Is B2B Cold Email Legal in the EU?
In the EU, B2B cold email is usually lawful under GDPR's legitimate interest (Art. 6(1)(f)) - with a balancing test and easy opt-out. Here's how to do it right.

In short: a cold email sent to businesses (B2B) is generally lawful to send across the EU, provided it rests on a valid legal basis, is backed by a documented balancing exercise, and lets the recipient unsubscribe with a single click in every message. In practice, the legal basis is legitimate interest (GDPR Article 6(1)(f)). This is not the same thing as a consumer (B2C) newsletter, which usually requires prior, explicit consent.
Important: this article is general information, not legal advice. The GDPR applies everywhere in the EU, but the rules that specifically govern electronic marketing are set out in national law and vary from country to country. For your own situation - target markets, countries, data sources - get an opinion from a qualified lawyer.
What do we mean by cold B2B email?
A cold email is the personalized introduction you send to a decision-maker at a company you have no prior relationship with, but for whom your offer could genuinely be relevant. It is not a mass blast: you research each recipient individually and write a message meant for them. That's also why it's a different genre from a newsletter, and why there's a limit to how far personalization is worth taking.
The legal basis: legitimate interest (GDPR Art. 6(1)(f))
The GDPR recognizes six possible legal bases for processing personal data. For cold B2B outreach, the one most commonly relied on is legitimate interest. Recital 47 of the Regulation says so explicitly: processing for direct marketing purposes may be regarded as carried out for a legitimate interest.
Legitimate interest is not a free pass. Three conditions have to be met, and it's worth writing them down in a documented balancing exercise - often called a Legitimate Interest Assessment (LIA):
- You have a real, lawful interest in making contact (for example, winning new business partners).
- The outreach is necessary for that purpose (relevant, targeted, not a scattergun blast).
- Your interest does not override the recipient's rights - which is exactly why you need an easy opt-out and a restrained, relevant approach.
One practical detail that matters a lot: a named work address (e.g. anna.smith@company.com) is personal data, so the GDPR applies to it in full. A role address (e.g. info@company.com) generally can't be tied to an identified individual, so it's lower-risk - but it's a worse choice for deliverability.
B2B vs. B2C: why they're judged differently
| Aspect | B2B cold email | B2C newsletter / ad |
|---|---|---|
| Typical legal basis | Legitimate interest (Art. 6(1)(f)) | Prior, explicit consent |
| Prior sign-up required? | Usually not, with a balancing test | Yes, opt-in |
| Who are you addressing? | A business decision-maker, in their professional capacity | A private individual, as a consumer |
| Unsubscribe | Mandatory, in every message | Mandatory, in every message |
| Volume | Small, targeted, relevant | Mass list |
The key point: B2B outreach stands on solid ground when you contact someone in their professional capacity with a relevant offer - not as a private individual, indiscriminately.
How to stay compliant
- A documented balancing exercise (LIA) for every campaign.
- One-click unsubscribe in every message, honored immediately and permanently.
- A global suppression list (do-not-contact): anyone who unsubscribes or asks to be removed never gets another message.
- Relevant, targeted outreach - not to everyone, only to people it genuinely speaks to.
- A transparent sender: a real company, a real name, a real point of contact.
- A privacy notice that covers the legal basis for the outreach and the data subject's rights.
The technical side is part of compliant operation too: without an authenticated domain (SPF, DKIM, DMARC), a dedicated sending account, and a good reputation, your message ends up in the spam folder anyway. There's more on this in our piece on domain authentication and on how not to burn your main domain's reputation.
The ePrivacy Directive and national variation
The GDPR sets the data-protection baseline across the EU, but it isn't the only rule in play. Electronic marketing communications are also governed by the ePrivacy Directive (2002/58/EC). Because it's a directive, each member state transposes it into its own national law - and the rules on unsolicited email vary as a result.
Some countries treat business email addresses more permissively; others are stricter. In practice, jurisdictions such as Germany and Austria tend to be tougher and may effectively expect consent even for business-to-business messages. So if you're sending into those markets, plan for it specifically.
Because this area differs by country and by case, the responsible approach is simple: conservative practice + documentation + a lawyer's review for your own situation.
How we do it
The way b2bemail works is built on exactly this responsible framework: a documented balancing exercise, one-click unsubscribe in every message, a global suppression list, and outreach that is targeted and relevant only - never a mass blast. You can read the details on our security and GDPR page, and the plans are on the pricing page.
If you're unsure how to launch a compliant B2B campaign in your own market, book an intro call - we'll walk through it together.
This content is general information and does not constitute legal advice. For compliance in your specific situation, consult a qualified professional.

Kapás Bence
Founder · operator, b2bemail
I run our clients' B2B outreach myself: I research every recipient individually, write them a personalized email, and stay on top of every reply that comes back.