GDPR Cold Email B2B in 2026: What's Legal, What's Not, and How to Stay Compliant


Table of Contents

  1. Can You Legally Send Cold Emails Under GDPR in 2026?
  2. Legitimate Interest: The Legal Basis That Makes B2B Cold Email Possible
  3. GDPR vs ePrivacy: Which Law Actually Governs Your Cold Emails?
  4. Country Risk Tiers: Where You Can (and Can't) Cold Email in Europe
  5. The GDPR-Compliant Cold Email Checklist (2026)
  6. Real GDPR Enforcement Cases That Should Scare You (2024-2026)
  7. How to Build a Compliant B2B Prospect List From Scratch
  8. GDPR-Compliant Cold Email Template (Copy-Paste Ready)
  9. FAQ — GDPR Cold Email Questions Answered

€7.1 billion. That's how much European regulators have collected in GDPR fines since May 2018, according to the DLA Piper GDPR Survey (January 2026). And roughly 35% of those fines involved consent violations. Read that again.

So can you send cold emails under GDPR in 2026? Short answer: yes. Longer answer: yes, but only if you stop treating GDPR like a scary boogeyman and start treating it like what it actually is — a rulebook with specific moves you're allowed to make.

Here's what most sales reps get wrong. They hear "GDPR" and assume the whole continent is off limits for B2B cold email. That's not true. GDPR cold email is legal in most of Europe — when done right. The catch? You need a legal basis — and no, "my boss told me to send 5,000 emails this week" doesn't count.

The magic words are legitimate interest. Article 6(1)(f) of the GDPR explicitly allows data processing — including sending emails — when you have a legitimate business reason that doesn't override the recipient's privacy rights. For B2B, this is your golden ticket. But (and this is the part everyone skips) you need to document it. More on that in a second.

If you want the full picture on cold email legality beyond just GDPR — CAN-SPAM, CASL, the whole lot — check out our cold email compliance guide. This article goes deep on the GDPR-specific stuff that'll keep your B2B outreach out of trouble.

Legitimate Interest: The Legal Basis That Makes B2B Cold Email Possible

You don't need consent. Let me say that louder for the people in the back: you do not need explicit consent to send a B2B cold email under GDPR. What you need is something arguably better — a documented business reason that passes a three-part test.

This concept is called legitimate interest, and it's backed by Recital 47 of the GDPR, which explicitly states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." That's not some legal loophole someone found on Reddit. It's in the actual regulation.

But here's where most teams mess up: they assume legitimate interest means "I think my product is relevant." Nope. You need a formal Legitimate Interest Assessment (LIA) on file. And it has three parts.

The Three-Part LIA Test (Purpose, Necessity, Balancing)

Purpose test: Why are you contacting this person? "They're a VP of Sales at a SaaS company and we sell sales enablement tools" works. "They have an email address" does not.

Necessity test: Is email the least intrusive way to reach them? For B2B professional contacts, the answer is almost always yes — you're not going to show up at their office door. (Well, you could, but that's a different article.) The key here: you should only process the minimum data necessary. Name, business email, company, role. That's it. No personal phone, no home address.

Balancing test: Would the recipient reasonably expect to receive your email? A marketing director receiving a pitch about email analytics? Expected. A dentist receiving a pitch about enterprise DevOps tools? Not so much. This is where relevance saves you — or buries you.

The UK ICO provides a free LIA template that walks you through all three tests. Download it. Fill it in. Keep it on file. If a DPA ever comes knocking, this document is your alibi.

Quick thought on consent vs legitimate interest — I see this debate on r/GrowthHacking all the time. People asking "should I get opt-in consent for B2B?" And honestly? If you can get consent, great. But for cold outreach by definition, you can't get consent before the first touch. That's why legitimate interest exists. It's not a shortcut. It's the designed mechanism for this exact scenario.

One more thing. The distinction between double opt-in and single opt-in matters more for your ongoing email marketing than for cold outreach — but it's worth understanding where cold email stops and email marketing begins.

B2B vs B2C Under GDPR — Why It Matters

Massive difference. And most guides treat them the same. Don't.

B2C cold email under GDPR is basically dead. Consumers have strong privacy expectations, DPAs are aggressive about enforcement, and legitimate interest is almost impossible to argue when you're emailing someone's personal Gmail about protein powder.

B2B is different. When you email a professional at their work address about something relevant to their job, the balancing test tilts in your favor. They're acting in a professional capacity. They expect vendor outreach. Recital 47 was practically written for this use case.

But — and I cannot stress this enough — "B2B" doesn't mean "anything goes." You still need role relevance. You still need an opt-out. You still need to know which country they're in, because that changes everything.

GDPR vs ePrivacy: Which Law Actually Governs Your Cold Emails?

This is the part nobody talks about loud enough.

GDPR governs how you process personal data. The ePrivacy Directive (2002/58/EC) governs electronic communications specifically. For cold email, the ePrivacy rules often take precedence over GDPR — and here's the painful part: each EU country implements the ePrivacy Directive differently.

So you can be GDPR-compliant and still break the law in Germany. Fun, right?

Germany's UWG (Unfair Competition Act) requires prior consent for B2B commercial emails in most cases. France's CNIL allows legitimate interest for B2B but demands strict opt-out mechanisms. The UK (post-Brexit) follows PECR, which is relatively permissive for B2B.

This is why "is cold emailing legal in Europe?" has no single answer. B2B cold email regulations vary wildly by country. And that's exactly why the next section exists.

Country Risk Tiers: Where You Can (and Can't) Cold Email in Europe

Picture this. A SaaS founder in Berlin sends the exact same cold email to a prospect in Munich and another in Dublin. Same email, same product, same offer. One is perfectly legal. The other could trigger a €50K fine.

Welcome to European cold email compliance.

Here's how I'd tier the risk, based on current enforcement patterns and local ePrivacy implementations:

| Risk Tier | Countries | Rule Summary | What It Means for You |
|---|---|---|---|
| High Risk | Germany, Austria | Prior consent typically required even for B2B (UWG in Germany) | Avoid cold email unless you have explicit opt-in or an existing business relationship |
| Moderate Risk | France, Netherlands, Spain, Italy | Legitimate interest accepted with strict LIA documentation and opt-out | Cold email OK if you document your LIA and include a clear unsubscribe |
| Lower Risk | UK, Ireland, Sweden, Denmark, Finland | B2B "soft opt-in" generally accepted; more permissive ePrivacy rules | Standard compliance (opt-out, relevant targeting, sender ID) is usually sufficient |

High Risk: Germany & Austria

Germany is the strictest market in Europe for cold email. Period. The UWG (Gesetz gegen den unlauteren Wettbewerb) requires prior consent for most commercial emails, even B2B ones. Austrian law follows a similar approach.

Does that mean you can never email a German prospect? Not exactly. If you have an existing business relationship or if the person has clearly made their contact info available for business inquiries (like on a company website's "contact sales" page), you might have a case. But "I found their email on LinkedIn" won't cut it.

My advice? Unless you have legal counsel confirming your specific use case, treat Germany and Austria as opt-in-only markets. The risk just isn't worth it.

Moderate Risk: France, Netherlands, Spain

France is interesting. CNIL (the French DPA) accepts legitimate interest for B2B cold email — but they expect you to prove it. Strict LIA documentation, relevant targeting, easy opt-out. The CNIL has been aggressive with fines in 2024-2025 (more on that in the enforcement section), so sloppy compliance gets punished fast.

The Netherlands and Spain operate similarly. Legitimate interest works, but the DPAs are active and fines are real. If you're going to avoid sending spam in your prospecting campaigns, these markets require you to actually mean it.

Lower Risk: UK, Ireland, Nordics

The UK's PECR (Privacy and Electronic Communications Regulations) is the friendliest framework for B2B cold email in Europe. Post-Brexit, the UK follows its own data protection rules, and B2B commercial emails sent to corporate subscribers generally don't require prior consent — just a valid opt-out mechanism.

Ireland, Sweden, Denmark, and Finland are also relatively permissive for B2B outreach. The emphasis is on responsible targeting and easy unsubscription rather than blanket consent requirements.

That said, "lower risk" doesn't mean "no risk." You still need the basics: sender identity, relevant content, working unsubscribe. Lazy mass emailing will get you flagged anywhere.

The GDPR-Compliant Cold Email Checklist (2026)

Knowing the law exists isn't the same as knowing you're compliant with GDPR cold email rules. I've seen too many teams who "know about GDPR" but can't actually pass a 10-point audit. Try asking your sales team to explain their legitimate interest documentation. Go ahead. I'll wait. So here it is — the checklist you should run through before every campaign.

  1. Targeting B2B professional addresses only — no personal emails, no gmail/yahoo for individual consumers
  2. Documented Legitimate Interest Assessment (LIA) on file — the three-part test, written down, stored somewhere findable
  3. Data source is traceable and lawful — you can prove where every email came from
  4. Sender identity is clear — your real name, real company, real domain. No hiding behind "John from Company X" with a burner domain
  5. Clear opt-out/unsubscribe mechanism included — one click, works immediately, no "we'll process your request in 30 days" nonsense
  6. Email content is relevant to recipient's professional role — a CMO getting a pitch about marketing analytics? Fine. A CMO getting a pitch about forklift parts? Not fine
  7. SPF, DKIM, DMARC authentication configured — technical compliance matters. Unauthenticated emails = spam folder = wasted effort anyway
  8. Data processing records maintained (Article 30 GDPR) — you need a record of what data you hold, why, and how long
  9. Country-specific ePrivacy rules verified — Germany ≠ UK ≠ France. Check before you send
  10. Data deletion process in place for opt-outs — when someone opts out, their data goes. Not into a "suppression list that we'll get to eventually." Gone
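The mechanical parts of this checklist (B2B addresses only, the country risk tiers from the table above, role relevance, a traceable source, an LIA on file, and an opt-out that takes effect immediately) can be enforced as a pre-send gate. The code below is an added example, not code from the article or from Scrap.io; the freemail domain list, ISO country codes, and sample prospects are constructed assumptions for illustration.

```python
"""Pre-send compliance gate for a B2B cold-email campaign (added example)."""
from dataclasses import dataclass, field

# Consumer mailbox providers: checklist item 1 (B2B addresses only). Constructed list.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Country risk tiers from the article's table, keyed by ISO 3166-1 alpha-2 code (assumed).
RISK_TIER = {
    "DE": "high", "AT": "high",
    "FR": "moderate", "NL": "moderate", "ES": "moderate", "IT": "moderate",
    "GB": "lower", "IE": "lower", "SE": "lower", "DK": "lower", "FI": "lower",
}


@dataclass
class Prospect:
    email: str
    country: str            # ISO alpha-2 code of the recipient's country
    role: str
    source: str             # where the address came from (traceability, item 3)
    has_opt_in: bool = False  # explicit consent or an existing business relationship


@dataclass
class Campaign:
    relevant_roles: set
    lia_reference: str      # identifier of the Legitimate Interest Assessment on file
    suppression: set = field(default_factory=set)  # opted-out addresses (item 10)


def check_prospect(p: Prospect, c: Campaign) -> list[str]:
    """Return the checklist items this prospect fails; an empty list means 'may send'."""
    reasons = []
    domain = p.email.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        reasons.append("consumer mailbox (item 1)")
    if not c.lia_reference:
        reasons.append("no LIA on file (item 2)")
    if not p.source:
        reasons.append("untraceable data source (item 3)")
    if p.role not in c.relevant_roles:
        reasons.append("role not relevant to offer (item 6)")
    tier = RISK_TIER.get(p.country.upper())
    if tier is None:
        reasons.append(f"no ePrivacy rule recorded for {p.country} (item 9)")
    elif tier == "high" and not p.has_opt_in:
        reasons.append("opt-in market without consent (item 9)")
    if p.email.lower() in c.suppression:
        reasons.append("recipient opted out (item 10)")
    return reasons


def record_opt_out(c: Campaign, email: str) -> None:
    """Honour an unsubscribe immediately: suppress the address for every future send."""
    c.suppression.add(email.lower())
```

Run the gate over every prospect before the message is queued, and route anything with a non-empty reason list to a review queue rather than the outbox.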

And while you're at it, make sure your follow-up sequences are compliant too. A GDPR-safe first email means nothing if your third follow-up is a desperate "just bumping this to the top of your inbox!!!" with no unsubscribe link.

Only 24% of email marketers are fully GDPR compliant right now. Which means 76% are flying blind. Don't be in that group.

Real GDPR Enforcement Cases That Should Scare You (2024-2026)

330+ fines issued by European DPAs in 2025 alone. That's almost one per day. And the CMS GDPR Enforcement Tracker now lists 2,245 documented fines through early 2026. This isn't theoretical risk. It's Tuesday.

Here are the cases that should actually change how you operate:

| Company | Fine | DPA / Year | Violation |
|---|---|---|---|
| SOLOCAL | €900,000 | CNIL, 2025 | Commercial emails without sufficient legal basis |
| Orange France | €50,000,000 | CNIL, 2024 | Embedded ads in emails without clear consent |
| Carrefour Spain | €3,050,000 | AEPD, 2024-2025 | Failed to process unsubscribe requests |
| Verkada (US) | $2,950,000 | FTC, 2024 | Missing unsubscribe links (CAN-SPAM) |

SOLOCAL — €900K (CNIL, 2025)

This one hits closest to home. SOLOCAL Marketing Services got fined €900,000 by CNIL for sending commercial prospecting emails without a sufficient legal basis. That's not "they forgot a checkbox." That's "they couldn't prove why they were emailing these people."

The takeaway? Your LIA documentation isn't a nice-to-have. It's the thing that separates a €900K fine from a normal workday.

Orange — €50M (CNIL, 2024)

Orange France got hit with a €50 million fine for embedding advertising in emails without obtaining clear consent. Now, this was broader than cold email — it involved existing customer communications with embedded ads. But the principle applies: if the person didn't agree to receive commercial content, you're exposed.

And €50 million. For emails. Let that sink in.

Carrefour — €3.05M (AEPD, 2024-2025)

Carrefour Spain got fined €3.05 million by the Spanish DPA for failing to process unsubscribe requests from customers. People clicked "unsubscribe" and kept getting emails. That's not a GDPR gray area — that's just broken compliance infrastructure.

If your opt-out mechanism doesn't work instantly and reliably, you're sitting on a ticking fine. How hard is it to build a working unsubscribe? Apparently too hard for a company worth billions. Fix yours before the DPA does.

And for perspective beyond Europe: Verkada (a US security company) got slapped with a $2.95 million fine by the FTC plus a 20-year compliance program for missing unsubscribe links in commercial emails. CAN-SPAM, not GDPR — but the message is global. Regulators everywhere are watching your outbox.

As one poster on r/coldemail put it: "The question isn't whether you'll get caught. It's whether your documentation holds up when you do." Couldn't have said it better.

Want to avoid becoming the next case study? Start by not making the 7 most common cold email mistakes — some of them are compliance landmines.

How to Build a Compliant B2B Prospect List From Scratch

So where do GDPR-safe leads actually come from? Not from buying a 50,000-contact list off the internet. (I know. We've all been tempted.)

You think a purchased list from some vendor in a Telegram group counts as GDPR-compliant email outreach? Please. Purchased lists are a compliance nightmare: you can't verify the data source, the contacts are usually stale, and your complaint rate will tank your domain reputation before any DPA even gets involved.

The smart play? Build your own list from verifiable public sources. Here's why this matters legally:

Traceability is your best friend under GDPR. When a DPA asks "where did you get this person's data?", the answer needs to be specific. "We bought a list" is a red flag. "This business has a public listing on Google Maps with their business email, phone number, and address — and we targeted them because they match our ICP by industry and location" is an audit-proof answer.

This is exactly what Scrap.io does. Every lead comes from Google Maps — publicly listed business data with a verifiable source. You get the company name, business email, phone, website, location, reviews, and more. And because you filtered by industry, location, and business type, you can document the "purpose" and "necessity" parts of your LIA with actual specifics.

Hyper-targeted micro-lists of 500-1,000 recipients consistently outperform mass blasts. We're talking 20-30% reply rates (Instantly.ai case studies, 2026) versus the 1-2% you get from spraying purchased lists at the wall. Compliant campaigns also see 38% higher open rates and 68% higher click-through rates on average. Turns out, sending relevant emails to the right people works better. Who knew.


Build a GDPR-compliant prospect list in minutes. Scrap.io pulls verified business contacts from Google Maps — fully traceable, filterable by industry and location, ready for your LIA documentation. Try it free: 7 days + 100 leads.


GDPR-Compliant Cold Email Template (Copy-Paste Ready)

A compliant cold email isn't a boring one. It's a clear, relevant, traceable one. Here's a template you can actually use — with annotations on what each element satisfies legally.

Subject: [Specific pain point] for [Company name]

Body:

Hi [First name],

I noticed [specific observation about their business — pulled from public data]. [Company name] looks like it's [relevant context about their situation].

We help [type of business] [specific outcome]. For example, [real client or case study] saw [specific result] after [timeframe].

Would it make sense to chat for 15 minutes this week?

Best,
[Your name]
[Your company] — [Website]

📌 You're receiving this because [specific reason — e.g., "your business is listed as a [industry] company in [location]"]. Unsubscribe here.

Let me break down what makes this compliant:

  • "I noticed [specific observation]" → Demonstrates the purpose test (you have a reason for contacting them)
  • "We help [type of business]" → Shows relevance to their professional role (balancing test)
  • "You're receiving this because..." → Transparency on data source (Article 14 GDPR)
  • "Unsubscribe here" → Working opt-out mechanism (ePrivacy + GDPR right to object)

And yeah — this template works a lot better when your data actually includes business context. If all you have is a name and email, your personalization is going to sound fake. Tools like AiSDR have shown that AI-driven compliance-first campaigns can hit 12.7% reply rates across 25,000+ emails. The secret isn't magic copy. It's relevant data + clean targeting.

For more on writing cold emails that get responses (not just stay legal), check out our guide on how to write a cold email.

Want leads that come with a built-in compliance trail? Scrap.io gives you verified business data from Google Maps — with the source traceability your LIA needs.


FAQ — GDPR Cold Email Questions Answered

Can I send cold emails to EU business contacts without consent under GDPR?

Yes, in most EU countries. Article 6(1)(f) allows processing based on legitimate interest. For B2B, this means you can email a professional at their business address if your offer is relevant to their role, you document your reasoning (LIA), and you provide a clear opt-out. However, Germany requires prior consent even for B2B under its stricter ePrivacy implementation (the UWG). Always check the country-specific rules before sending.

What's the difference between GDPR and the ePrivacy Directive for cold email?

GDPR governs how you process personal data — collection, storage, usage. The ePrivacy Directive governs electronic communications specifically — whether you can send that email in the first place. For cold email, ePrivacy rules often take precedence, and they vary by country. Some countries (UK, France) are more permissive for B2B; others (Germany) require consent. You need to comply with both.

How much can I be fined for non-compliant cold emails under GDPR?

Maximum penalties reach €20 million or 4% of global annual turnover — whichever is higher. In practice, B2B cold email fines range from €500 for small businesses to €900,000+ (SOLOCAL, CNIL 2025). The total GDPR fines exceeded €7.1 billion by early 2026. Don't assume your company is too small to attract attention — fines of under €200K against SMEs are well documented.

How do I document legitimate interest for B2B cold email?

Complete a Legitimate Interest Assessment (LIA) covering three tests: Purpose (why you're contacting them), Necessity (why email is the appropriate and least intrusive channel), and Balancing (their privacy rights vs. your business interest). Keep this on file. The UK ICO provides a free LIA template you can use as a starting point. Update your LIA whenever your targeting criteria or data sources change.

Can I buy email lists and cold email under GDPR?

Technically possible, but extremely risky. You must verify the list provider obtained data lawfully, and you need to document a legitimate interest for each contact category. In practice, purchased lists come with high complaint rates, stale data, and zero traceability — exactly the things DPAs look for when investigating. Building your own list from verifiable public sources (like Google Maps business data via Scrap.io) is safer, more effective, and gives you the documentation trail GDPR demands.

Oh, and one more thing: on Quora, people still ask "can I cold email in Europe?" like it's a yes/no question. It isn't. The answer depends on your data source, your documentation, your targeting, and which country you're emailing into. Now you know.

In short: B2B cold email under GDPR isn't illegal. It's just not a free-for-all. The teams that win are the ones who invest 30 minutes in documentation and targeting instead of blasting 10,000 strangers and hoping nobody complains.

If there's one thing to take from this article, it's that compliance and performance are the same thing. Targeted, relevant, well-documented outreach gets better reply rates, lower complaint rates, and zero fines. Mass-blasting garbage lists gets you blacklisted, reported, and fined.

The math is obvious. Do the work.

Start your GDPR-compliant prospecting today. Scrap.io gives you verified business leads from Google Maps — traceable data, precise filters, compliance built in. 7 days free, 100 leads on us.
