
GDPR Cold Email: What You Can and Can't Do in 2025

B2B cold email is not banned under GDPR - but most teams are doing it wrong. Here's exactly what legitimate interest means, what you must log, and how to run GDPR-compliant outbound at scale.

There's a widespread myth in B2B sales that GDPR bans cold email. It does not. Unsolicited B2B outreach is permitted under GDPR when it meets specific conditions - and getting this right is increasingly a competitive advantage, not just a compliance checkbox.

Here's the complete picture, as of 2025.

The Legal Basis: Legitimate Interest

GDPR requires a lawful basis for processing personal data. For B2B cold email, the relevant basis is legitimate interest under Article 6(1)(f) of GDPR.

Legitimate interest is not a blanket permission. It requires a three-part test:

  1. Purpose test - Is there a genuine, legitimate purpose for contacting this person? (Selling a relevant product/service to a professional who might benefit from it = yes.)
  2. Necessity test - Is processing their data necessary for that purpose? (Using their work email to send a relevant offer = yes.)
  3. Balancing test - Do your interests override the individual's privacy interests? This is the hard one. Contacting a VP of Engineering at a software company about a developer tool = probably yes. Contacting a personal email address about an unrelated product = no.

The key insight: the stronger the relevance between your product and the recipient's role/company, the more defensible your legitimate interest claim. This is why ICP precision isn't just a performance optimization - it's a compliance requirement.

What B2B Cold Email Under GDPR Requires

1. Only use professional/business contact information

Work email addresses at company domains (a named address at the company's own domain) are generally acceptable. Personal email addresses (Gmail, Hotmail, etc.) used for a business purpose are in a gray area and should be avoided unless the individual uses them as their primary professional contact.

2. Easy, clear opt-out on every email

Every cold email - including follow-ups - must include a clear, easy-to-use unsubscribe mechanism. This can be a link, a reply instruction ("Reply STOP to unsubscribe"), or both. The opt-out must be honored immediately - processing it within 7 days is the safe standard.

3. Suppression lists

Once someone opts out, you must never contact them again - not just "not contact them via this campaign." Their email address must go on a permanent suppression list that is checked before every future send. Forgetting to suppress is one of the most common GDPR violations in outbound and results in significant fines.

4. Document your legitimate interest assessment

You don't need to share this documentation with recipients proactively, but you need to be able to produce it if a supervisory authority asks. This means having a written record of: who you're contacting, why you believe it's relevant to them, and what safeguards you've put in place (easy opt-out, suppression list, etc.).

5. Respond to Subject Access Requests (SARs)

EU data subjects can request what data you hold on them. You have 30 days to respond. For outbound teams, this means knowing which contact records belong to EU residents and being able to retrieve and delete them on request.

What Breaks GDPR Compliance Most Often

The failures we see repeatedly:

  • No suppression list - or a suppression list that isn't checked before every send. One unsuppressed re-contact of someone who opted out is a violation.
  • Opt-outs that take days to process - if your platform batches unsubscribes weekly, you may re-contact someone between their opt-out request and when it's processed.
  • Purchasing third-party lists without provenance - buying a list from a vendor who can't tell you where the data came from or confirm it was lawfully collected is a problem. You inherit the compliance risk.
  • Contacting EU personal email addresses - consumer email addresses (Gmail, etc.) have a much higher compliance bar than business emails. The legitimate interest basis is harder to sustain.
  • No documentation - you can't prove legitimate interest retroactively. It has to be assessed before you process the data.

The e-Privacy Directive: B2B Exceptions in the EU

Alongside GDPR, the e-Privacy Directive (EPD) governs direct marketing communications. Under EPD, B2B email is exempt from the opt-in requirement that applies to consumer email marketing - but you still need to comply with GDPR's legitimate interest requirements and provide opt-out.

Critically: member state implementations of EPD vary. Germany (BDSG/UWG), Austria, and some other countries have stricter national rules. If you're targeting German companies, consult a local compliance specialist - the rules are more restrictive than in, say, Ireland or the Netherlands.

What "GDPR-Ready" Actually Means for an Outbound Platform

When an outreach platform claims to be "GDPR-ready," look for these specific capabilities:

  • Automatic suppression processing - opt-outs are applied instantly and checked before every send, not batched.
  • Audit trail - immutable record of who approved what outreach, when, to whom. This is your documentation if a supervisory authority ever asks.
  • Data deletion on request - SAR handling. Can you delete all data for a specific EU resident within 30 days?
  • No email guessing - AI tools that construct email addresses from naming patterns (guessing a first-name.last-name address at the company domain) rather than taking them from verified public sources are creating data of unknown provenance, which is harder to defend under GDPR.
  • Geographic tagging - contacts from EU countries should be flagged so you can apply appropriate suppression and compliance workflows to them specifically.
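As an added illustration of the capabilities above (example code written for this article, not YOG.io's or any platform's own implementation), here is a minimal send gate: opt-outs are applied immediately, the suppression list is checked before every send, EU contacts are flagged and require a documented legitimate-interest assessment and a known source, every decision lands in an append-only audit log, and an erasure request removes the contact record while keeping a hash on the suppression list so the person is never re-contacted. The EU country list, field names and sample contacts are assumptions constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Assumption: a partial set of EU member-state codes, enough for the constructed sample.
EU_COUNTRIES = {"DE", "FR", "IE", "NL", "AT", "ES", "IT"}


def normalize(email: str) -> str:
    return email.strip().lower()


def suppression_key(email: str) -> str:
    # Only a hash is stored, so the entry survives an erasure request
    # without keeping the address itself.
    return hashlib.sha256(normalize(email).encode()).hexdigest()


class OutboundGate:
    def __init__(self):
        self.contacts = {}       # normalized email -> contact record
        self.suppressed = set()  # hashes of opted-out addresses; never removed
        self.audit = []          # append-only event log (assumed audit-trail shape)

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def add_contact(self, email, country, source, li_assessment, approved_by):
        e = normalize(email)
        self.contacts[e] = {"country": country, "is_eu": country in EU_COUNTRIES,
                            "source": source, "li_assessment": li_assessment}
        self._log("contact_added", email=e, source=source, approved_by=approved_by)

    def opt_out(self, email):
        # Applied at once, not batched: the next can_send() already sees it.
        self.suppressed.add(suppression_key(email))
        self._log("opt_out", email=normalize(email))

    def can_send(self, email):
        e = normalize(email)
        if suppression_key(e) in self.suppressed:
            return False, "suppressed"          # checked before anything else
        rec = self.contacts.get(e)
        if rec is None:
            return False, "unknown contact"
        if rec["is_eu"] and not rec["li_assessment"]:
            return False, "EU contact without documented legitimate-interest assessment"
        if rec["is_eu"] and not rec["source"]:
            return False, "EU contact of unknown provenance"
        return True, "ok"

    def erase(self, email):
        # SAR deletion: drop the record, keep the suppression hash and the audit entry.
        e = normalize(email)
        removed = self.contacts.pop(e, None) is not None
        self._log("erased", email_hash=suppression_key(e))
        return removed
```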

CAN-SPAM vs. GDPR for US-Targeting Teams

If you're based in the EU but targeting the US (or vice versa), GDPR applies based on the recipient (it protects EU residents wherever the sender is located), while CAN-SPAM applies roughly on the basis of the sender's jurisdiction.

CAN-SPAM is significantly more permissive than GDPR: it allows unsolicited commercial email with an opt-out mechanism, doesn't require a legitimate interest assessment, and has no data minimization requirements. Most B2B teams targeting the US find CAN-SPAM easy to comply with. The hard part is GDPR for any EU contacts in the same list.

The practical solution: maintain separate lists and compliance workflows for EU and non-EU contacts. Most enterprise outbound platforms support this via geographic segmentation and per-region suppression rules.

The Compliance-as-Competitive-Advantage Argument

Teams that treat GDPR compliance seriously tend to end up with better outreach programs - not just safer ones. Tight ICP targeting (required for legitimate interest), genuine opt-out processing (required for compliance), and documented approval workflows (required for audit trails) are the same practices that drive higher reply rates and better deliverability.

Compliance and performance point in the same direction. The teams that figured this out early are running cleaner lists, getting better replies, and sleeping better at night.

If you're reaching EU contacts, see how YOG.io supports international outbound with built-in GDPR-ready suppression and audit trails. For the full compliance and outreach picture, read how to build a compliant B2B lead list. And if you're evaluating platforms on compliance depth, compare YOG.io vs Instantly or YOG.io vs Smartlead - both lack the audit trail that GDPR requires.
