GDPR & Cold Email: UK Compliance Guide
A practical guide to sending B2B cold email in the UK while staying fully compliant with GDPR and PECR regulations.
Part of our complete guide to B2B cold email.
Is cold email legal in the UK?
Yes, B2B cold email is legal in the UK. This is the first and most important thing to understand. Many businesses avoid cold email entirely because they assume GDPR prohibits it. It does not.
Under UK data protection law, you can send unsolicited emails to individuals at their business email addresses, provided you have a legitimate reason to contact them, you are transparent about who you are and why you are writing, and you give them a clear way to opt out.
The key distinction is between B2B and B2C. Sending unsolicited marketing emails to personal email addresses (B2C) requires prior consent. Sending relevant business communications to business email addresses (B2B) does not, as long as you meet certain conditions.
GDPR basics for cold email
Two pieces of legislation govern cold email in the UK: the UK GDPR (the UK’s post-Brexit version of the EU GDPR) and PECR (the Privacy and Electronic Communications Regulations). Understanding how they interact is essential.
Lawful basis: legitimate interest
Under GDPR, you need a lawful basis to process someone’s personal data. For B2B cold email, the relevant basis is legitimate interest. This means you have a genuine business reason to contact the person, contacting them is proportionate and reasonable, and their rights and expectations are not overridden by your interest.
In practice, this means you can email a marketing director at a SaaS company about your marketing analytics tool, because there is a clear and reasonable connection between your offer and their role. You cannot email that same person about an unrelated consumer product, because there is no legitimate business interest.
PECR and the B2B exemption
PECR is the regulation that specifically governs electronic marketing. For email, the general rule is that you need prior consent (opt-in) before sending marketing messages. However, PECR includes a specific exemption for B2B communications.
Under Regulation 22A, you can send unsolicited emails to corporate subscribers (businesses) without prior consent, provided the email is directed to a business address and is relevant to their professional role. This exemption does not apply to sole traders or partnerships, who are treated as individuals under PECR.
The practical test
Ask yourself three questions before sending any cold email:
- Is this a business email address (not a personal one)?
- Is my offer relevant to this person’s professional role?
- Would a reasonable person in their position expect to receive this type of communication?
If the answer to all three is yes, you are likely on solid ground.
What you must include
Every cold email you send must include certain information. Omitting any of these can constitute a breach of GDPR or PECR.
- Your identity: The recipient must know who is contacting them. Include your name, your company name, and your role. Do not use misleading sender names or disguise your identity.
- A clear opt-out mechanism: Every email must include a straightforward way for the recipient to stop receiving messages. This can be an unsubscribe link or a simple line like “Reply STOP to opt out.” The mechanism must work immediately and be honoured without question.
- Your business address: Include a physical business address in every email. This is a PECR requirement for all commercial electronic communications.
- Data source disclosure: If the recipient asks how you obtained their data, you must be able to tell them. Under GDPR Article 14, you have 30 days to provide this information when requested.
What you must NOT do
Compliance is as much about what you avoid as what you include. These practices will put you on the wrong side of the regulations.
Prohibited practices
- Do not use purchased consumer email lists. Lists of personal email addresses sold by third-party data brokers almost certainly lack valid consent for your specific use. Using them exposes you to significant legal risk.
- Do not ignore opt-out requests. When someone asks to be removed, remove them immediately. There is no grace period. Continuing to email someone who has opted out is a clear breach of PECR.
- Do not hide your identity. Using misleading “from” names, fake domains, or pretending to be someone you are not violates multiple regulations and destroys trust.
- Do not email sole traders without consent. Sole traders and some partnerships are treated as individuals under PECR, meaning you need prior consent to email them. If in doubt, treat the contact as an individual.
- Do not retain data indefinitely. You cannot keep prospect data forever “just in case.” You need a clear retention policy and a reason for continued processing.
Data handling best practices
How you manage prospect data is just as important as how you use it. GDPR requires you to handle personal data responsibly throughout its lifecycle.
Retention periods
Set a clear data retention policy. A common and reasonable approach for cold email is to remove prospect data 30 days after the final email in a sequence if there is no response. If a prospect does respond and a business relationship develops, you have a legitimate reason to retain their data for as long as that relationship continues.
Opt-out management
Maintain a suppression list of everyone who has opted out. This list should be checked before every campaign to ensure you never re-contact someone who has asked to stop receiving emails. The suppression list itself should be retained indefinitely — it is a record of consent withdrawal, not marketing data.
Data minimisation
Only collect and store the data you actually need. For cold email, this typically means name, business email address, company name, job title, and the source of the data. Collecting additional personal information without a specific purpose violates the data minimisation principle.
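The three data-handling practices above (the 30-day retention window, the suppression list checked before every send, and the minimal field set) are easy to state and easy to get wrong in a spreadsheet. The following Python is an added example, not code from the original page or from PrawnMail: it models the policy as three small functions so each rule is enforced mechanically. The field set and the 30-day window are taken from this guide; the in-memory data structures, the sample rows, and the `STOP`/`unsubscribe` reply detection are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Retention window from the guide: remove non-responders 30 days after the
# final email in a sequence.
RETENTION_DAYS = 30

# Data-minimisation field set from the guide. Anything else is dropped on import.
ALLOWED_FIELDS = {"name", "email", "company", "job_title", "source"}


def normalize_email(addr: str) -> str:
    """Canonical form for matching: trimmed and lower-cased. Without this a
    suppressed 'Jane.Doe@Example.com' slips past a check for 'jane.doe@example.com'."""
    return addr.strip().lower()


def minimise(raw: dict) -> dict:
    """Keep only the fields the campaign actually needs; discard the rest before storage."""
    return {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}


@dataclass
class Prospect:
    name: str
    email: str
    company: str
    job_title: str
    source: str                       # where the data came from (needed for Article 14 requests)
    last_sent: Optional[date] = None  # date of the most recent email in the sequence
    sequence_complete: bool = False   # True once the final email of the sequence has gone out
    responded: bool = False           # a genuine reply that may justify continued retention


class SuppressionList:
    """Permanent record of opt-outs. Holds addresses only, never marketing data."""

    def __init__(self, entries: Iterable[str] = ()):
        self._entries = {normalize_email(e) for e in entries}

    def add(self, addr: str) -> None:
        self._entries.add(normalize_email(addr))

    def contains(self, addr: str) -> bool:
        return normalize_email(addr) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def is_opt_out_reply(body: str) -> bool:
    """Detect a 'Reply STOP to opt out' response (whole word, any case). Assumed
    heuristic: a false positive only suppresses someone, which is the safe direction."""
    return re.search(r"\b(stop|unsubscribe)\b", body, re.IGNORECASE) is not None


def handle_opt_out(addr: str, prospects: List[Prospect],
                   suppression: SuppressionList) -> List[Prospect]:
    """Honour an opt-out immediately: record it on the suppression list and delete
    the prospect record, since nothing beyond the address needs to be kept."""
    suppression.add(addr)
    return [p for p in prospects if normalize_email(p.email) != normalize_email(addr)]


def sendable(prospects: List[Prospect], suppression: SuppressionList) -> List[Prospect]:
    """Pre-campaign gate: never contact anyone on the suppression list."""
    return [p for p in prospects if not suppression.contains(p.email)]


def purge_expired(prospects: List[Prospect], today: date) -> Tuple[List[Prospect], List[Prospect]]:
    """Apply the retention policy. Returns (kept, purged). A prospect is purged only
    when the sequence has finished, nobody replied, and the window has elapsed."""
    kept, purged = [], []
    for p in prospects:
        expired = (
            not p.responded
            and p.sequence_complete
            and p.last_sent is not None
            and (today - p.last_sent).days > RETENTION_DAYS
        )
        (purged if expired else kept).append(p)
    return kept, purged


# Constructed sample data, not taken from the page.
TODAY = date(2024, 6, 1)
RAW_IMPORT = [
    {"name": "Jane Doe", "email": "Jane.Doe@example.com", "company": "Example Ltd",
     "job_title": "Marketing Director", "source": "company website",
     "date_of_birth": "1980-01-01"},  # not needed: dropped by minimise()
]
SAMPLE_PROSPECTS = [
    Prospect("A", "a@example.com", "A Ltd", "CTO", "website",
             last_sent=TODAY - timedelta(days=40), sequence_complete=True),
    Prospect("B", "b@example.com", "B Ltd", "CTO", "website",
             last_sent=TODAY - timedelta(days=90), sequence_complete=True, responded=True),
    Prospect("C", "c@example.com", "C Ltd", "CTO", "website",
             last_sent=TODAY - timedelta(days=40), sequence_complete=False),
    Prospect("D", "d@example.com", "D Ltd", "CTO", "website",
             last_sent=TODAY - timedelta(days=10), sequence_complete=True),
]

if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_PROSPECTS, TODAY)
    print("purge:", [p.name for p in purged], "keep:", [p.name for p in kept])
```

The purge rule deliberately requires all three conditions: a contact mid-sequence is not deleted just because the first email is old, and a contact who replied is kept for as long as the relationship lasts, as the retention section describes. Running the suppression check through `normalize_email` on both sides is the part most often missed when a list is kept by hand.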
Security
Store prospect data securely with appropriate access controls. Spreadsheets shared across teams without password protection, for example, do not meet GDPR security requirements. Use proper CRM or outreach tools with role-based access.
PrawnMail’s approach to GDPR compliance
PrawnMail is a done-for-you outbound service for small B2B businesses, with compliance built into the workflow rather than bolted on as an afterthought.
- B2B only: We only run outreach to professional contacts at their corporate email addresses. No consumer lists, no sole traders.
- Research-based targeting: Rather than relying on purchased lists, we research each contact individually to ensure relevance and a defensible legitimate-interest basis.
- Human-written, human-sent: Every email is a real message written for a real person. Nothing gets blasted.
- Built-in opt-out: All emails include a clear unsubscribe mechanism. Opt-out requests are processed immediately and added to a permanent suppression list.
- Sender identity: Your business name, contact details, and physical address are included in every email, meeting PECR disclosure requirements.
- Data retention controls: Prospect data is managed with clear retention periods. Non-responsive contacts are removed in line with your data policy.
Because the service is fully done-for-you, compliance management is handled as part of the campaign — data handling, opt-out processing, and retention all taken care of.
Penalties for non-compliance
The consequences of getting GDPR wrong are significant and growing.
The Information Commissioner’s Office (ICO) has the authority to impose fines of up to 17.5 million pounds or 4 percent of annual global turnover, whichever is higher. While the largest fines have been reserved for major data breaches, the ICO has increasingly turned its attention to unsolicited marketing, with several organisations receiving six-figure fines for PECR violations in recent years.
Beyond financial penalties, non-compliance carries other risks:
- Reputational damage: ICO enforcement actions are public. Being named in an enforcement notice damages your brand and erodes trust with prospects and customers.
- Domain blacklisting: Spam complaints triggered by non-compliant email practices can get your sending domain blacklisted, making it impossible to reach anyone’s inbox. (We cover the distinction in detail in cold email vs spam, and the technical side in our deliverability checklist.)
- Loss of business relationships: Companies increasingly vet their partners’ data practices. Non-compliance can disqualify you from working with larger organisations that require GDPR compliance from their supply chain.
The bottom line
GDPR compliance is not a barrier to cold email — it is a framework for doing it properly. Businesses that follow the rules build trust, protect their domain reputation, and create sustainable outreach programmes. Those that cut corners risk fines, blacklisting, and permanent reputational damage.
Compliant outreach, done for you.
PrawnMail is done-for-you outbound for small B2B businesses — GDPR handled, meetings landing. Send a short enquiry and we’ll reply within a working day.
Get compliant outreach, done for you