Cold Email Without Breaking GDPR Law

How to send cold emails legally, effectively and in compliance with European regulations

Key takeaways
  • B2B cold email is legal under GDPR if you rely on legitimate interest, use public data and offer clear opt-out in every message
  • 68% of penalties in B2B email marketing are for not including an unsubscribe link, not for sending the email itself
  • With MapiLeads you get verified corporate emails from public sources, the perfect foundation for legal cold email

What does GDPR say about B2B cold email?

GDPR does not prohibit B2B cold email. What it requires is a valid legal basis for processing the recipient's data. In business-to-business sales, legitimate interest (Art. 6(1)(f)) is the most widely used basis, and the one most commonly accepted by data protection authorities across Europe. Cold email done right can also feed a retention-focused strategy; Paddle discusses how acquisition connects to aligning cold email with retention-focused growth.

The difference between legal cold email and spam is clear: the former is relevant, personalised, uses public data and offers opt-out. The latter is mass, generic and ignores the recipient's rights. Platforms like MapiLeads provide verified corporate emails from public sources, enabling the legal scenario.

Furthermore, Recital 47 of the GDPR expressly recognises that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. Data protection authorities across the EU, including those in Spain, Germany and France, have confirmed that B2B prospecting with professional public data is viable under legitimate interest. One caveat a practitioner should keep in mind: unsolicited commercial email is also governed by the ePrivacy Directive (2002/58/EC) as transposed into each member state's national law, and the B2B rules differ from country to country, so check the rules of the recipient's country as well as your own.

  • 68% of B2B email marketing penalties are for not including an unsubscribe link (source: EDPB, GDPR Annual Enforcement Report 2025)
  • 23% average open rate for well-segmented B2B cold email
  • 3.2% average reply rate when the email is personalised
  • 5x more replies with verified data vs purchased lists

What separates legal cold email from spam?

The line between legitimate prospecting and spam is not blurry. They are two completely different practices under GDPR and B2B email marketing regulations:

Spam / mass email without legal basis (legality: 5%)
Purchased lists, no personalisation, no opt-out, no sender identification. Penalisable from the very first send.

Legal cold email with verified public data (legality: 95%)
Corporate emails from public sources, personalised, with visible opt-out, identified sender and documented legitimate interest.

Illegal cold email

  • Purchased list from unknown source
  • Zero personalisation, generic template
  • No unsubscribe link or identification
  • No transparency about data source
  • Risk of fines of up to 20M euros or 4% of worldwide annual turnover, whichever is higher (Art. 83(5))

GDPR-compliant cold email

  • Emails from verified public sources
  • Personalised with business-specific data
  • Visible opt-out in every message
  • States where you obtained the data
  • Defensible legal position, better deliverability

5 requirements for legal cold email under GDPR

1. Use corporate emails from public sources

The email must be professional (info@company.com, not a personal Gmail address). Get data from verifiable sources such as corporate websites or business databases with public data. Note that a named work address (firstname.lastname@company.com) is still personal data under GDPR, which is why the legal basis and the requirements below still apply to it.

2. Personalise every message

Mention something specific about the recipient: their industry, location or a detail about their business. Generic "Dear Sir/Madam" emails are 4x more likely to be reported as spam. Referral programmes offer a GDPR-friendly alternative to cold outreach, as Tremendous shows in GDPR-compliant referral programs as an alternative to cold email.

3. Include a visible opt-out

Put a clear unsubscribe link in every email, not hidden in small print. This is the most frequently breached and most penalised requirement in email marketing.

4. State where you got the data

A line like "I'm contacting you because your business appears on [public source]" covers the source element of the transparency requirement in Art. 14 GDPR. Art. 14 also expects you to identify yourself, state the purpose and legal basis, and make the recipient's right to object (Art. 21) explicit no later than the first message; a link to your privacy notice covers the remaining details. The regulatory landscape for outbound sales is changing rapidly, as McKinsey documents in global regulatory trends shaping outbound sales.

5. Honour unsubscribes immediately

When someone opts out, stop contacting them within 24-48 hours at the latest. An opt-out is an objection under Art. 21 GDPR, so keep the address on a suppression list rather than simply deleting it: deleting the record means the same address can be re-imported and contacted again. Deletion requests under Art. 17 are a separate obligation and must also be handled properly.
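The five requirements above, as one added example (this is illustrative code written for this page, not MapiLeads' software): a small Python script that builds a personalised message carrying an identifiable sender, a data-source disclosure, a visible unsubscribe link, RFC 2369 / RFC 8058 List-Unsubscribe headers and a company signature, then runs a pre-send compliance check and refuses to send to anyone on a suppression list. The domain yourcompany.test, the unsubscribe endpoint, the signature details and all recipient data are placeholders constructed for the example.

```python
# Added example (not MapiLeads' code): assemble a GDPR-style cold email and
# enforce the suppression list at send time. Domain, addresses, URL and
# signature details are constructed placeholders.
from email.message import EmailMessage
from email.utils import formataddr, make_msgid

SENDER_NAME = "Ana Garcia"                            # assumed sender
SENDER_ADDR = "ana.garcia@yourcompany.test"           # assumed domain
UNSUB_BASE = "https://yourcompany.test/unsubscribe"   # assumed endpoint
UNSUB_MAILBOX = "unsubscribe@yourcompany.test"        # assumed mailbox
# Assumed company details for the signature (identity and contact data).
SIGNATURE = (
    "Ana Garcia, Sales\n"
    "YourCompany S.L., company registration no. B-00000000 (placeholder)\n"
    "Calle Ejemplo 1, 28001 Madrid, Spain\n"
    "Privacy notice: https://yourcompany.test/privacy"
)

# Constructed suppression list: every opt-out lands here, normalised, and is
# checked before each send so an address is never re-imported or re-contacted.
SUPPRESSED: set[str] = {"cto@old-prospect.test"}


def normalise(addr: str) -> str:
    """Lower-case and trim so 'CTO@Acme.test ' and 'cto@acme.test' match."""
    return addr.strip().lower()


def record_opt_out(addr: str) -> None:
    """Honour an unsubscribe immediately by adding it to the suppression set."""
    SUPPRESSED.add(normalise(addr))


def is_suppressed(addr: str) -> bool:
    return normalise(addr) in SUPPRESSED


def build_message(to_name: str, to_addr: str, company: str, detail: str,
                  source: str, token: str) -> EmailMessage:
    """Build one personalised message; refuse if the recipient opted out."""
    if is_suppressed(to_addr):
        raise ValueError(f"{to_addr} is on the suppression list")
    unsub_url = f"{UNSUB_BASE}/{token}"
    msg = EmailMessage()
    msg["From"] = formataddr((SENDER_NAME, SENDER_ADDR))
    msg["To"] = formataddr((to_name, to_addr))
    msg["Subject"] = f"{company}: a question about {detail}"
    msg["Message-ID"] = make_msgid(domain="yourcompany.test")
    # RFC 2369 / RFC 8058 headers: mail clients render a native unsubscribe
    # control and can POST to the URL without the recipient opening the mail.
    msg["List-Unsubscribe"] = f"<{unsub_url}>, <mailto:{UNSUB_MAILBOX}?subject={token}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    body = (
        f"Hello {to_name},\n\n"
        f"I noticed that {company} {detail}.\n\n"
        f"I'm contacting you because your business appears on {source}. "
        "I am writing on the basis of legitimate interest (Art. 6(1)(f) GDPR); "
        "you can object at any time.\n\n"
        f"If you would rather not hear from us, unsubscribe here: {unsub_url}\n\n"
        f"{SIGNATURE}\n"
    )
    msg.set_content(body)
    return msg


def compliance_check(msg: EmailMessage) -> list[str]:
    """Return the list of missing elements; an empty list means it can go out."""
    problems = []
    body = msg.get_content().lower()
    sender = str(msg["From"] or "").lower()
    if not sender or "noreply" in sender or "no-reply" in sender:
        problems.append("sender must be a real, replyable mailbox")
    if not msg["Subject"]:
        problems.append("missing subject")
    if "List-Unsubscribe" not in msg:
        problems.append("missing List-Unsubscribe header")
    if msg["List-Unsubscribe-Post"] != "List-Unsubscribe=One-Click":
        problems.append("missing RFC 8058 List-Unsubscribe-Post header")
    if UNSUB_BASE.lower() not in body:
        problems.append("no visible unsubscribe link in the body")
    if "contacting you because" not in body:
        problems.append("body does not state where the data came from")
    if SIGNATURE.lower() not in body:
        problems.append("signature lacks company identification")
    return problems


if __name__ == "__main__":
    m = build_message("Jordan Lee", "jordan@acme.test", "Acme Ltd",
                      "is expanding its Lisbon office", "the Acme Ltd website", "tok-42")
    print(compliance_check(m) or "OK to send")
    print(m.as_string())
```

Two design choices worth noting: the suppression check runs at build time for every message, so an opt-out takes effect on the next send rather than after a batch import, and the check is on a normalised address so case or whitespace differences in an imported list cannot bypass it. The pre-send check is deliberately a list of named problems rather than a boolean, so a pipeline can log exactly which element was missing.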

Legal B2B cold email is not a grey area. It is a practice accepted by European authorities when done with professional public data, personalisation and clear opt-out. What is illegal is mass spam without legal basis.

Anatomy of a GDPR-compliant cold email

Element      | GDPR requirement            | Example
Sender       | Identifiable and real       | name@yourcompany.com
Subject line | Not misleading              | Relevant to the recipient
Body         | Personalised and relevant   | Specific mention of their business
Data source  | Transparency (Art. 14)      | "I contact you because..."
Opt-out      | Visible and functional      | Clear unsubscribe link
Signature    | Sender company details      | Name, registration, address
The difference between legal cold email and spam is personalisation and opt-out
In summary
  • B2B cold email is legal under GDPR if you use public data, personalise and offer opt-out in every message
  • MapiLeads provides verified corporate emails from public sources, the ideal foundation for legal email prospecting
  • 68% of penalties are for not including opt-out, not for sending the email itself. Always include a visible unsubscribe link
Legal cold email with verified data
Access corporate emails from public sources in over 120 countries. See plans or contact us.

Frequently asked questions

Is it legal to send cold emails in Europe?
Yes, as long as you have a valid legal basis such as legitimate interest, use professional or public contact data, include a clear unsubscribe link and your email is relevant to the recipient. GDPR does not prohibit B2B cold email; what it prohibits is spam without a legal basis. National rules under the ePrivacy Directive also apply and vary by country, so check them for the recipient's country.
What must a cold email include to comply with GDPR?
Every cold email must include: clear sender identification, reason for contact, where you obtained the data, a visible unsubscribe link and your company contact details. Omitting the opt-out is the main cause of penalties.
How many emails can I send without it being spam?
There is no numerical limit in GDPR. What matters is relevance and legal basis. A personalised, relevant email to 50 companies is legal; a generic mass email to 50,000 without opt-out is not.