What Is GDPR and How Does It Affect Cold Email?

TL;DR

GDPR is the EU data protection law, and it generally requires a valid legal basis — most often consent or, in narrower B2B cases, legitimate interest — before emailing individuals in the EU/EEA, a stricter starting point than the US opt-out-based CAN-SPAM approach. This page is general information, not legal advice.

GDPR legal-basis requirement

Under GDPR, sending marketing email to an individual generally requires a lawful basis — commonly explicit consent, or in some B2B contexts, legitimate interest, a narrower basis that still requires a documented balancing test and an easy opt-out. This is a meaningfully different starting point than CAN-SPAM opt-out model.

B2B cold email and GDPR

Some organizations rely on legitimate interest for B2B cold email sent to individuals in a clearly relevant professional context, but this basis has real limits, varies by EU member state guidance, and does not apply the same way to consumer contacts. This is an area where legal interpretation genuinely differs, and businesses should get jurisdiction-specific legal advice rather than relying on general summaries like this one.

Practical requirements regardless of legal basis

A clear identity of who is emailing and why, an easy way to object or opt out, honoring opt-outs and data-deletion requests promptly, and not retaining contact data indefinitely without a documented reason.

Frequently asked questions