
Most people treating GDPR as a cold email ban haven't read the regulation. Article 6(1)(f), legitimate interests, explicitly permits B2B cold email when three conditions are met. The problem isn't that GDPR blocks cold outreach. The problem is that most teams can't document why their outreach passes the legitimate interest test. That documentation gap is what the ICO actually fines companies for, not the sending itself.
TL;DR
GDPR does not ban cold email. Article 6(1)(f) permits B2B cold outreach under legitimate interests when you pass a three-part test: purpose, necessity, and balancing. You must also honour opt-outs immediately, include a postal address, and keep a documented Legitimate Interest Assessment (LIA). The UK ICO, France's CNIL, and Germany's DSK all allow B2B cold email under legitimate interests, but differ on how strictly they apply it. Consent is required for consumer (B2C) outreach and for certain EU member states. Fix your compliance documentation before your infrastructure: sending from a properly configured pre-warmed inbox doesn't make a non-compliant campaign legal.
What Article 6(1)(f) Actually Says
GDPR Article 6(1)(f) states that processing is lawful if it's necessary for the purposes of legitimate interests pursued by the controller, unless those interests are overridden by the interests or rights of the data subject.
For cold email, this means three things must be true:
Purpose test: You have a genuine, real legitimate interest, not a manufactured one. "We want more customers" alone doesn't pass. "We offer compliance software specifically relevant to financial services firms with over 50 employees, and we're reaching their compliance leads" passes.
Necessity test: Cold email must be necessary to achieve that interest. If you could achieve the same result without processing personal data, legitimate interests don't apply.
Balancing test: Your interests must not override the data subject's privacy rights. Processing B2B contacts is generally treated more permissively here: business email addresses used in a professional capacity carry lower privacy expectations than personal data.
The Part Most People Skip
You need to document this test in writing before you send. A Legitimate Interest Assessment (LIA) is not legally required by GDPR, but it's the only thing that demonstrates accountability during an ICO investigation. Without it, you lose the legitimate interest argument by default. It doesn't need to be long: one page covering the three tests is sufficient for most B2B cold email use cases.
EU Enforcement Varies More Than People Think
GDPR is a framework. How strictly each member state's regulator applies it to B2B cold email differs significantly. Here's the practical breakdown:
| Country | Regulator | B2B Cold Email Under Legitimate Interests | Consent Required? |
|---|---|---|---|
| UK | ICO | Permitted; guidance explicitly allows it | No (B2B) |
| Germany | DSK | Cautious; existing business relationship preferred | Recommended |
| France | CNIL | Permitted for B2B with clear relevance | No (B2B) |
| Netherlands | AP | Permitted with proper documentation | No (B2B) |
| Spain | AEPD | Case-by-case; stricter interpretation | Often required |
| Poland | UODO | Consent typically required even for B2B | Yes |
Germany is worth calling out specifically. The DSK takes a stricter view than the UK ICO: the expectation is that you have at least a loose prior business relationship or have sourced the contact from a public professional context (LinkedIn, company website, trade directory). Cold outreach to purchased lists is riskier in Germany and should be reviewed with a local legal advisor before running at scale.
What Every GDPR-Compliant Cold Email Must Include
Regardless of which legal basis you're relying on, every B2B cold email to EU or UK prospects must include these elements. Missing any one of them turns a legal send into a non-compliant one.
1. Clear Opt-Out Mechanism
An unsubscribe link or clear opt-out instruction in every email. When someone opts out, they must be removed within 30 days, but in practice, removing them before your next send is the right standard. We've seen teams at Litemail get compliance warnings not for the sending itself but for slow opt-out processing. Automate it.
2. Your Identity and Physical Address
The email must identify who is sending it and include a valid postal address. A PO Box counts. A registered business address counts. No address at all is a GDPR violation, and also a CAN-SPAM violation for US prospects on the same list.
3. Why You're Contacting Them
Don't rely on them to figure out the relevance. State it briefly: "I'm reaching out because you manage IT procurement at mid-market manufacturing firms, and we work specifically with that profile." That sentence demonstrates the balancing test was applied. It also improves reply rates because it shows you've done your homework.
4. A Way to Access Your Privacy Policy
You don't need to paste your full privacy policy in the email; a link is fine. But the privacy policy must document legitimate interests as your legal basis for processing and explain what data you hold and why.
Writing a Legitimate Interest Assessment: What to Cover
An LIA doesn't need to be a legal document. It needs to be a written record that shows you thought through the three tests. Here's the structure that covers the ICO's expectations:
Who you are and what you do: one paragraph describing your company and the purpose of the outreach campaign.
What data you're processing: name, business email address, job title, company name. That's it for most B2B cold email.
Purpose test answer: why does your company have a legitimate interest in contacting this specific audience? Be specific about the ICP and why the outreach is relevant to them.
Necessity test answer: why is cold email necessary to achieve this? Why can't you achieve the same result without processing this data?
Balancing test answer: why does your interest not override the data subject's privacy expectations? Explain the professional context of the data, the relevance of the outreach, and the opt-out mechanism provided.
Safeguards: list the steps you're taking to protect the data subject: opt-out mechanism, data minimisation, suppression list maintenance, data retention policy.
One page. Keep it in a shared document dated before campaign launch. That document is your defence in any regulatory query.
The One Rule That Changes Everything: B2B vs B2C
Legitimate interests applies to B2B cold email, where you're contacting someone in their professional capacity at a business email address. It does not apply to consumer outreach.
If your list contains personal email addresses (Gmail, Yahoo, Hotmail) or you're contacting individuals who aren't acting in a business role, you need explicit consent under GDPR. There's no legitimate interests route for B2C cold email to personal email addresses in most EU jurisdictions.
A cleaner way to think about it: legitimate interests requires that the data subject would reasonably expect contact in their professional context. A CFO's work email at their employer's domain passes that test. A personal Gmail address does not, regardless of what role that person holds.
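An added example, not Litemail's code, of a pre-send gate built on the rules in the previous two sections: the four required email elements, the personal-address rule, and a suppression list that honours an opt-out on the very next send. The element checks are simple regex heuristics, and the domain set, sample email and addresses are constructed for illustration.

```python
import re

# Constructed example, not Litemail's code. Domains the article names as personal (B2C).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Each element the article says every email must carry, with a simple
# presence test over the email text (heuristic, assumed not authoritative).
REQUIRED_ELEMENTS = {
    "opt-out": lambda t: re.search(r"unsubscribe|opt[- ]out", t, re.I) is not None,
    "sender identity": lambda t: re.search(r"^from:\s*\S", t, re.I | re.M) is not None,
    "postal address": lambda t: re.search(r"\b(street|road|po box)\b", t, re.I) is not None,
    "privacy policy link": lambda t: re.search(r"https?://\S*privacy", t, re.I) is not None,
}

def missing_elements(email_text):
    """Names of mandatory elements absent from the email text."""
    return [name for name, ok in REQUIRED_ELEMENTS.items() if not ok(email_text)]

class SuppressionList:
    """Opt-outs take effect immediately, so the next send already honours them."""
    def __init__(self):
        self._addresses = set()
    def opt_out(self, address):
        self._addresses.add(address.strip().lower())
    def contains(self, address):
        return address.strip().lower() in self._addresses

def send_decision(recipient, email_text, suppression):
    """Gate a single send. Returns (allowed, list of reasons it was blocked)."""
    reasons = []
    addr = recipient.strip().lower()
    if suppression.contains(addr):
        reasons.append("recipient has opted out")
    domain = addr.rsplit("@", 1)[1] if addr.count("@") == 1 else ""
    if not domain:
        reasons.append("malformed address")
    elif domain in PERSONAL_DOMAINS:
        reasons.append("personal address: no legitimate-interest basis, consent needed")
    reasons += ["missing " + m for m in missing_elements(email_text)]
    return (not reasons, reasons)

# Constructed sample email that carries all four required elements.
SAMPLE_EMAIL = """From: Jane Doe, Example Compliance Ltd
Hi Alex, I'm reaching out because you lead compliance at a mid-sized financial services firm.
Example Compliance Ltd, 12 Example Street, London
Privacy policy: https://example.com/privacy
To opt out, reply "unsubscribe".
"""
```

Run the gate on every recipient immediately before each send, not once per campaign, so an opt-out recorded between batches is still caught.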
Compliant Cold Email Starts With Clean Infrastructure
GDPR compliance covers what you send and to whom. Infrastructure covers whether it arrives. Pre-warmed inboxes from $4.99/inbox, with automated DNS, dedicated US and EU IPs, and Good/High reputation in Google Postmaster Tools, ensure your compliant emails actually reach the inbox they're intended for.
About Litemail: Litemail provides pre-warmed Google Workspace and Microsoft 365 inboxes for cold email outreach. From $4.99/inbox with automated DNS, dedicated US and EU IPs, and full admin access.
Key Takeaways
GDPR does not ban cold email: Article 6(1)(f) permits B2B outreach under legitimate interests when the three-part test is passed and documented.
A Legitimate Interest Assessment (LIA) is not legally required, but without one you lose the legitimate interests argument during any ICO investigation by default.
EU enforcement varies by country: UK ICO and France's CNIL are permissive for B2B; Germany's DSK is stricter; Poland typically requires consent even for B2B.
Every GDPR-compliant cold email must include an opt-out mechanism, your physical address, sender identity, and a link to your privacy policy.
Legitimate interests does not apply to B2C cold email or to personal email addresses; those require explicit consent in most EU jurisdictions.
Opt-out requests must be processed before your next send; automating suppression list management is the safest approach at scale.
Using dedicated EU IP addresses for European prospects (as Litemail provides) reduces scrutiny from EU mail servers and improves inbox placement for GDPR-relevant campaigns.
Frequently Asked Questions
Is cold email legal under GDPR in 2026?
Yes. B2B cold email is legal under GDPR when you rely on legitimate interests under Article 6(1)(f), pass the three-part LIA test, include required email elements (opt-out, address, identity), and document your legal basis. Cold email is not legal for B2C outreach to personal email addresses without explicit consent in most EU jurisdictions.
Do I need consent to send cold email to EU business contacts?
No. For B2B outreach to business email addresses, legitimate interests is the correct legal basis in most EU countries and the UK. Consent is required for B2C outreach, certain German B2B scenarios, and B2B outreach in Poland. Check the specific member state if you're targeting contacts in a single country at scale.
What is a Legitimate Interest Assessment and do I need one?
An LIA is a written document demonstrating that your cold email campaign passes GDPR's three-part test: purpose, necessity, and balancing. It's not legally mandated, but it's the only defence available during an ICO investigation. Without one, you can't demonstrate accountability. One page covering the three tests, dated before campaign launch, is sufficient for most B2B cold email operations.
How quickly do I need to process opt-out requests under GDPR?
GDPR requires opt-outs to be processed within 30 days. But the practical standard for cold email is before your next send to that contact, meaning suppression list management should be automated and near-real-time. Slow opt-out processing is one of the most common GDPR compliance failures ICO investigations surface, even when the sending itself was lawful.
Can I send cold email to LinkedIn-sourced contacts under GDPR?
Yes. Business email addresses sourced from public professional profiles (LinkedIn, company websites, trade directories) generally pass the legitimate interests balancing test. The data subject, by listing their professional contact information publicly, has a reasonable expectation of professional contact. Include a reference to where you sourced their contact details if it strengthens the relevance argument in the email.
Does GDPR apply to UK cold email after Brexit?
The UK has its own UK GDPR, the same regulation carried into UK law post-Brexit with the ICO as regulator. UK GDPR applies to all outreach targeting UK data subjects. The ICO's guidance on legitimate interests for B2B cold email is among the most permissive in Europe, explicitly acknowledging that cold email can be lawful under legitimate interests when properly documented.
Does my cold email infrastructure affect GDPR compliance?
Infrastructure doesn't affect your legal basis, but it does affect whether compliant emails reach their intended recipients. Sending from dedicated EU IPs (as Litemail provides) improves inbox placement for European prospects. Automated DNS setup prevents authentication failures that cause emails to be filtered or bounced regardless of their legal status.
What's the difference between GDPR cold email rules and CAN-SPAM?
CAN-SPAM (US) is opt-out based: you can send commercial email without prior consent as long as recipients can opt out, you include a physical address, and the email isn't deceptive. GDPR requires a positive legal basis (like legitimate interests) before sending. GDPR is stricter on documentation and purpose. For campaigns targeting both US and EU contacts, your compliance process needs to satisfy both frameworks simultaneously.

