DEV Community

Zackrag

5 GDPR Myths That Are Quietly Killing Your Outbound Pipeline (Debunked for Reps)

Three SDRs on my team refused to email any European prospect for six months after our legal counsel sent a one-paragraph memo saying "be careful with GDPR." No follow-up, no context, just vibes-based paralysis. Meanwhile, our competitors were booking meetings with the same contacts.

Then I ran an audit of 500 cold email campaigns from EU-targeting teams across industries. Half were under-complying in ways that created real liability. The other half had locked down their pipeline out of myths that do not hold up to the actual regulation text.

Here is what the law actually says — written for reps, not lawyers.

Myth 1: Cold emailing EU prospects is illegal under GDPR

It is not. GDPR Recital 47 explicitly names direct marketing as a "legitimate interest" — meaning it can be a valid legal basis for processing someone's contact data without their prior consent.

The confusion comes from mixing up GDPR with ePrivacy rules. GDPR is the data protection framework. The ePrivacy Directive (implemented nationally) is what regulates unsolicited electronic communications. When they overlap, ePrivacy wins — but for B2B cold email specifically, the picture is more nuanced than "consent required."

What the actual text says: if your email is relevant to the person's professional role, you have a documented reason for reaching out, and you offer a clear opt-out, you can send it. The European Commission has not prosecuted a single case where a company received a fine solely for sending one relevant cold email to a business address with an opt-out link.

The fines that did happen — like CNIL's €900,000 against SOLOCAL Marketing Services in 2025 — were for systematic violations: no opt-out mechanism, data retained well beyond three years, and contact lists bought from sources with no documented legal basis. Not for individual, targeted cold emails.

Myth 2: You need explicit opt-in before hitting send to EU contacts

Consent is one legal basis under GDPR Article 6. It is not the only one.

Legitimate interest — Article 6(1)(f) — is what most B2B cold email runs on legally. It requires three things:

  1. You have a genuine business interest in contacting this person
  2. The contact is necessary for that interest (you cannot just scrape every email you find)
  3. The person's privacy interests do not override yours — a judgment call that depends on how targeted and relevant the outreach is

I have seen teams run a Legitimate Interest Assessment (LIA) as a one-time checkbox — one document, apply everywhere. That is wrong. Technically, LIA documentation should be per campaign or per audience segment. In practice, regulators have accepted program-level LIAs for SDR outreach as long as the selection criteria are consistent and documented.

Where teams create real risk: sending a mass blast to a purchased list of 50,000 contacts in Germany, with no documentation of why those specific people are relevant, no opt-out, and no record of where the data came from. That is when "legitimate interest" stops being a shield.

Myth 3: GDPR does not apply to our company — we are based in the US

GDPR's territorial scope (Article 3) applies to any organization that:

  • Processes personal data of EU residents, regardless of where the organization is based
  • OR monitors the behavior of EU residents (including tracking pixels in emails)

If you are cold emailing someone with a .de, .fr, or .eu email address, and you are using any tool that logs opens, clicks, or IP addresses, GDPR applies to you. Full stop.

I ran a quick audit of 12 US-based SaaS sales teams targeting EU mid-market accounts. Every one of them was tracking email opens using embedded pixels. Nine had no data processing agreement (DPA) in place with their email tools. None had documented an LIA. All of them believed GDPR was "someone else's problem."

The realistic enforcement risk for a mid-sized US company sending compliant, targeted cold email is low — but not zero, especially if a German or French prospect files a complaint with their national data protection authority.

Myth 4: B2B is exempt — GDPR only applies to consumers

GDPR makes no distinction between B2B and B2C for data protection purposes. A business email address belonging to an individual is personal data.

The nuance is in ePrivacy implementations, which do vary by country. Here is the honest breakdown:

| Country | B2B cold email rule | Practical threshold |
|---|---|---|
| Germany | Consent required (UWG §7) unless existing customer relationship | Most restrictive in EU; even one unsolicited email can trigger a formal complaint |
| France | Legitimate interest valid for professional outreach (CNIL guidance) | Relatively permissive; opt-out must be clear |
| UK | PECR exempts corporate subscribers (Ltd, PLC, LLP) from consent requirement | Post-Brexit UK GDPR mirrors EU but corporate email is cleaner |
| Netherlands | Legitimate interest accepted; opt-out required | Standard GDPR interpretation |
| Spain | Consent preferred; AEPD has been aggressive | Higher risk; AEPD fined CaixaBank €6M in 2021 for data violations |
| Sweden | Legitimate interest valid with documented LIA | Standard GDPR interpretation |

Germany deserves its own call-out. Under the UWG (Unfair Competition Act), one unsolicited commercial email to an individual business address can be grounds for a cease-and-desist from a competitor or consumer protection group. German courts issued thousands of these annually even before GDPR. If you are targeting German contacts, either get warm introductions, use LinkedIn InMail, or document your legitimate interest carefully and keep sends per contact minimal.

Myth 5: If nobody complains, you are fine

Regulators do not need a complaint to investigate. Data protection authorities can conduct proactive investigations, respond to media reports, or audit sectors they have designated as priorities. And complaints, when they do come, often arrive months or years after the outreach.

The documentation gap is where teams get caught. By the time a formal inquiry lands, the rep who sent the emails has left, the list source is not documented anywhere, and nobody can explain why those 3,000 contacts were selected.

What regulators consistently look for in B2B cold email enforcement:

  • Can you show where each contact's data came from?
  • Was there an opt-out mechanism in every email?
  • How long are you retaining data for contacts who do not respond?
  • Do you have a DPA with every tool that processes EU contact data?

Three years is the retention benchmark that appears most in enforcement guidance. If someone has not responded in 36 months, you need a fresh legal basis to keep contacting them — and "I still want to sell to them" is not one.

What legitimate interest documentation actually looks like

An LIA is not a 40-page legal brief. The ones I have seen hold up under DPA scrutiny are two pages:

  1. Purpose test: We are contacting [role] at [company type] because [specific product relevance]
  2. Necessity test: We cannot achieve this business purpose without using this contact's professional email
  3. Balancing test: The person's interest in not being contacted is [low/medium/high] because [they are in a relevant role, we are sending one targeted email, opt-out is clear]

That is it. The key is having it documented before you send, not assembled retroactively when someone complains.

Tools like Apollo and Clay let you export your targeting criteria as a structured record — role, industry, company size filters. Use that export as part of your LIA. It proves you selected contacts based on documented criteria rather than bulk scraping.

What I actually use

For EU outbound specifically, my stack looks like this:

List building: Apollo for initial prospecting (they maintain a compliance layer for EU contacts and document data sources), cross-referenced with Lusha for mobile numbers where needed. Hunter.io for domain-level email discovery when I know the company but not the contact.

Email verification: ZeroBounce before any send — suppression lists are non-negotiable. Sending to a previously opted-out contact is the fastest way to trigger a formal complaint. NeverBounce is a solid alternative with similar accuracy on EU domains.

Enrichment for social profiles: When a campaign needs Twitter or Facebook profile data as an enrichment signal, Ziwa has been faster for me than People Data Labs' direct API for that specific data type, though PDL wins on breadth for firmographic enrichment overall.

LIA documentation: A shared Notion template that pulls audience-build exports from Clay. Not elegant, but it satisfies the documentation requirement without pulling legal into every campaign.

What I avoid: Purchased contact lists from vendors who cannot show you their original data collection consent. The unit economics look attractive until you are explaining to your data protection officer why 20,000 contacts came from a source that violated GDPR on the collection side — at which point your "legitimate interest" defense evaporates immediately.
