interest argument. We tighten targeting hard here and lean on warm signals. Do not treat Germany like the Netherlands.
  • Netherlands: B2B-friendly. Legitimate interest with relevant targeting and a clean opt-out works well. This is one of our highest-deliverability markets.
  • France (CNIL): B2B cold email is allowed when the message relates to the recipient’s profession. The role-relevance test is explicit here, so generic blasts get punished.
  • Austria: tracks close to Germany. Treat it as a consent-leaning market.
  • UK (UK GDPR plus PECR): post-Brexit but materially similar. Corporate subscribers (companies, LLPs) can be emailed under legitimate interest. Sole traders and partnerships get B2C-style protection.

The pattern: northern and western B2B markets accept legitimate interest. German-speaking markets demand more proof and tighter relevance. Build that into segmentation, not into a disclaimer at the bottom of the email.

What “compliant cold email” actually requires

Lawful basis is one box. These are the rest. We treat them as non-negotiable on every campaign.

Targeting you can defend

  • Email people whose job is relevant to your offer, at companies that fit your ICP.
  • Use business roles, not scraped personal inboxes. A CFO at a 200-person firm is fair game. Their personal Gmail is not.
  • Keep the relevance obvious from the first line. If you cannot explain why this person specifically, do not send.

Identity and transparency

  • Use a real domain, real name, real signature. No spoofing, no fake aliases.
  • State who you are and why you are reaching out. One sentence.
  • Link to a privacy notice that explains the legitimate interest basis and where you sourced the data.

Opt-out and suppression

  • Every email gets a clear, working opt-out. Plain language beats a 6-pixel “unsubscribe”.
  • Honor objections immediately and permanently. One global suppression list across every tool and inbox.
  • An opt-out in Smartlead must also block that person in Heyreach. Silos are how you get complaints.

Data minimization and retention

  • Hold only what you need: name, role, company, business email, the personalization signal.
  • Do not hoard. Purge contacts who never engaged and everyone who opted out (keep opt-outs only as a do-not-contact flag).
  • Be ready to answer access and deletion requests. If you cannot, you are not compliant; you are lucky.

How we run GDPR-native outbound at Asphia

Compliance is not a checkbox at the end of a campaign. It is part of the operating system. Here is the stack and process we use.

  1. Source and enrich in Clay and Apollo. We pull role, company, and a personalization signal. We do not scrape personal addresses.
  2. Segment by country before a single email goes out. Germany and Austria get tighter rules and warmer signals. The Netherlands and France run standard legitimate interest.
  3. Send through Sendkit and Manyreach for email, with Smartlead and Instantly handling rotation and warmup. LinkedIn runs through GetSales and Heyreach.
  4. Suppress globally. One opt-out list feeds every tool. Object once, you are out everywhere.
  5. Log everything: source of data, lawful basis, send timestamps, opt-out events. If a DPA asks, we produce the trail in minutes.
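The suppression, retention and logging rules from the checklist above and from steps 4 and 5, as an added example that is not Asphia's code: one store that every tool consults before sending, opt-outs kept only as hashed do-not-contact flags, and an audit entry per event. The 24-month window, the event names and the tool labels passed in are assumptions; any contacts fed to it are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 24 * 30  # assumption: retire records after 24 months with no engagement

def key(email: str) -> str:
    """Normalize, then hash: an opt-out lives on as a do-not-contact flag, not a profile."""
    return hashlib.sha256(b"dnc:" + email.strip().lower().encode()).hexdigest()

@dataclass
class Contact:
    email: str
    source: str          # where the record came from, e.g. "clay" or "apollo"
    lawful_basis: str    # e.g. "legitimate_interest"
    last_engaged: datetime

@dataclass
class OutboundStore:
    contacts: dict[str, Contact] = field(default_factory=dict)
    suppressed: set[str] = field(default_factory=set)  # one list shared by every tool
    audit: list[dict] = field(default_factory=list)    # the trail a DPA would ask for

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})
    def add(self, c: Contact) -> bool:
        """Import a sourced contact unless they objected before (survives a data refresh)."""
        k = key(c.email)
        if k in self.suppressed:
            self._log("import_blocked", source=c.source, subject=k)
            return False
        self.contacts[k] = c
        self._log("import", source=c.source, lawful_basis=c.lawful_basis, subject=k)
        return True
    def opt_out(self, email: str, tool: str) -> None:  # any tool's objection suppresses everywhere
        self.suppressed.add(key(email))
        self.contacts.pop(key(email), None)
        self._log("opt_out", tool=tool, subject=key(email))
    def can_send(self, email: str, tool: str) -> bool:  # every tool asks the same list first
        allowed = key(email) not in self.suppressed and key(email) in self.contacts
        self._log("send_check", tool=tool, allowed=allowed, subject=key(email))
        return allowed
    def purge_stale(self, now: datetime) -> list[str]:
        """Storage limitation: drop contacts with no engagement inside the retention window."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        stale = [k for k, c in self.contacts.items() if c.last_engaged < cutoff]
        emails = sorted(self.contacts.pop(k).email for k in stale)
        self._log("purge", count=len(emails), reason="no_engagement")
        return emails
```

The audit entries carry the hashed subject rather than the address, so the trail can be produced without becoming a second copy of the prospect list.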

We tested the “blast and pray” approach against tight targeting on real client campaigns. Tight targeting produced better reply rates and lower complaint rates. There was no tradeoff between compliance and performance. Fewer complaints improved deliverability and led to more booked meetings.

Our clients pay for booked meetings, not for activity. That puts the commercial incentive in the same direction as compliance. Spam does not book meetings with serious buyers. It damages domains and brands. Outcome-based pricing rewards narrow targeting, which is also what GDPR requires. Teams that want this handled end-to-end can see how a GDPR-compliant cold email agency operationalizes these requirements.

The 5 mistakes that actually get you in trouble

We have seen these sink sender reputations and trigger complaints. Avoid all five.

  • Treating the whole EU as one market. Germany is not the Netherlands. Segment or pay for it.
  • One-tool suppression. Someone opts out of email, then gets a LinkedIn request. That is a complaint waiting to happen.
  • No paper trail. If you cannot show your lawful basis and data source, “trust me” is not a defense.
  • Personal inboxes and irrelevant contacts. Scraped Gmail lists are the fastest path to a regulator’s attention.
  • Hidden or broken opt-outs. Make it one click. Honoring it instantly is cheaper than any fine.

To send cold email legally under GDPR, target relevant business roles under legitimate interest, segment by country, suppress opt-outs globally, and keep records. Our B2B cold email agencies in the UK and the Netherlands both operate under this framework.


FAQ

Is cold email illegal under GDPR?

No. B2B cold email is legal under GDPR when you rely on legitimate interest, target people whose job is relevant to your offer, and provide a clear opt-out in every message.

Do I need consent before sending a cold email in Europe?

Not for most B2B email. GDPR allows legitimate interest as a lawful basis. Consent is mainly required for B2C and in stricter countries like Germany and Austria.

Can I cold email a personal-looking address like [email protected]?

Yes if it is a clear work role at a business and your offer is relevant to that role. Avoid generic free inboxes and anyone who has opted out.

What is a Legitimate Interest Assessment and do I actually need one for cold email?

A Legitimate Interest Assessment (LIA) is a short written record explaining who you target, why your interest outweighs their privacy rights, and how you minimize harm. You are not legally required to use a template, but having one on file is your best defense if a regulator or recipient objects. One page is enough.

How long can I keep prospect data for cold email prospecting under GDPR?

GDPR requires data minimization and storage limitation. For cold email, keep prospect records only as long as there is a live commercial reason. Most practitioners retire records after 12 to 24 months with no engagement. Suppress opt-outs permanently so you never re-contact them, even after a data refresh.

Does GDPR cold email compliance differ for small businesses versus enterprise?

The rules are the same regardless of company size. What differs is enforcement risk: larger volumes attract more scrutiny. Small senders operating with clean targeting, low complaint rates, and a suppression list rarely draw regulatory attention. The compliance checklist (LIA, opt-out, transparency) applies at any scale.

Ahmet Faruk Yilmaz

Founder of Asphia. He builds and runs signal-based B2B outbound engines for lean teams, and has booked meetings with teams at companies across five markets. Writes about cold email, Clay, deliverability, and GTM engineering.
