Is Cold Email Legal in Europe? GDPR Cold Email, Plainly

A plain-English guide to GDPR cold email for B2B outreach in Europe - what's legal, what's not, and how to run compliant campaigns.

Is Cold Email Legal in Europe? GDPR Cold Email, Plainly

You want to email prospects in Europe. Someone on your team said "that's illegal under GDPR." Someone else said "everyone does it, don't worry." Both are wrong in the way that gets you into trouble.

This is the plain version. No legal cosplay, no scare tactics. Just what GDPR cold email actually means for B2B outreach, what you can send, and how to run campaigns that survive both a regulator and a spam filter.

Quick disclaimer: this is practical guidance, not legal advice. If you're worried about a specific case, talk to a lawyer in the relevant country. Now let's get into it.

Is cold email legal in Europe under GDPR?

Yes - cold B2B email is legal in most of Europe if you have a lawful basis, you're relevant to the recipient's job, and you honor opt-outs. GDPR does not ban cold outreach. It regulates how you handle personal data and demands you justify why you're processing it.

The confusion comes from mashing two different rules together. GDPR governs personal data (names, work emails, job info). The ePrivacy rules - implemented differently in each country - govern electronic marketing. B2B cold email lives at the intersection of both, and the details shift depending on whether you're emailing Germany, France, or the UK.

So the honest answer is: legal, but conditional. The conditions are learnable and most of them are just good sending hygiene anyway.

What is the lawful basis for cold email under GDPR?

For B2B cold email, the usual lawful basis is legitimate interest - not consent. You don't need someone to opt in before you send a relevant business message. You need a defensible reason to process their data and proof you weighed their rights against yours.

Legitimate interest requires a simple, documentable balancing test. Ask yourself three things:

  • Is the message genuinely relevant to their role? Emailing a CFO about accounts payable software is defensible. Emailing them about pet grooming is not.
  • Would they reasonably expect outreach like this? A business decision-maker expects vendor pitches. A private individual at a personal address does not.
  • Are you being proportionate? One or two well-targeted messages, easy to opt out, low friction. Not fifty emails to a list you scraped blind.

This is why tight targeting isn't just a performance lever - it's your legal cover. When your list is built from a real ICP, relevance is baked in. When you spray and pray, you fail the balancing test and tank your reply rate at the same time.

Legitimate interest isn't a loophole - it's a promise that you thought about the person before you hit send.

Do you need consent for B2B cold email in the EU?

Mostly no for corporate recipients, but it depends on the country. Some member states treat B2B email under the same relaxed rules as legitimate interest; others apply stricter marketing consent rules, especially where the recipient looks like an individual rather than a business.

Here's the practical split you actually need to remember:

  • Corporate/role addresses (info@, sales@, and named addresses at a clearly commercial domain): generally fine on legitimate interest across most of the EU.
  • Sole traders and individuals (a freelancer's personal-looking address): riskier - some countries want consent, treat these as individuals.
  • The UK post-Brexit runs PECR alongside UK GDPR. B2B email to corporate subscribers is broadly allowed; email to individuals and sole traders generally needs consent.
  • Germany is the strict end. Its interpretation of unsolicited commercial email is tough, and legitimate interest gets scrutinized hard.

You don't need to memorize 27 legal regimes. You need to know that "one rule for all of Europe" is a myth, and to lean conservative when a recipient looks like a person rather than a company.

What does a compliant GDPR cold email actually look like?

A compliant cold email identifies who you are, is clearly relevant to the recipient's job, offers an easy way to opt out, and processes only data you can justify. It reads like a person wrote it to another person - because that's also what gets replies.

Use this as your pre-send checklist:

  1. Identify yourself clearly - real name, real company, no anonymous sender games.
  2. Confirm relevance - the message maps to their actual role and industry, not a guess.
  3. Include a genuine opt-out - a plain "reply and I'll stop" works; make it real and honor it fast.
  4. Keep data minimal - name, company, role, work email. You don't need their home address or a dossier.
  5. Log your lawful basis - a short note on why this segment fits legitimate interest.
  6. Source your list responsibly - verified, permission-aware data, not a scraped dump.
  7. Delete on request - if they ask to be removed and erased, do it and record it.

Notice how much of this overlaps with plain deliverability. Being honest about who you are, keeping messages relevant, and making opt-out easy are exactly the behaviors that keep you out of spam. If you want the sending side of that story, our deliverability checklist covers it end to end, and why cold emails go to spam shows how compliance and inbox placement reinforce each other.

How do you handle data subject rights in an outbound campaign?

You give people a real, fast way to opt out and to be erased, and you actually process those requests. Under GDPR, recipients can object to processing, ask what data you hold, and demand deletion - and "we lost the email" is not a defense.

In practice this means three operational habits:

  • Suppression that sticks. When someone opts out, they go on a permanent suppression list that survives across every future campaign and every domain you send from. No re-adding them next quarter.
  • Erasure on request. If they want their data gone, remove it and keep a minimal record that you did.
  • Transparency if asked. Be ready to say where you got their details and why you contacted them.

This is where DIY outreach quietly falls apart. When you run spreadsheets and free tools, suppression leaks between lists, someone gets emailed twice after opting out, and now you have both an angry prospect and a compliance gap. Managed infrastructure exists partly to make these rights enforceable across every mailbox at once - which is a big reason people move from in-house to an agency setup.

Does GDPR change how you should build sending infrastructure?

Yes - indirectly but heavily. GDPR pushes you toward smaller, cleaner, better-targeted volumes, and that happens to be exactly how you should send for deliverability anyway. Compliance and inbox placement pull in the same direction.

Think about what the regulation rewards. Minimal data, tight relevance, low volume per contact, easy opt-out. Now think about what protects your domain reputation: authenticated sending, warmed mailboxes, conservative per-mailbox limits, low bounce rates. Same list.

We run about 25 emails per mailbox per day - not because a regulator set that number, but because restraint per mailbox protects reputation and forces the targeting discipline GDPR wants too. Every domain is authenticated with SPF, DKIM and DMARC, warmed over a 3-4 week ramp, and monitored daily. Across our own campaigns that discipline sits at 98.7% inbox placement, a bounce rate around 0.8%, and a reply rate near 4.5% - the kind of numbers you get when your list is relevant enough to be both legal and effective.

Your infrastructure choice matters here. Whether you go shared or dedicated, the setup should be sized to your goals, not bolted onto a generic template - and it should never be a "built for you then walk away" handover. Our cold email infrastructure is always operated by us, which means suppression, deletion and authentication get maintained continuously rather than forgotten after week two.

Is LinkedIn outreach a safer alternative to GDPR cold email?

Not safer - just different. LinkedIn still processes personal data, so GDPR applies there too. The advantage is that connection-based outreach carries a stronger sense of expectation, and mixing channels lets you send fewer emails to the same target.

That's the practical win. Instead of hammering one inbox, you split touches across email and LinkedIn, which lowers your email volume per person while raising response rates. Done right, it's both gentler on your compliance posture and more effective. We map that out in our email + LinkedIn cadence guide, and our mixed outreach service runs both channels together so no single one gets overloaded.

If you're weighing the tradeoffs directly, cold email vs LinkedIn outreach breaks down where each channel earns its place.

The short version

GDPR cold email is legal for B2B outreach across most of Europe when you have a lawful basis (usually legitimate interest), stay genuinely relevant, honor opt-outs and erasure, and treat individuals more carefully than corporates. Germany and the UK are the strictest, so lean conservative there.

The good news is that everything GDPR asks - relevance, minimal data, easy opt-out, low volume - is also what makes cold email actually work. Compliance and results are the same discipline wearing two hats.

Want outreach into Europe that's built to be relevant, compliant, and delivered to the inbox rather than the spam folder? Talk to us - you tell us who you want to reach and why, and we handle the lists, copy, infrastructure and monitoring, operated by us the whole way.


Want this handled for you? Moongie runs managed cold email infrastructure, mixed email + LinkedIn outreach and high-converting landing pages. Book a free 30-minute strategy call - or win our playbook in the Inbox Run game.

Free download

Cold Email Playbook - 30+ pages of what actually works

Infrastructure, warmup, list hygiene, copy, cadence - the full system, distilled from running 1,500+ mailboxes. Win it free in Inbox Run.

Get the playbook free
Share this article X LinkedIn Facebook Email
โ† All posts